dns server behind a firewall - ASA 5505

Posted on 2009-04-15
Last Modified: 2013-11-16
I have a DNS server that is only an internal DNS server behind a new Cisco ASA 5505. The server does not have a public IP address. I thought that I opened port 53 TCP and UDP properly, but it is not working, so I must be doing something wrong.

How should I set it up so the DNS server can work and look out at forward DNS servers? What do I have to do for security rules and NAT rules?
Question by:ryan80
    LVL 16

    Expert Comment

    Are you sure it's an ASA problem and not a DNS server config problem? Is the DNS server set up to *allow* queries from off-net?

    As you have it on a private address you WILL have to set up a NAT mapping to it as well as permitting the relevant ports (53 TCP and 53 UDP - you already have that I think.)

    As you've chosen to use a firewall that speaks only gibberish, I can't help you with the config side :-)

    LVL 57

    Assisted Solution

    by:Pete Long
    >>As you've chosen to use a firewall that speaks only gibberish,
    LOL -
    Post your firewall config and one of us will take a look,
    On the DNS server make sure you do not have a root zone (it will look like a zone called "." - that's a full stop without the quotes, or period if you're American).
    Make sure the DNS server has either root hints listed or you have configured forwarders that point to your ISP's DNS servers.
    LVL 12

    Author Comment

    The DNS server is fine. I have had it running and working for a few weeks without the firewall.

    Currently there is nothing in the firewall for the DNS server. I forgot to add it.

    What line will I need to add? Something like:

    static (outside,inside) tcp any 53 tcp 53

    and then an access rule to allow port 53 as well?

    I tried a few things but they didn't work. I'll post the config when I am there next.
    LVL 9

    Accepted Solution

    What you need to do is:

    Make a static NAT or PAT for port 53 and then make an ACL that allows queries to port 53 of the IP address.

    However, I am not sure if you want to have DNS queries sent to the DNS server from the internet, or you just want to enable your DNS server to forward queries to an ISP DNS server.
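
As an added illustration (not posted by anyone in this thread and not the asker's real config), here is how the two cases named in the accepted solution look in pre-8.3 ASA syntax, which is what a 2009 ASA 5505 runs; the interface names, the internal server address 192.168.1.10 and the ACL name are assumed placeholders.

```cisco
! === Case 1: the internal server only FORWARDS queries out to the ISP ===
! Dynamic PAT on the outside interface address is all that is needed.
! 192.168.1.10 and the interface names are assumed placeholders.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! Traffic from inside (security level 100) to outside (0) is permitted by
! default, and the stateful engine lets the replies to the server's own
! queries back in, so no inbound ACL is required for this case.
! Caveat: the default global policy runs "inspect dns preset_dns_map",
! which drops DNS messages longer than 512 bytes; large EDNS answers from
! the forwarders will fail until that limit is raised or the map adjusted.

! === Case 2: the server must ALSO ANSWER queries FROM the Internet ===
! Only needed if it is authoritative for a public zone. Static PAT maps
! UDP/TCP 53 on the outside interface address to the internal server.
! Note the order: (real_ifc,mapped_ifc), i.e. (inside,outside).
static (inside,outside) udp interface domain 192.168.1.10 domain netmask 255.255.255.255
static (inside,outside) tcp interface domain 192.168.1.10 domain netmask 255.255.255.255
! An ACL applied inbound on outside must permit the mapped (outside)
! address; in pre-8.3 code ACLs reference the translated address.
access-list outside_in extended permit udp any interface outside eq domain
access-list outside_in extended permit tcp any interface outside eq domain
access-group outside_in in interface outside
! If the server is exposed this way, disable recursion for external
! clients on the DNS server itself so it cannot be used as an open resolver.
```

For the asker's stated goal (forwarding only) the second block should be left out entirely; it is the configuration that widens the attack surface, not the one that fixes outbound lookups.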

    LVL 12

    Author Closing Comment

    Thanks for the help. I found that I had it set up properly with security rules, and I have a dynamic NAT rule right now until everything is running smoothly.

    What it was is that the IP address for the outside connection to the internet was having problems. It was changed to an IP address that was NATed to another server, causing the issues.

    Thanks for the comment on setting up the DNS queries just to be sent out.