issues getting dns forwards through pix firewall

We have a pix 501 behind a cisco router and are trying to set up internal dns with forwarding for external requests.  

The layout looks like this  

 INTERNET -> CIsco 1840 -> Pix 501 -> Switch -> Lan worstations

The DNS server is on the same subnet and switch as the workstations (192.168)

Im not sure if i need to configure anything specifically to pass DNS requests but if i configure a client directly with the ISP DNS server, it works fine.  But when our internal DNS server tries to forward queries, it fails.  

On the firewall log I see the following:

"106023: Deny udp src outside: dst inside: by access-group "server_access" "

But i already have the access list of

PrivateFW# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list server_access; 5 elements
access-list server_access line 1 permit tcp host host eq 3306 (hitcnt=0)
access-list server_access line 2 permit icmp any any (hitcnt=1195)
access-list server_access line 3 permit udp host eq dnsix (hitcnt=0)
access-list server_access line 4 permit udp host eq domain (hitcnt=0)
access-list server_access line 5 permit udp host eq domain (hitcnt=0)

Who is Participating?
You shouldn't have to set up DNS forwarding to your ISP. Your root hints will help you resolve them. All your doing is sending your DNS request to your ISP who, if it doesn't have the zone on it will use it's root hints to forward you on anyhow. You need to make sure TCP/UDP Port 53 is open on your firewall which might be causing the problem also. I'm suspecting though that your DNS isn't correct, that's why it works on the workstations but not when using the server.

Right click on your computers name in DNS and choose properties. Click on your Root Hints tab and see if they show up.
rivetgeekAuthor Commented:
Forgot to add, is ISP's DNS Server is outside interface ip of firewall which connects to router
What are you using for a DNS server, Microsoft?
IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

rivetgeekAuthor Commented:
Yes.  MIcrosoft Server 2000.  No AD though
You're DNS is not set up properly then. When you edit the properties of your DNS, does it show you the root hints? A default install of DNS on a Microsoft 2000 server uses it's root hints to resolve names on the internet. When the server is configured to look at itself for DNS, does it have the same problem? Have you verified that the DNS service is running?
rivetgeekAuthor Commented:
The DNS is working for internal hosts.  In the properties, the forwardings are set to the ISPs DNS servers.

I created zones for all our web sites domain names and hosts such as www, dev, admin etc to reach them internally via or

The forwardings should forward queries that the local DNS server doesn't have a zone for to the ISP DNS.

So if i have a zone for and a host for www,  I can set my workstation dns to point to the internal DNS server and get to  However if I try to then get to, for instance, it cant resolve the name.  

I am under the impression that the firewall log file indicates it is blocking the DNS response from the ISP DNS server
rivetgeekAuthor Commented:
This wasn't exactly the issue but it seems there were some funky settings so i killed it all and started over configuring it and it worked fine.

Great! Glad to see it's working! Have a good day!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.