
DNS Craps Out behind PIX 6.2.2. Any ideas?


ilurec (IS-IT--Management), Jun 17, 2003
I think I need a second, third, etc. set of eyes on this issue.

In design, we have had our external DNS servers located in the DMZ portion of the PIX (three interfaces). With this implementation, we have had no issues (WIN2K DNS).

With some business need changes and so forth, we moved the DNS from WIN2K to Red Hat Linux and BIND 9.x

After this move, we did not experience any issues for about a week and a half. Then it happened....

NO MORE DNS RESOLUTION!

According to the PIX itself, it logged UDP traffic to port 53 with no issues. Checked the syslog, all looks good. Then we looked at the DNS traffic to the DNS server... it was not getting any traffic at all, even though the PIX said it was pushing it through.

In testing (and in trying to get back up, as the assumption was the DNS server and maybe a NIC issue) we put the WIN2K DNS server back into place... still no go, same symptoms.

With this, we placed the WIN2K DNS outside PIX and all was well, then we moved the Linux box out, and all was well. WITH NO CHANGES TO SERVER HARDWARE.

With that I defer to the expert crowd... I have opened a TAC case, but they're stabbing in the dark on this one.

I have a static mapping for my DNS box normally, and an ACL that looks like this... but it has worked forever!

access-list outside_in permit udp any host {ip} eq domain

Cisco is telling me that there may be an issue due to the fact that I have built an outbound filter for internal clients (to get rid of all the IM crap on my network). I do not buy into this, as the filter has been a part of the original config.

Any ideas?

ilurec

You're right: don't buy the you-know-what about an inside filter. We have split DNS and it's working just fine. Have you tried putting some packet captures on the PIX interfaces? This might help verify that the traffic is indeed going to your DNS box. Here is an example.

To capture DNS traffic to your inside int:
access-list capture1 permit udp any host [dns-server] eq domain
capture dnsinside access-list capture1 interface inside

To capture traffic as it enters and leaves your DMZ int:
access-list capture2 permit udp any host [dns-server] eq domain
access-list capture2 permit udp host [dns-server] eq domain any
access-list capture2 permit udp any eq domain host [dns-server]
access-list capture2 permit udp host [dns-server] any eq domain
capture dnsdmz access-list capture2 interface dmz

Give that a try and see what you find
 
HI.

Try to manually set the DMZ NIC (in PIX + switch + host) to 100full, and do another test with 10baseT. Does it make any difference?
Try with a crossover cable between the PIX DMZ and the DNS server (just temporarily for the test). Does it change anything?

Did you check if the DNS server can access the Internet (outbound connection)?

Check for IP fragmentation. Maybe an MTU issue?

Open telnet/ftp/http on the DNS server and in the pix ACL, then try with TCP connections - does TCP work? If not, trace the TCP handshake and status to get more info.

The "capture" command is good news for me - I didn't know it existed...

Take a look at the field notice here; maybe you have a hardware issue with the DMZ NIC:


Yizhar Hurwitz
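The two suggestions above (verify that queries actually reach the DNS box, and check whether TCP behaves differently from UDP) can be combined into one probe run from a host on either side of the PIX. The script below is an added example, not code from the thread or from Cisco: it hand-builds a standard recursive A query, sends the same query to a chosen server over UDP/53 and over TCP/53 (with the two-byte length prefix DNS uses on TCP), and parses the reply header so you can see the transaction ID, RCODE, and any A records that came back. If UDP times out while TCP answers, the problem is on the UDP path (filtering, fragmentation, or a broken translation), not the server. The server address and query name are command-line arguments; the only bytes embedded in the file are a constructed reply used to exercise the parser offline.

```python
"""Probe a DNS server over UDP and TCP with a hand-built query.

Added example (not from the thread). Assumes the target answers on
UDP/TCP port 53 and that the caller supplies its IP address. The
constructed bytes in demo_parse() are not captured traffic.
"""
import random
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, qid=None, qtype=QTYPE_A):
    """Build a 12-byte header plus one question for `name` (RD set)."""
    if qid is None:
        qid = random.randint(0, 0xFFFF)
    # flags 0x0100 = recursion desired; QDCOUNT=1, AN/NS/AR=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Decode the header and pull any A-record addresses out of the answers."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4   # skip QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return {
        "id": qid,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "rcode": flags & 0x000F,           # 0 = NOERROR, 3 = NXDOMAIN, 5 = REFUSED
        "answers": an,
        "addresses": addresses,
    }


def query_udp(server, query, timeout=3.0):
    """Send one datagram to UDP/53; return the raw reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except (socket.timeout, OSError):
            return None
    return data


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-message")
        buf += chunk
    return buf


def query_tcp(server, query, timeout=3.0):
    """Same query over TCP/53 with the 2-byte length prefix (RFC 1035 4.2.2)."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            length = struct.unpack("!H", _recv_exact(s, 2))[0]
            return _recv_exact(s, length)
    except (socket.timeout, OSError):
        return None


def probe(server, name):
    """Run the same query over both transports; None means no reply at all."""
    query = build_query(name)
    expected_id = struct.unpack("!H", query[:2])[0]
    results = {}
    for proto, fn in (("udp", query_udp), ("tcp", query_tcp)):
        raw = fn(server, query)
        if raw is None:
            results[proto] = None
            continue
        parsed = parse_response(raw)
        parsed["id_matches"] = parsed["id"] == expected_id
        results[proto] = parsed
    return results


def demo_parse():
    """Parse a constructed NOERROR reply for ns1.example.com -> 192.0.2.53."""
    reply = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header
             b"\x03ns1\x07example\x03com\x00\x00\x01\x00\x01"       # question
             b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"    # answer RR head
             b"\xc0\x00\x02\x35")                                   # 192.0.2.53
    return parse_response(reply)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: dnsprobe.py <server-ip> <name>")
        sys.exit(1)
    for proto, result in probe(sys.argv[1], sys.argv[2]).items():
        print(proto, "no reply" if result is None else result)
```

Run it from the inside network against the DMZ server's private address, then from an outside host against the static's public address, and compare the two runs; a PIX capture on the DMZ interface taken at the same time shows whether the UDP datagrams that never got a reply left the firewall at all.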
 
You can't set one rule for 3 different interfaces and not expect to run into problems.

If you've got DNS in your DMZ, and you're doing split DNS:

1. You have to let the DMZ hosts resolve DNS to someplace OUTSIDE of your network...that means on the internet somewhere.

access-list acl_DMZ permit udp host (DMZDNSserverIP) any eq domain
access-list acl_DMZ permit udp any host (DMZDNSserverIP) eq domain

2. You next have to let your inside hosts send/receive DNS queries from your DMZ hosts:

access-list acl_inside permit udp (internalnetworkIP) (internalnetworkmask) (DMZnetworkIP) (DMZnetworkmask) eq domain

3. If your DNS host is also resolving incoming requests from the internet from the DMZ, you need to have it mapped to a static external address:

static (DMZ,outside) (ExternalIPofDNS) (InternalIPofDNS) netmask 255.255.255.255 0 0

4. Whether 3 is true or not, you need to let the DMZ hosts resolve DNS for themselves as well as everyone else, internal or external:

access-list acl_DMZ permit udp any any eq domain

5. Lastly, you need to set a permission on the outside interface--specifically for the public IP address assigned to your DMZ DNS server--that lets any host query the DNS udp port:

access-list acl_outside permit udp any host (DMZDNSpublicaddress) eq domain


That's taken directly from our PIX. It lets you run split DNS effectively.

Of course, to do split DNS, you also need to make sure to have your DNS server set up correctly. Both the PIX and the DNS server must be set up correctly to make this happen.
 