asked on

Zone Transfers/DNS-Is Pix Configured to allow these?

I have configured a Pix 501 to protect a DNS server using the following config. Clients should only be able to conduct Zone transfers and DNS, other than this I want to lock the server down.

However, when I use http://www.kloth.net/services/nslookup.php to test the server, it responds

"server can't find 7.1.1.207.in-addr.arpa: NXDOMAIN"

Any comments on this config?

----------------------------------------------------------

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 5gL encrypted

passwd 15f encrypted

hostname myname

domain-name mydomain.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list alist permit tcp any host 207.1.1.7 eq 7390

access-list alist permit udp any host 207.1.1.7 eq domain

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 207.1.1.5 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0

static (inside,outside) udp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0

static (inside,outside) tcp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0

static (inside,outside) udp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0

static (inside,outside) 207.1.1.7 192.168.1.4 netmask 255.255.255.255 0 0

static (inside,outside) 207.1.1.9 192.168.1.6 netmask 255.255.255.255 0 0

access-group alist in interface outside

route outside 0.0.0.0 0.0.0.0 205.244.149.110 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:eee1111ggggggdd

: end

[OK]

Les Moore

fixup protocol dns maximum-length 512
You may need to increase the max length

The error message refers to PTR records in your in-addr.arpa reverse zone. Is it set up correctly to math the forward zones?

blinton25

ASKER

Thanks for the suggestion.

1. Recommened increase in size?

2. I will have to contact my ISP to have them create/modify the DNS reverse entries.

Les Moore

Increase to 768 or 1024

>static (inside,outside) tcp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
>static (inside,outside) 207.1.1.7 192.168.1.4 netmask 255.255.255.255 0 0
You should do one or the other, not both...
Suggest:

no static (inside,outside) tcp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
no static (inside,outside) udp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
no static (inside,outside) tcp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0
no static (inside,outside) udp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0
clear xlate

blinton25

ASKER

Hello,

Thanks for the suggestions.

I got the PTR record setup by the ISP. Now when I query using http://www.kloth.net/services/dig.php I receive a

; <<>> DiG 9.3.2 <<>> @207.1.1.7 testdomain.cad ANY
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25541
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;testdomain.cad.            IN      ANY

;; Query time: 193 msec
;; SERVER: 207.1.1.7 #53(207.1.1.7)
;; WHEN: Thu Feb 7 19:57:04 2008
;; MSG SIZE rcvd: 33

However if I query on the server the correct information is returned.

My named.conf looks like this:

//
// named.conf for Red Hat caching-nameserver
//

options {
      directory "/var/named";
      dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
      version "unknown";
      /*
       * If there is a firewall between you and nameservers you want
       * to talk to, you might need to uncomment the query-source
       * directive below. Previous versions of BIND always asked
       * questions using port 53, but BIND 8.1 uses an unprivileged
       * port by default.
       */
       // query-source address * port 53;
      allow-recursion {192.168.3.0/24;};
};

//
// a caching only nameserver config
//
controls {
      inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
      type hint;
      file "named.ca";
};

zone "localdomain" IN {
      type master;
      file "localdomain.zone";
      allow-update { none; };
};

zone "localhost" IN {
      type master;
      file "localhost.zone";
      allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "named.local";
      allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
      file "named.ip6.local";
      allow-update { none; };
};

zone "255.in-addr.arpa" IN {
      type master;
      file "named.broadcast";
      allow-update { none; };
};

zone "0.in-addr.arpa" IN {
      type master;
      file "named.zero";
      allow-update { none; };
};

include "/etc/rndc.key";

zone "cad" {
      type slave;
      file "slaves/cad.zon";
      masters { 192.168.1.3;};
      };

zone "co.cad" {
type slave;
file "slaves/co.cad.zon";
masters { 192.168.1.3;};
};

zone "org.cad" {
type slave;
file "slaves/org.cad.zon";
masters { 192.168.1.3;};
};

zone "gov.cad" {
type slave;
file "slaves/gov.cad.zon";
masters { 192.168.1.3;};
};

zone "net.cad" {
type slave;
file "slaves/net.bb.zon";
masters { 192.168.1.3;};
};

zone "biz.bb" {
type slave;
file "slaves/biz.cad.zon";
masters { 192.168.1.3;};
};

zone "com.cad" {
type slave;
file "slaves/com.cad.zon";
masters { 192.168.1.3;};
};

zone "testdomain.com.cad" {
type slave;
file "slaves/testdomain.com.cad.zon";
masters { 192.168.1.3;};
};

blinton25

ASKER

Hello,

lrmoore, can you clarify:

>static (inside,outside) tcp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
>static (inside,outside) 207.1.1.7 192.168.1.4 netmask 255.255.255.255 0 0

no static (inside,outside) tcp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
no static (inside,outside) udp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
no static (inside,outside) tcp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0
no static (inside,outside) udp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0

Are you saying that I should remove my statics references? If so could you clarify why?

blinton25

ASKER

Hello,
When I remove the firewall my DNS server responds ok.

I have observed the following behaviour when trying to open port 53 (TCp/UDP). Someone told me that they had heard this was a bug in the Pix, can anyone confirm?

access-list alist permit tcp any host 207.1.1.7 eq 53
access-list alist permit udp any host 207.1.1.7 eq 53

In both of the above cases, I receive an error:
ACE not added, possible duplicate entry.

My config looks like this:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 4P4Lpmgzv5cZL7lu encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PC1

domain-name mydomain.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

<--- More --->

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list 101 permit tcp any host 207.1.1.7 eq domain log

access-list 101 permit udp any host 207.1.1.7 eq domain log

access-list 101 permit tcp any host 207.1.1.7 eq www log

access-list 101 permit icmp any any echo-reply log

access-list 101 permit icmp any any echo log

access-list alist permit tcp any host 207.1.1.7 eq 7390

access-list alist permit tcp any host 207.1.1.8 eq 7390

access-list alist permit udp any host 207.1.1.7 eq domain

access-list alist permit udp any host 207.1.1.8 eq domain

access-list alist permit tcp any host 207.1.1.7 eq domain

access-list alist2 permit tcp any host 207.1.1.8 eq 7390

access-list alist2 permit tcp any host 207.1.1.7 eq domain

access-list alist2 permit udp any host 207.1.1.7 eq domain

pager lines 24

logging on

logging timestamp

logging buffered debugging

mtu outside 1500

mtu inside 1500

ip address outside 207.1.1.3 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

<--- More --->

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.1.3 255.255.255.255 inside

pdm location 192.168.1.4 255.255.255.255 inside

pdm location 192.168.1.6 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 207.1.1.7 domain 192.168.1.3 domain netmask 255.255.255.255 0 0

static (inside,outside) udp 207.1.1.7 domain 192.168.1.3 domain netmask 255.255.255.255 0 0

static (inside,outside) tcp 207.1.1.7 www 192.168.1.3 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 207.1.1.8 domain 192.168.1.4 domain netmask 255.255.255.255 0 0

static (inside,outside) udp 207.1.1.8 domain 192.168.1.4 domain netmask 255.255.255.255 0 0

static (inside,outside) tcp 207.1.1.8 www 192.168.1.4 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0

static (inside,outside) udp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0

static (inside,outside) tcp 207.1.1.9 www 192.168.1.6 www netmask 255.255.255.255 0 0

static (inside,outside) 207.1.1.7 192.168.1.3 netmask 255.255.255.255 0 0

static (inside,outside) 207.1.1.8 192.168.1.4 netmask 255.255.255.255 0 0

static (inside,outside) 207.1.1.9 192.168.1.6 netmask 255.255.255.255 0 0

access-group alist in interface outside

route outside 0.0.0.0 0.0.0.0 200.50.92.193 1

timeout xlate 0:05:00

<--- More --->

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.32 inside

dhcpd lease 3600

dhcpd ping_timeout 750

<--- More --->

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Les Moore

>told me that they had heard this was a bug in the Pix
There were some bugs in the dns fixup prior to the 6.3(5) version that you are running

>ACE not added, possible duplicate entry.
Because you already have the required entries using "domain" instead of "53"

Try increasing the max-length to 1024
fixup protocol dns maximum-length 1024

blinton25

ASKER

Hello,

So remove the domain entry? What ports does this cover?

Les Moore

No, keep these just exactly as you have them now because domain = 53

access-list 101 permit tcp any host 207.1.1.7 eq domain log
access-list 101 permit udp any host 207.1.1.7 eq domain log

Just try changing the fixup max-length

blinton25

ASKER

Hi,

Note that my access-group is called alist. So are the settings for access-list actually being applied?

BrianL

ASKER CERTIFIED SOLUTION

Les Moore

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

blinton25

ASKER

Sorry, you are correct! I will try changing the max length.

blinton25

ASKER

Hello,

Ok, I applied the fixup but it still isn't working. I can't connect to the DNS server when the firewall is in place.

I then tried using another computer, and noticed that even though I am assigned an IP address (192.166.1.3) via DHCP, I still can't surf.

Is there something in my config file that might be preventing connectivity?

blinton25

ASKER

Hello,

Ok, I needed to restart BIND because of the change in the IP address on the server (public to private). Once I did that the DNS server started working again.