troubleshooting Question
Athoritative DNS Servers behind Cisco ASA Firewall
asked on
We have 2 Windows 2003 DNS servers that are authoritative for about 40 Internet domains, that have been hosting behind a Cisco Pix 515e firewall for years. They are both small Active Directory domain controllers with Microsoft DNS on them, and Active Directory keeps the DNS info replicated for us. We opened up ports 53 TCP & UDP, added static addresses in the firewall to the inside DNS servers address (10.9.10.5 & .6) and outside address (69.xxx.yyy.5 & .6), and had ISP make both servers authoritative and life was good. We also have a simple Windows 2003 based Web server and IIS server that host some web sites and e-mail and they are behind the same firewall and are part of the same Active Directory domain.
Then a customer wanted us to host DNS for a domain name xyz.IS which is an Iceland domain extention. During the process of pointing the .IS name to our DNS servers, using Zonecheck.fr we found that the standard default Microsoft DNS does not meet several current DNS server requirements. We tweaked several items on the DNS servers (such as TTL) to meet the current DNS server requirements and finally got down to one requirement that proved tough to overcome. When zonecheck queried our DNS servers it was also seeing the actual inside address (10.9.10.5) and didn't like it because it is not valid on Internet, even though DNS requests actually worked.
So, we temporarilly changed the IP address for both servers to be the actual valid Outside addresses (69.xxx.yyy.5 &.6) and placed them outside the firewall - and then Zonecheck was happy.
Now we want to put the two DNS servers back behind our firewall since they are much safer that way and not have all ports on these servers exposed to the wicked Internet. This has created a catch-22 situation for us. If we go back to using inside addresses and move them inside the firewall then Zonecheck won't be happy, and if we put them in a DMZ then Active Directory won't be happy with the mail and web server inside the firewall and the domain controllers outside - and the DNS servers outside will be fully exposed to the wicked Internet, and if we put some or all of the servers in a DMZ then some or all will be exposed to the wicked Internet.
It would be great if we could somehow use the actual valid Internet addresses on these DNS servers behind the Pix firewall and have the Pix do some kind of a pass thru mode out to the Internet but I don't know if such a pass thru mode exists. I thought about using 2 Cisco firewalls with a DMZ in the middle but I can't put a valid Internet address on the outside of the outside firewall and then put another address in the same subnet on the DMZ side of the same outside firewall (the Pix complains) - so that won't work. I don't have any other ideas. Is there a reasonable way to solve this? Please help!! :-) Thanks a bunch!!
Then a customer wanted us to host DNS for a domain name xyz.IS which is an Iceland domain extention. During the process of pointing the .IS name to our DNS servers, using Zonecheck.fr we found that the standard default Microsoft DNS does not meet several current DNS server requirements. We tweaked several items on the DNS servers (such as TTL) to meet the current DNS server requirements and finally got down to one requirement that proved tough to overcome. When zonecheck queried our DNS servers it was also seeing the actual inside address (10.9.10.5) and didn't like it because it is not valid on Internet, even though DNS requests actually worked.
So, we temporarilly changed the IP address for both servers to be the actual valid Outside addresses (69.xxx.yyy.5 &.6) and placed them outside the firewall - and then Zonecheck was happy.
Now we want to put the two DNS servers back behind our firewall since they are much safer that way and not have all ports on these servers exposed to the wicked Internet. This has created a catch-22 situation for us. If we go back to using inside addresses and move them inside the firewall then Zonecheck won't be happy, and if we put them in a DMZ then Active Directory won't be happy with the mail and web server inside the firewall and the domain controllers outside - and the DNS servers outside will be fully exposed to the wicked Internet, and if we put some or all of the servers in a DMZ then some or all will be exposed to the wicked Internet.
It would be great if we could somehow use the actual valid Internet addresses on these DNS servers behind the Pix firewall and have the Pix do some kind of a pass thru mode out to the Internet but I don't know if such a pass thru mode exists. I thought about using 2 Cisco firewalls with a DMZ in the middle but I can't put a valid Internet address on the outside of the outside firewall and then put another address in the same subnet on the DMZ side of the same outside firewall (the Pix complains) - so that won't work. I don't have any other ideas. Is there a reasonable way to solve this? Please help!! :-) Thanks a bunch!!
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 9 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.
The Distinguished Expert awards are presented to the top veteran and rookie experts to earn the most points in the top 50 topics.