DNS queries through PIX are translated??

[nix45]

We have a PIX 515 that is NAT'ing the public IP address (1.2.3.4) of a web server (

http://www.foo.org)

to its internal IP (192.0.30.10). Our DNS server is located on the 192.0.1.0 subnet. The DNS server goes through the PIX to get out on the Internet and it forwards any DNS requests to our ISP's name servers. For some reason, our DNS server is resolving

http://www.foo.org

to its internal IP address (192.0.30.10) when it should resolve to its external (1.2.3.4). Its getting this address from our ISP's DNS servers somehow. Is it possible that the PIX is converting anything, including DNS queries, that says 1.2.3.4 to 192.0.30.10 because of NAT? I set up a separate BIND server behind the PIX for testing purposes. I set the server up to forward all requests to an external name server. This server is doing the same exact thing, where its resolving

http://www.foo.org

to its private IP, when it should resolve to the public IP.

Here's our network topology...

Internet
|
|
1.2.3.10
PIX 515
192.0.30.1
|
|
switch -----Web Server 192.0.30.10
|
|
192.0.30.3
Cisco 2621 router
192.0.1.21
|
|
switch -------DNS server 192.0.1.177


Thanks,
ChrisP

 

[tbissett]

There is a command in the PIX that can make it do what you may be seeing. Do a "show alias" and look to see if there are any alias commands.

Here's a doc about what the alias command does:

http://www.cisco.com/warp/public/110/alias.html

Before you go changing it,however, take note: If you want your internal users to access

http://www.foo.org,

they will have to access it by it's internal IP and not it's external. This is because the PIX does not allow traffic to arrive and depart on the same interface (this is a reason why Cisco created the alias command in the first place).

The best setup is to run a split DNS. Your internal DNS resolves to the private IP. Your ISP DNS resolves to the public IP. this sounds somewhat like what you have now.

 

[nix45]

I actually was reading about "DNS Doctoring" and the "alias" command before I submitted this post. We don't have any alias commands in our config, but its acting as if we do.

I don't want internal users to be able to access the webserver at all, I just want our internal DNS servers to resolve the web server to the correct public IP address. It seems as though the PIX is already doing DNS Doctoring, even though I don't have any alias commands in the config.

Our webserver is part of the foo.org domain, but our internal name servers host the foo.com domain. If I can't stop the PIX from doing this, I'll just have to set up a zone file for foo.org and include the correct host record for the web server.

Chris

 

[tbissett]

Hmmm... I have never seen a PIX do anything like that out of the box... It's definitely not a "feature" of the NAT command... I suppose you are, but just in case, are you SURE there is not some zone file or config in /etc/named.conf for foo.org on your internal DNS server?

 

[nix45]

Yes, I'm sure. Just to be extra sure, I took a Red Hat box, installed BIND on it, and forwarded all DNS queries to an external name server and I still got the same thing.

Chris

 

[tbissett]

Wow... Now I'm really intrigued Post the contents of an nslookup session, just for kicks

 

[tbissett]

Just realized you may not want to do that in this forum... I'd psot my E-mail, but, well you know what happens when that happens. Only other thing I can think is the ISP has the wrong IP address. Never have I seen the PIX do that, though.

 

[nix45]

Its definitly the PIX. Here's the output of nslookup from my internal BIND server...

[root@rh90 root]# nslookup
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
>

http://www.foo.org

Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name:

http://www.foo.org

Address: 192.0.30.10
>



On my real name server, I decided to just set up a zone file for foo.org to "fix" the problem. It works fine this way, but I just don't understand why its happening in the first place.

I contacted Cisco TAC and sent them my config and they don't know whats going on either.


Chris

 

[nix45]

If you want real proof, I'll show you the output of nslookup directly querying a public name server. The public name server will return my private IP, but if you do it from wherever you are, it will show the correct public IP. I don't want to post it here because I'll have to give out my real domain name.

If you want to see it, email me through my FAQ here...

http://www.tek-tips.com/faqs.cfm?spid=48&sfid=3880

 

[nix45]

FYI - I contacted Cisco TAC about this problem and they think its a bug in the 6.3.1 software. Here's what they said...

"Well I think I found a bug related:

CSCea70434

DNS responses passing through a 6.3(1) PIX are translated to the internal
address if a correlating static exists. This is seen regardless of whether
or not the 'dns' keyword is used in the static.

The workarround would be going back to 6.2(2). The bug tool says that it is fixed in 6.3(2) but I am not sure about that."


Chris

 

[normntwrk]

I have 6.3(1) and it does the same thing (transfers internal addresses to external DNS servers). We ended up stopping the transfers and use our ISP for our external DNS addresses and internal DNS servers fro internal addresses

Norm