
Authoritative DNS Servers behind Cisco ASA Firewall

Last Modified: 2012-05-09
We have 2 Windows 2003 DNS servers that are authoritative for about 40 Internet domains, that have been hosted behind a Cisco Pix 515e firewall for years. They are both small Active Directory domain controllers with Microsoft DNS on them, and Active Directory keeps the DNS info replicated for us. We opened up ports 53 TCP & UDP, added static addresses in the firewall to the inside DNS servers' addresses ( & .6) and outside addresses (69.xxx.yyy.5 & .6), and had the ISP make both servers authoritative, and life was good. We also have a simple Windows 2003 based Web server and IIS server that host some web sites and e-mail, and they are behind the same firewall and are part of the same Active Directory domain.

Then a customer wanted us to host DNS for a domain name xyz.IS, which is an Iceland domain extension. During the process of pointing the .IS name to our DNS servers, using Zonecheck.fr we found that the standard default Microsoft DNS does not meet several current DNS server requirements. We tweaked several items on the DNS servers (such as TTL) to meet the current DNS server requirements and finally got down to one requirement that proved tough to overcome. When Zonecheck queried our DNS servers it was also seeing the actual inside address ( and didn't like it because it is not valid on the Internet, even though DNS requests actually worked.

So, we temporarily changed the IP address for both servers to be the actual valid outside addresses (69.xxx.yyy.5 & .6) and placed them outside the firewall - and then Zonecheck was happy.

Now we want to put the two DNS servers back behind our firewall, since they are much safer that way and don't have all ports on these servers exposed to the wicked Internet. This has created a catch-22 situation for us. If we go back to using inside addresses and move them inside the firewall then Zonecheck won't be happy, and if we put them in a DMZ then Active Directory won't be happy with the mail and web server inside the firewall and the domain controllers outside - and the DNS servers outside will be fully exposed to the wicked Internet, and if we put some or all of the servers in a DMZ then some or all will be exposed to the wicked Internet.

It would be great if we could somehow use the actual valid Internet addresses on these DNS servers behind the Pix firewall and have the Pix do some kind of a pass thru mode out to the Internet, but I don't know if such a pass thru mode exists. I thought about using 2 Cisco firewalls with a DMZ in the middle, but I can't put a valid Internet address on the outside of the outside firewall and then put another address in the same subnet on the DMZ side of the same outside firewall (the Pix complains) - so that won't work. I don't have any other ideas. Is there a reasonable way to solve this? Please help!! :-) Thanks a bunch!!
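The Zonecheck failure described in the question comes down to one check: every name server listed in the zone's NS set must resolve to an address that is valid on the Internet, and a static NAT on the firewall does not rewrite the A records the server hands out, so the inside address leaks into the answer. The following is an added example (not the asker's configuration and not Zonecheck's code) that runs the same check offline over a constructed set of NS and A records; the names, the 192.168.x inside address and the 198.51.100.x stand-ins for public addresses are placeholders.

```python
import ipaddress

# Constructed sample answer, placeholders only: ns1 still advertises its inside
# (RFC 1918) address, ns2 advertises the address it is known by on the Internet.
SAMPLE_RECORDS = """\
example.is.      IN NS ns1.example.net.
example.is.      IN NS ns2.example.net.
ns1.example.net. IN A  192.168.10.5
ns2.example.net. IN A  198.51.100.6
"""

# Public addresses the ISP/registry expects for each name server (placeholders).
EXPECTED_PUBLIC = {"ns1.example.net.": "198.51.100.5",
                   "ns2.example.net.": "198.51.100.6"}

# Ranges that are never valid as a name server address on the public Internet.
NOT_INTERNET_VALID = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def parse_records(text):
    """Split 'owner IN type rdata' lines into the NS list and an owner->A map."""
    ns_names, a_records = [], {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        owner, _cls, rtype, rdata = parts
        if rtype == "NS":
            ns_names.append(rdata)
        elif rtype == "A":
            a_records.setdefault(owner, []).append(rdata)
    return ns_names, a_records


def check_ns_addresses(text, expected_public):
    """Return (nameserver, problem) pairs; an empty list means the NS set passes."""
    ns_names, a_records = parse_records(text)
    problems = []
    for name in ns_names:
        addrs = a_records.get(name)
        if not addrs:
            problems.append((name, "no A record for this name server"))
            continue
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if any(ip in net for net in NOT_INTERNET_VALID):
                problems.append((name, f"{addr} is an inside address leaking through NAT"))
            elif name in expected_public and expected_public[name] != addr:
                problems.append((name, f"{addr} differs from expected {expected_public[name]}"))
    return problems
```

Running `check_ns_addresses(SAMPLE_RECORDS, EXPECTED_PUBLIC)` flags only ns1, which is the condition the asker hit; once the advertised A record matches the public address the list is empty.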