Authoritative DNS Servers behind Cisco ASA Firewall

We have 2 Windows 2003 DNS servers that are authoritative for about 40 Internet domains, which have been hosted behind a Cisco Pix 515e firewall for years.  They are both small Active Directory domain controllers with Microsoft DNS on them, and Active Directory keeps the DNS info replicated for us.  We opened up ports 53 TCP & UDP, added static addresses in the firewall to the inside DNS servers' addresses (10.9.10.5 & .6) and outside addresses (69.xxx.yyy.5 & .6), and had our ISP make both servers authoritative, and life was good.  We also have a simple Windows 2003 based Web server and IIS server that host some web sites and e-mail; they are behind the same firewall and are part of the same Active Directory domain.

Then a customer wanted us to host DNS for a domain name xyz.IS, which is an Iceland domain extension.  During the process of pointing the .IS name to our DNS servers, using Zonecheck.fr we found that the standard default Microsoft DNS does not meet several current DNS server requirements.  We tweaked several items on the DNS servers (such as TTL) to meet the current DNS server requirements and finally got down to one requirement that proved tough to overcome.  When Zonecheck queried our DNS servers it was also seeing the actual inside address (10.9.10.5) and didn't like it because it is not valid on the Internet, even though DNS requests actually worked.

So, we temporarily changed the IP address for both servers to be the actual valid outside addresses (69.xxx.yyy.5 & .6) and placed them outside the firewall - and then Zonecheck was happy.

Now we want to put the two DNS servers back behind our firewall since they are much safer that way and not have all ports on these servers exposed to the wicked Internet.  This has created a catch-22 situation for us.  If we go back to using inside addresses and move them inside the firewall then Zonecheck won't be happy, and if we put them in a DMZ then Active Directory won't be happy with the mail and web server inside the firewall and the domain controllers outside - and the DNS servers outside will be fully exposed to the wicked Internet, and if we put some or all of the servers in a DMZ then some or all will be exposed to the wicked Internet.  

It would be great if we could somehow use the actual valid Internet addresses on these DNS servers behind the Pix firewall and have the Pix do some kind of a pass thru mode out to the Internet but I don't know if such a pass thru mode exists.  I thought about using 2 Cisco firewalls with a DMZ in the middle but I can't put a valid Internet address on the outside of the outside firewall and then put another address in the same subnet on the DMZ side of the same outside firewall (the Pix complains) - so that won't work.  I don't have any other ideas.  Is there a reasonable way to solve this?  Please help!!  :-)  Thanks a bunch!!
eAtlanta asked:

Zuzzy commented:
I have just done a test on my domains that are behind a Cisco Firewall Services Module, which is basically the same code as an ASA, and I don't get that.  DNS servers' IPs should not be leaked, so that shouldn't be an issue, unless the name of the server itself is looked up in DNS.  Do you perhaps have a problem where the servers are hosting the zone with their own names in it, and the servers are being queried for their own name and are returning their own internal IP?  It's possible you need to configure your DNS with 'split horizon', a mechanism where you get different replies based on the source IP of the query, so when queried from the Internet it returns its Internet IP.  Hope this helps --Chris
PS: Turn DNS fixup off on your ASA or you will get a lot of DNS lookup failures.
MikeKane commented:
I use an authoritative name server behind an ASA 5520.  I just ran the check you mentioned and had no issues.  

So I would begin by checking the state of the DNS inspection policy.  

In the ASA, check under:
   policy-map global_policy
          class inspection_default

You probably have an "inspect dns" entry.   Remove it and test again.  


eAtlanta (author) commented:
No change with this.  Zonecheck still sees the internal address.  I was looking at another article on Experts Exchange and it mentioned something called DNS Doctoring and Hairpinning.  Does anyone know if either of these would work?  Thanks for the tip on DNS Fixup!

MikeKane commented:
DNS Doctoring is more like a policy based routing solution.   The ASA will rewrite the return DNS packet with the correct NAT'd IP depending on where the originating request comes from.   It's an attempt to do away with the need to run a split DNS solution.

http://www9.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml


DNS hairpinning is slightly different: the end result is still to deliver an IP to the end user, however, hairpinning does not rewrite the DNS packet.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

eAtlanta (author) commented:
OK, it turned out to be easy to fix using DNS doctoring.  I guess everything is easy when you know how.  I changed my static lines and added dns to the end of them like below.  Then I added all of the policy lines below.  I had to remove the default policy map as these below replace it.  Life is good, I can leave my inside addresses on my DNS servers and the Cisco firewall "doctors" them to make them look like they are originating from the outside address.  Zonecheck is happy and my Active Directory stays happy.  Thanks a bunch for pointing me to the right Cisco document.

static (inside,outside) 69.xxx.yyy.5 10.9.10.5 netmask 255.255.255.255 dns
static (inside,outside) 69.xxx.yyy.6 10.9.10.6 netmask 255.255.255.255 dns

policy-map type inspect dns MY_DNS_INSPECT_MAP
 parameters
  message-length maximum 512

policy-map global_policy
 class inspection_default
  inspect dns MY_DNS_INSPECT_MAP

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
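To make concrete what the "dns" keyword on those static lines does, here is an added example (not code from the thread or from Cisco) that models DNS doctoring on a constructed DNS reply: it rewrites the A-record data of answers whose address matches an inside NAT entry to the corresponding outside address, refuses replies larger than the inspect policy's 512-byte maximum, and reports any RFC 1918 address that would still be visible from the Internet, which is the condition Zonecheck was objecting to. The NAT table and the documentation addresses 203.0.113.5/.6 standing in for the elided 69.xxx.yyy.5/.6 are assumptions.

```python
import struct
import ipaddress

# Constructed NAT table mirroring the two "static (inside,outside) ... dns" lines
# in the thread. The real outside addresses (69.xxx.yyy.5/.6) are elided in the
# post, so documentation addresses (203.0.113.x) stand in for them here.
STATIC_NAT = {
    "10.9.10.5": "203.0.113.5",
    "10.9.10.6": "203.0.113.6",
}
# Mirrors "message-length maximum 512" in the DNS inspect policy-map.
MAX_DNS_MESSAGE = 512

# Address ranges that are not valid on the Internet (RFC 1918, loopback, link-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def _encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_response(qname, addresses, txid=0x1234):
    """Build a minimal authoritative DNS reply with one A record per address (constructed input)."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(addresses), 0, 0)  # QR=1, AA=1
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)                 # type A, class IN
    answers = b""
    for ip in addresses:
        # Owner name is a compression pointer to the question name at offset 12.
        answers += (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
                    + ipaddress.IPv4Address(ip).packed)
    return header + question + answers


def _skip_name(msg, off):
    """Return the offset just past a wire-format name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer occupies two bytes
            return off + 2
        off += length + 1


def a_records(msg):
    """Return [(rdata_offset, address)] for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append((off, str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))))
        off += rdlen
    return found


def doctor_response(msg, nat=STATIC_NAT):
    """Rewrite A-record data from inside to outside address, as the ASA does for
    statics carrying the 'dns' keyword. Replies over the inspection maximum are
    refused, as the inspect policy would drop them."""
    if len(msg) > MAX_DNS_MESSAGE:
        raise ValueError("DNS message exceeds inspection maximum of %d bytes" % MAX_DNS_MESSAGE)
    buf = bytearray(msg)
    for off, inside in a_records(msg):
        if inside in nat:
            buf[off:off + 4] = ipaddress.IPv4Address(nat[inside]).packed
    return bytes(buf)


def leaked_addresses(msg):
    """Answer addresses that are not valid on the Internet: the Zonecheck complaint."""
    return [ip for _, ip in a_records(msg)
            if any(ipaddress.IPv4Address(ip) in net for net in NON_ROUTABLE)]


if __name__ == "__main__":
    raw = build_response("ns1.example.com.", ["10.9.10.5"])
    print("before doctoring:", leaked_addresses(raw))
    print("after doctoring: ", leaked_addresses(doctor_response(raw)))
```

The rewrite only touches A records whose data exactly matches an inside address in the static table, which is why a server that answers for its own host name with 10.9.10.5 comes out as the outside address while unrelated answers pass through untouched; it also shows why the message-length maximum matters, since a reply the inspector will not parse is a reply it will not doctor.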
eAtlanta (author) commented:
Pointed me to the right place.  Had to pull the commands I needed from the Cisco document.  Thanks!
Zuzzy commented:
NB: you may find now that your external lookups fail; this DNS fixup does strange things with DNS *servers* and I find it causes lots of lookup failures.
eAtlanta (author) commented:
So are the strange things happening with or without the DNS fixup in your config?  Did removing it fix those strange things from happening?
Zuzzy commented:
DNS fixup, among other things, closes the conduit (the term for the underlying 'pipe' created within the ASA system to allow the traffic once the first packet is matched with the rule; it's what makes the PIX/ASA/FWSM family stateful) once the DNS reply is sent to the user.  It is actually meant for the other way round, so that if you have thousands of users doing DNS lookups your firewall is not riddled with hidden holes while the UDP session times itself out, using resources and allowing potential outside attackers to utilise the holes to send packets to the user.  But when you have a server behind an ASA with fixup on, it does not distinguish, so recursive lookups and multiple lookups from one big DNS "client" user (like a proxy) can be dropped, making the client retry/reconnect.  This can cause a delay as the first lookup times out and the second is attempted.

Just watch for any complaints about response time, it may well be OK for you as your DNS passing through the firewall is to look up A records, and not providing general DNS lookups to users, thus each request ends with a reply and fixup is happy.