• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 511
  • Last Modified:

FireBox cannot resolve domain names

We implemented a FireBox x550e in place of a Cisco Pix.  All the configuration settings seem to be copied over correctly.  When the FireBox is in use our DNS does not work.  Using public IP's is the only way to get to Internet sites.  Why would the FireBox effect our DNS.  Is the DNS entered incorrectly?  What else could it be?
0
level9tech
Asked:
level9tech
  • 5
  • 5
1 Solution
 
dpk_walCommented:
I think the DNS Server is getting blocked by WG firebox default packet handler and hence getting moved under Blocked sites [you would be able to see it under System Manager->Blocked Sites]; if this is the case, go to Policy Manager->Setup->Intrusion Prevention->Default Packet Handling->Uncheck the box "Auto-block source of packets not handled"; this should solve the problem.

To make sure that DNS is correctly defined in Policy Manager->Network->configuration->WINS/DNS.

The steps I have listed would depend on the software version of WG management software; across versions the process remains same but the options might differ; if you have difficult following let me the exact software version and I would list out the exact steps for you.

Please implement and update.

Thank you.
0
 
level9techAuthor Commented:
DNS is still not being resolved.  Any ideas?
0
 
dpk_walCommented:
Where is your DNS hosted, is it on the inside network; or at your ISPs end; if inside make sure that you are using the internal IP and not the public IP for DNS.

Please check and update.
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
level9techAuthor Commented:
I made sure that check box was unchecked in policy manager, also I am sure I have the correct dns info.

I am using our internal dns server to resolve names.   I need to because I am running a windows domain... any ideas what the issue could be ?
0
 
dpk_walCommented:
As I asked in my previous post, are you using internal IP or external IP address for DNS; if you are using external IP address things would not work because in this case the ingress and egress interface would be same on the packet; same thing might work in Cisco as they implement something called hairpin.

Please note you need to use internal IP on the machines only then DNS would work.

One more thing, is your DNS server itself able to go the internet and resolve sites. Also, have you created any 1-1 NAT rules and aliases for the same IP and using this IP for DNS, if so, you need to either remove alias or 1-1 NAT.

Please provide details if you are able to ping/traceroute/do dns lookups from the DNS server itself. further, if you specify some public DNS on some machine is the machine then able to resolve by name.

Please udpate.

Thank you.
0
 
level9techAuthor Commented:
I am using the internal ip for dns. is there anything inside the firebox that i need to checK? I dont understand why its not working
0
 
dpk_walCommented:
Is the DNS server itself able to resolve names and go to the internet?
0
 
level9techAuthor Commented:
yes it resolves names and gets out fine
0
 
level9techAuthor Commented:
anyone have any ideas?
0
 
dpk_walCommented:
so if u were to do nslookup from an internal machine for some website say www.yahoo.com; with the machine DNS pointing to internal DNS server what is the result; further if you specify command as:
nslookup www.yahoo.com dns-server-ip
where dns-server-ip is not your DNS Server then do you get any different output.

As your DNS Server can resolve website and can connect to the internet, then I would request you to make sure that the DNS server can resolve names as:
nslookup www.yahoo.com 127.0.0.1

Can you also check to make sure that DNS service/daemon is running properly and there is no dependency which might be causing the problem.

Finally can you run wireshark or some other packet capture tool on your server and one of the client machines and check if the packets are first coming from client to the server and then reaching back to the client with the correct data; also, if the server does not have the address is the server itself requesting for name resolution.

Please check and update.

Thank you.
0

Featured Post

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now