dns server behind a firewall - ASA 5505

I have a DNS server that is only an internal DNS server behind a new Cisco ASA 5505. The server does not have a public IP address. I thought that I opened port 53 TCP and UDP properly, but it is not working, so I must be doing something wrong.

How should I set it up so the DNS server can work and look out at forward DNS servers? What do I have to do for security rules and NAT rules?
2 Solutions
Are you sure it's an ASA problem and not a DNS server config problem? Is the DNS server set up to *allow* queries from off-net?

As you have it on a private address you WILL have to set up a NAT mapping to it as well as permitting the relevant ports (53 TCP and 53 UDP - you already have that I think.)

As you've chosen to use a firewall that speaks only gibberish, I can't help you with the config side :-)

Pete Long (Consultant) commented:
>>As you've chosen to use a firewall that speaks only gibberish,
Post your firewall config and one of us will take a look.
On the DNS server make sure you do not have a root zone (it will look like a zone called "." - that's a full stop without the quotes, or period if you're American).
Make sure the DNS zone has either root hints listed or you have configured forwarders that point to your ISP's DNS servers.
ryan80 (Author) commented:
The DNS server is fine. I have had it running and working for a few weeks without the firewall.

currently there is nothing in the firewall for the dns server. I forgot to add it.

What line will I need to add? Something like:

static (outside,inside) tcp any 53 tcp 53

and then an access rule to allow port 53 as well?

I tried a few things but they didn't work. I'll post the config when I am there next.

What you need to do is:

Make a static NAT or PAT for port 53 and then make an ACL that allows queries to port 53 of the IP address.

However, I am not sure if you want to have DNS queries sent to the DNS server from the internet or you just want to enable your DNS server to forward queries to an ISP DNS server.
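The two cases the answer above distinguishes need different ASA configuration, so here is a worked example of both. This is an added illustration, not config from the original thread or from any of the posters, and it assumes pre-8.3 ASA syntax (the generation the 5505 shipped with), an inside server at 192.168.1.10, and interface names `inside` and `outside`; the IP address and the ACL names `inside_out` and `outside_in` are placeholders chosen for this example. The first block is all that is needed when the server only forwards queries out to the ISP; the second block is only required if hosts on the internet must be able to query the server directly.

```cisco
! ---- Case 1: internal-only DNS server that forwards to ISP resolvers ----
! Assumed: server 192.168.1.10 on interface "inside" (placeholder address).
! Dynamic PAT lets the server (and the rest of the LAN) reach the internet
! behind the outside interface address. Return traffic is allowed by the
! stateful connection table; no inbound ACL entry is needed for replies.
nat (inside) 1 192.168.1.10 255.255.255.255
global (outside) 1 interface
! Optional: if you apply an ACL to inside, it must permit outbound DNS.
! Resolvers fall back to TCP for large or truncated answers, so allow both.
access-list inside_out extended permit udp host 192.168.1.10 any eq domain
access-list inside_out extended permit tcp host 192.168.1.10 any eq domain
access-group inside_out in interface inside

! ---- Case 2: additionally accept queries from the internet ----
! Static PAT maps port 53 on the outside interface address to the server.
! Note the interface order: (inside,outside), real server first.
static (inside,outside) udp interface domain 192.168.1.10 domain netmask 255.255.255.255
static (inside,outside) tcp interface domain 192.168.1.10 domain netmask 255.255.255.255
! Inbound ACL on outside must reference the *mapped* (outside) address.
access-list outside_in extended permit udp any interface outside eq domain
access-list outside_in extended permit tcp any interface outside eq domain
access-group outside_in in interface outside

! ---- Verification ----
! Simulate the server's outbound query and confirm the ASA allows and
! translates it (destination 8.8.8.8 is just a sample resolver address).
packet-tracer input inside udp 192.168.1.10 1025 8.8.8.8 53
! Confirm the static translation exists after Case 2 is applied.
show xlate | include 192.168.1.10
```

Two caveats a practitioner should check. First, the ASA's default inspection policy includes `inspect dns` with a maximum message length (512 bytes by default); larger EDNS0 responses are dropped silently, so if some lookups fail while others succeed, review `policy-map global_policy` and raise the limit with `inspect dns maximum-length`. Second, if you apply Case 2, the server must not answer recursive queries for arbitrary names from the internet; an open recursive resolver behind a static PAT is readily abused for DNS amplification against third parties, so either restrict recursion to internal addresses on the server or skip Case 2 entirely, which is all the original question actually requires. On ASA 8.3 and later the NAT syntax is object-based (`object network` with `nat (inside,outside) static interface service udp domain domain`) and ACLs reference the real address instead of the mapped one, so do not paste the `static` lines above into a newer release.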

ryan80 (Author) commented:
Thanks for the help. I found that I had it set up properly with security rules, and I have a dynamic NAT rule right now until everything is running smoothly.

What it was is that the IP address for the outside connection to the internet was having problems. It was changed to an IP address that was NATed to another server, causing the issues.

Thanks for the comment on setting up the DNS queries just to be sent out.