Firewall as Default Gateway on DNS Server

LiLAmy

IS-IT--Management
Jun 28, 2002
22
US
We recently switched the default gateway on our Windows 2000 DNS server to point to a Linux Freesco-based firewall instead of the router it used to point to. Since the change, the server will not resolve DNS queries for more than about 20 minutes or so. Yet it is still able to ping the IPs of the name servers it's set up to forward to after it stops resolving. The only way to get DNS working again is to either (a) restart the DNS Server service, or (b) restart the firewall machine. Either option allows DNS resolution to work properly for about 20 more minutes before it stops working again. Since this is an unacceptable scenario, we have reverted to using the router as the default gateway and everything again works fine as it used to.

Does anyone have an idea as to what the problem might be when using the firewall as the default gateway?
 
My question is: what are your clients' gateways set to?

Also, what do pathping or tracert tell you about how you get out to the net from your DNS server or clients?

Also, do you have recursion enabled or disabled on your DNS server?
 
All the clients have been using, and continue to use, the firewall as the gateway. The problem arose when reconfiguring the DNS server's gateway to point to the firewall instead of going directly to the router.

Recursion is enabled. As I said, the DNS server resolves fine when the gateway is set to the router, but when it is set to the firewall, it stops resolving after about 20 minutes, give or take. At that point, the only resolution is restarting the DNS service on the server, or restarting the firewall, OR changing the gateway back to the router.

Pathping results from when the gateway is set to the firewall show it going through the firewall, to the router, and out. As I mentioned before, after DNS stops resolving, I am STILL able to ping external world-routable IPs from the DNS server in question.

 
Interesting... It goes from your firewall AND THEN to your router... hmm.

Our firewall is the last hop before leaving. I can use either the router or the firewall as a default gateway because the router has static addresses set to forward DNS requests to our ISP; the same goes for the firewall, of course.

So when it's working properly, the first 20 minutes, you can resolve any address on the internet? You're not just trying pages that you might have in cache?

"'Tis better to be thought of as a fool than open your mouth and remove all doubt" Mark Twain

"I should have been a doctor.." Me
 
Do you know if DNS ports (53) are allowed to pass through the firewall? The fact that you can ping outside addresses does not mean DNS should work.
Check your access lists on that firewall, what ports are blocked, etc. A+, MCP, CCNA
marbinpr@hotmail.com

Keep fighting for your knowledge!

 
Your firewall is the last hop before going out to the world? That's strange, because the firewall should be between your router and your LAN. If you're able to access your router directly as your default gateway, that would suggest that any incoming traffic can go around your firewall and get directly to your LAN.

The router does not block outgoing traffic at all, so DNS port 53 should not be a factor. But just to be sure, we actually disabled the firewall feature of the firewall, turning it into just a router, and continued to experience the same symptoms.

To answer your question, yes, in the first 20 minutes I am able to resolve domain names that have never been visited before, so they are not a product of cache.
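The point raised earlier in the thread, that being able to ping a forwarder's IP says nothing about whether port 53 traffic is getting through, is the kind of thing worth checking directly from the DNS server rather than inferring from ICMP. The script below is an added diagnostic written for this page; it is not code from any poster. It builds a raw DNS A query, sends it to a forwarder over both UDP/53 and TCP/53 through whatever default gateway the host is currently using, and reports the response code and answers per transport, so a timeout on one transport but not the other (or on both while ping still works) is visible immediately. The server address and query name are constructed placeholders; substitute your own forwarder. Run it once while resolution works and again after it stops, and compare.

```python
"""Probe a DNS forwarder on UDP/53 and TCP/53 directly, independently of ICMP ping."""
import socket
import struct

# Constructed placeholder values (TEST-NET address); replace with your own forwarder and a name to look up.
EXAMPLE_SERVER = "192.0.2.53"
EXAMPLE_NAME = "example.com"


def build_query(name, qid=0x1234, qtype=1):
    """Build a minimal DNS query (RFC 1035 wire format) with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # ID, flags=RD, QD=1, AN/NS/AR=0
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in name.rstrip(".").split("."))
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN


def _read_name(data, offset):
    """Decode a possibly compressed domain name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data, expected_qid):
    """Return the response code and any A-record answers; reject replies that are not ours."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_qid or not flags & 0x8000:       # ID must match and QR bit must be set
        raise ValueError("not a response to our query")
    offset = 12
    for _ in range(qdcount):                             # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0x000F, "answers": answers}


def probe(server, name, timeout=3.0):
    """Send the same query over UDP and TCP to port 53 and report the outcome for each transport."""
    qid = 0x4242
    query = build_query(name, qid)
    results = {}
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(4096)
            results["udp"] = parse_response(data, qid)
    except (OSError, ValueError) as exc:
        results["udp"] = {"error": str(exc) or exc.__class__.__name__}
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)   # TCP DNS is length-prefixed
            length = struct.unpack("!H", s.recv(2))[0]
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    break
                data += chunk
            results["tcp"] = parse_response(data, qid)
    except (OSError, ValueError) as exc:
        results["tcp"] = {"error": str(exc) or exc.__class__.__name__}
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else EXAMPLE_SERVER
    for transport, outcome in probe(target, EXAMPLE_NAME).items():
        print(transport, outcome)
```

Usage: `python dnsprobe.py <forwarder-ip>` from the DNS server itself, because the question is what that host's current gateway path does to port 53, not what some other machine sees. A result like `udp {'error': 'timed out'}` alongside a successful ping of the same address is exactly the "ping works, DNS doesn't" situation described above, and the UDP-versus-TCP split narrows down whether the device in the path treats the two differently.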

 