Solved

Public DNS Servers Behind a Firewall

Posted on 2006-05-25
Last Modified: 2013-11-16
What ports need to be forwarded through a PIX to be able to have DNS servers on a private IP instead of a public one and still work? I have tried port 53 and it doesn't seem to be enough.

This is probably fairly easy, but it is worth 500 points due to the urgency!!!!

My DNS servers are slammed with bugs from having public IPs.

Question by:centrepc
8 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 16764181
What is the DNS server software? If you're using BIND, you need to configure it to use only port 53.
 
LVL 57

Expert Comment

by:giltjr
ID: 16764237
Umm, port 53 using what? Normal DNS uses UDP, not TCP.
 
LVL 11

Expert Comment

by:prueconsulting
ID: 16764269
Port 53/UDP for standard DNS queries
Port 53/TCP for DNS zone transfers

 
LVL 11

Accepted Solution

by:prueconsulting (earned 2000 total points)
ID: 16764299
On the PIX, set it up with a translate:

static (DMZ-1,outside) tcp DNS-externalip 53 DMZ1-IP 53 netmask 255.255.255.255 0 0

Then control it with an access list:

access-list 100 permit tcp any dns-externalip eq 53
access-list 100 permit udp any dns-externalip eq 53

Also ensure:
fixup protocol dns

 
LVL 2

Expert Comment

by:marcin79
ID: 16764473
As somebody said before, 53/UDP and 53/TCP should be enough.
 
LVL 5

Author Comment

by:centrepc
ID: 16764531
Thanks to all for the quick responses. I will try the suggestions later tonight when the server can be down for a few minutes.

To answer a couple of your questions:

I am running 2000 Server DNS. I think when I first tried to forward port 53 it was only TCP and UDP. That may have been the problem.

Someone told me that DNS can randomly change the ports that it communicates on. Can this be even close to being true? How would it work if there isn't a standard port?

Thanks again for the help.
 
LVL 2

Expert Comment

by:marcin79
ID: 16764562
Every DNS query comes to port 53/UDP and zone transfers come to port 53/TCP.

Maybe you have something blocked/blacklisted on your firewall?
 
LVL 79

Expert Comment

by:lrmoore
ID: 16764705
Your PIX also has a DNS fixup enabled. You may have to increase the default size from 512 to 1024.
Unless you are a primary DNS and have a secondary DNS outside the PIX, you should not be allowing any zone transfers - ever. All you should need is UDP/53.
How old is your PIX OS version?
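The accepted solution permits 53/TCP and 53/UDP through the PIX, and lrmoore's comment raises the DNS fixup's 512-byte default. The probe below is an added example, not code from this thread: it sends a minimal query to the forwarded server over both 53/UDP and 53/TCP so each rule can be verified separately, and flags a UDP answer that is truncated (TC bit) or longer than 512 bytes, which is the case where the fixup size matters. The server address and the name to query are command-line arguments supplied by the reader.

```python
import socket
import struct
import sys

QTYPE = {"A": 1, "NS": 2, "SOA": 6}   # record types this probe knows how to ask for

def build_query(name, qtype="A", txid=0x1234):
    """Build a plain DNS query: 12-byte header, one IN-class question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1 only
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)

def parse_header(resp):
    """Decode the header fields that matter when checking a forwarded server."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": an, "authority": ns, "additional": ar}

def needs_tcp(resp):
    """TC set, or more than the 512 bytes the PIX fixup allows by default: retry over TCP."""
    return parse_header(resp)["tc"] or len(resp) > 512

def query_udp(server, name, qtype="A", timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return s.recv(4096)

def query_tcp(server, name, qtype="A", timeout=3.0):
    q = build_query(name, qtype)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)     # DNS over TCP is length-prefixed
        (length,) = struct.unpack("!H", s.recv(2))
        buf = b""
        while len(buf) < length:
            chunk = s.recv(length - len(buf))
            if not chunk:
                raise ConnectionError("TCP DNS stream closed early")
            buf += chunk
        return buf

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: dnsprobe.py <server-ip> <name>")
    for proto, fn in (("53/UDP", query_udp), ("53/TCP", query_tcp)):
        try:
            resp = fn(sys.argv[1], sys.argv[2])
            print(proto, "ok", parse_header(resp), "needs TCP" if needs_tcp(resp) else "")
        except OSError as e:   # timeout, refused or reset: most likely a firewall rule
            print(proto, "blocked or unreachable:", e)
```

Run it from outside the PIX against the public address: a UDP answer plus a TCP failure means only the UDP path is open, and a "needs TCP" mark on a UDP answer shows where a 512-byte fixup limit would start to bite.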