
dns server behind a firewall - ASA 5505

I have a DNS server that is only an internal DNS server behind a new Cisco ASA 5505.  The server does not have a public IP address.  I thought that I opened port 53 TCP and UDP properly, but it is not working, so I must be doing something wrong.

How should I set it up so the DNS server can work and look out at forward DNS servers?  What do I have to do for security rules and NAT rules?
2 Solutions
Are you sure it's an ASA problem and not a DNS server config problem? Is the DNS server set up to *allow* queries from off-net?

As you have it on a private address you WILL have to set up a NAT mapping to it as well as permitting the relevant ports (53 TCP and 53 UDP - you already have that I think.)

As you've chosen to use a firewall that speaks only gibberish, I can't help you with the config side :-)

Pete Long (Technical Consultant) commented:
>>As you've chosen to use a firewall that speaks only gibberish,
Post your firewall config and one of us will take a look,
On the DNS server make sure you do not have a root zone (it will look like a zone called "." - that's a full stop without the quotes, or a period if you're American).
Make sure the DNS zone has either root hints listed or you have configured forwarders that point to your ISP's DNS servers.
ryan80 (Author) commented:
The DNS server is fine. I have had it running and working for a few weeks without the firewall.

Currently there is nothing in the firewall for the DNS server. I forgot to add it.

What line will I need to add? Something like:

static (outside,inside) tcp any 53 tcp 53

and then an access rule to allow port 53 as well?

I tried a few things but they didn't work. I'll post the config when I am there next.

What you need to do is:

Make a static NAT or PAT for port 53 and then make an ACL that allows queries to port 53 of that IP address.

However, I am not sure if you want to have DNS queries sent to the DNS server from the internet, or if you just want to enable your DNS server to forward queries to an ISP DNS server.
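Added example (not posted in this thread, and not the asker's config): a minimal ASA 5505 configuration for both cases the answer above distinguishes. Addresses are assumptions: inside LAN 192.168.1.0/24, DNS server 192.168.1.10, outside address learned from the ISP. The active lines use pre-8.3 syntax, since that is what the asker's attempted `static` line uses; the 8.3+ object NAT equivalent is in comments, because the two differ both in NAT syntax and in which address an inbound ACL must match. One check worth making on a pre-8.3 `static`: the real (inside) interface comes first, so a line of the form `static (outside,inside) ...` translates in the opposite direction from what is wanted here.

```cisco
! Added example, not from the original thread. Assumptions:
!   inside LAN   192.168.1.0/24, DNS server 192.168.1.10 (hypothetical)
!   outside      address obtained from the ISP (PAT to the interface)
!   ASA 8.2 syntax on active lines; 8.3+ equivalents in comments
!
! --- Case 1: the internal DNS server only forwards to ISP resolvers ---
! No inbound rule and no static NAT is needed. Inside (security-level 100)
! to outside (security-level 0) is permitted by default; the server only
! needs a dynamic PAT so its private address can leave the firewall.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! 8.3+ equivalent of the two lines above:
!   object network inside-net
!    subnet 192.168.1.0 255.255.255.0
!    nat (inside,outside) dynamic interface
!
! Only if an ACL is applied inbound on the inside interface (which adds
! an implicit deny) must DNS from the server be permitted explicitly:
access-list inside_out extended permit udp host 192.168.1.10 any eq domain
access-list inside_out extended permit tcp host 192.168.1.10 any eq domain
access-group inside_out in interface inside
!
! --- Case 2: the server must also answer queries FROM the Internet ---
! Do this only if it is authoritative for a public zone; an internal
! resolver exposed this way becomes an open resolver.
! Real interface first, then mapped interface:
static (inside,outside) udp interface 53 192.168.1.10 53 netmask 255.255.255.255
static (inside,outside) tcp interface 53 192.168.1.10 53 netmask 255.255.255.255
! Pre-8.3: the inbound ACL matches the TRANSLATED (outside) address.
access-list outside_in extended permit udp any interface outside eq domain
access-list outside_in extended permit tcp any interface outside eq domain
access-group outside_in in interface outside
!
! 8.3+ equivalent (inbound ACL matches the REAL inside address instead;
! one network object carries one nat statement, so use two objects):
!   object network dns-server-udp
!    host 192.168.1.10
!    nat (inside,outside) static interface service udp domain domain
!   object network dns-server-tcp
!    host 192.168.1.10
!    nat (inside,outside) static interface service tcp domain domain
!   access-list outside_in extended permit udp any host 192.168.1.10 eq domain
!   access-list outside_in extended permit tcp any host 192.168.1.10 eq domain
!
! --- DNS inspection caveat (applies to both cases) ---
! The default global_policy runs "inspect dns preset_dns_map", which
! caps DNS messages at 512 bytes; larger answers (EDNS0, DNSSEC) are
! dropped silently. Raise the cap if forwarding starts failing:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
```

To confirm the rules do what you expect before involving a real client, trace a synthetic packet through the box: `packet-tracer input inside udp 192.168.1.10 5000 8.8.8.8 53` for the outbound case, and `packet-tracer input outside udp 203.0.113.5 5000 <outside address> 53` for the inbound one (203.0.113.5 is a documentation address standing in for an Internet client). The output shows which NAT and ACL phase allows or drops the packet, which is usually faster than reading the whole config.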

ryan80 (Author) commented:
Thanks for the help.  I found that I had it set up properly with security rules, and I have a dynamic NAT rule right now until everything is running smoothly.

What it was is that the IP address for the outside connection to the internet was having problems.  It was changed to an IP address that was NATed to another server, causing the issues.

Thanks for the comment on setting up the DNS queries just to be sent out.