
Simple DNS question


yowza, Technical User, Nov 28, 2001
Our customer will not allow us to set up a DNS server on the inside. We have 4 servers behind the PIX that need DNS, primarily for reverse lookups. When I allow access to the Primary and Secondary DNS servers outside of the PIX everything seems to work ok except I see our servers requesting connections to quite a few other DNS servers out there; not just to the 2 DNS servers. To get rid of the other messages in the log, I set the servers up with the following:

access-list acl_inside permit udp any any eq domain

My thinking (which is probably a mistake) was that our servers would only request DNS using the Primary & Secondary DNS entries that are configured on that server. Replies coming back in would automatically be allowed. Is this statement ok or am I opening up a bunch of holes? Is there a better way to do this?

Any help/suggestions would be appreciated.
Thanks,
yowza
 
HI.

> Our customer will not allow us to set up a DNS server on the inside.
The DNS servers hosting the client domain should be at ISP in most cases, but setting up a caching only DNS server which will forward to the ISP servers could be a good idea.
Did you suggest this solution (caching only + forward) to the client?

The DNS behavior of the servers is dependent not only on their TCP/IP configuration, but is also OS dependent, and some applications (like mail and web servers) have application settings overriding OS configuration for DNS, including a built-in DNS resolver at the application.
So - check both OS and application configuration at the servers.

Bye
Yizhar Hurwitz
 
Thanks for the response Yizhar. No, I didn't suggest caching only + forward because I don't know what it is:)) I will look into it.
Meanwhile, is the
access-list acl_inside permit udp any any eq domain

ok or would it be better to just restrict the hosts' access only to the Primary and Secondary DNS servers?

Thanks again!
yowza
 
HI.

> access-list acl_inside permit udp any any eq domain
> or would it be better to just restrict the hosts access only to the Prim and Secondary DNS servers?

Either option should be fine, but you should check and verify this in the field.

As you already have done - continue to use syslog messages (I recommend level 4 for that task) and check the logs to see if the PIX is blocking any traffic generated from your servers.

Bye
Yizhar Hurwitz
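The two options discussed in this thread, the blanket `permit udp any any eq domain` versus an access list restricted to the four inside servers and the two ISP resolvers, and the syslog check Yizhar recommends, can be tied together in a small script. The following is an added example, not code posted by either participant: it generates the host-restricted PIX access-list lines from a list of inside servers and resolvers, then parses PIX `%PIX-4-106023` deny messages (the message the PIX logs at severity 4 when an access-group drops a packet) and sorts denied port-53 flows into "blocked on the way to a configured resolver" (the restricted ACL is wrong or a server points at a resolver it should not) and "blocked on the way somewhere else" (the stray DNS traffic the original post saw). The addresses, interface names, ACL name and log lines are constructed for the example.

```python
"""Build a host-restricted PIX DNS access list and check PIX syslog denies against it.

Added example for this thread, not code from the original posts. The inside
server and resolver addresses, the syslog lines and the interface names are
constructed for illustration; the %PIX-4-106023 message is the one a PIX logs
when an access-group denies a packet.
"""
import re
from collections import Counter

# Constructed addresses (RFC 1918 / RFC 5737 documentation ranges), not from the thread.
INSIDE_SERVERS = ["10.1.1.10", "10.1.1.11", "10.1.1.12", "10.1.1.13"]
DNS_RESOLVERS = ["192.0.2.53", "198.51.100.53"]  # ISP primary and secondary


def build_dns_acl(name, servers, resolvers, proto="udp"):
    """Return PIX access-list lines permitting DNS only from the listed inside
    servers to the listed resolvers, the tighter alternative to
    'access-list <name> permit udp any any eq domain'."""
    return [
        f"access-list {name} permit {proto} host {srv} host {dns} eq domain"
        for srv in servers
        for dns in resolvers
    ]


# Example of the message being parsed (constructed values):
# %PIX-4-106023: Deny udp src inside:10.1.1.10/1034 dst outside:203.0.113.9/53 by access-group "acl_inside"
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log_lines):
    """Yield (src, dst, dport, acl) for every 106023 deny message; other lines are skipped."""
    for line in log_lines:
        m = DENY_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["acl"]


def classify_dns_denies(log_lines, servers, resolvers):
    """Split denied port-53 flows originating from the inside servers into two buckets.

    'to_resolver': a configured resolver was blocked, so the restricted ACL or the
                   server's resolver settings need attention.
    'elsewhere':   a server tried DNS to some other destination, which is the traffic
                   the restricted ACL is meant to stop (and worth explaining per server).
    """
    servers, resolvers = set(servers), set(resolvers)
    result = {"to_resolver": Counter(), "elsewhere": Counter()}
    for src, dst, dport, _acl in parse_denies(log_lines):
        if dport != 53 or src not in servers:
            continue
        bucket = "to_resolver" if dst in resolvers else "elsewhere"
        result[bucket][(src, dst)] += 1
    return result


# Constructed syslog sample: two strays from one server, one blocked resolver query,
# one unrelated TCP deny and one non-deny line that the parser must ignore.
SAMPLE_LOG = [
    '%PIX-4-106023: Deny udp src inside:10.1.1.10/1034 dst outside:203.0.113.9/53 by access-group "acl_inside"',
    '%PIX-4-106023: Deny udp src inside:10.1.1.10/1035 dst outside:203.0.113.9/53 by access-group "acl_inside"',
    '%PIX-4-106023: Deny udp src inside:10.1.1.12/1100 dst outside:192.0.2.53/53 by access-group "acl_inside"',
    '%PIX-4-106023: Deny tcp src inside:10.1.1.11/2000 dst outside:203.0.113.80/80 by access-group "acl_inside"',
    '%PIX-6-302013: Built outbound TCP connection 7 for outside:203.0.113.80/80 (constructed line)',
]

if __name__ == "__main__":
    for line in build_dns_acl("acl_inside", INSIDE_SERVERS, DNS_RESOLVERS):
        print(line)
    report = classify_dns_denies(SAMPLE_LOG, INSIDE_SERVERS, DNS_RESOLVERS)
    for bucket, flows in report.items():
        for (src, dst), n in flows.items():
            print(f"{bucket}: {src} -> {dst} denied {n} time(s)")
```

Run against a real `logging trap warnings` (level 4) feed, the "elsewhere" bucket tells you which of the four servers is still consulting resolvers other than the two configured ones, which is the per-server OS and application check Yizhar describes; the "to_resolver" bucket should stay empty once the restricted lines are in place.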
 