Cisco PIX 501 - How To Disable DNS Translation?

Discussion in 'Cisco' started by KipBond, Jan 26, 2007.

  1. KipBond

    KipBond Guest

    I finally realized that my Cisco PIX 501 firewall was responsible for
    returning the internal (private) IP addresses when querying my external
    (public) DNS server. So, how can I disable that?

    Cisco PIX Firewall Version 6.3(1)
    Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz

    I found the "DNS Rewrite" options in the translation rules. They were
    "Yes", so I set them all to "No" (then Applied the settings of course).
    The DNS "A" records are still being translated though. I did notice
    that it only translates UDP DNS queries, so if I force a TCP query, it
    doesn't get translated.

    Anyway, how can I completely disable the DNS translation?

    Thanks,
    -- Kip
    KipBond, Jan 26, 2007
    #1

  2. * KipBond wrote:
    > Anyway, how can I completely disable the DNS translation?


    no fixup dns.

    You should not do this, the pix is aware that you try to connect to the
    outside alias of an internal IP which is not reachable from inside. That's
    why the PIX translates this IP to the internal real one in order to fulfill
    your connection request.

    The observation, that the pix does not translate TCP queries should be
    considered as a bug. Please submit a bug report.
    Lutz Donnerhacke, Jan 26, 2007
    #2

  3. In article <>,
    KipBond <> wrote:
    >I finally realized that my Cisco PIX 501 firewall was responsible for
    >returning the internal (private) IP addresses when querying my external
    >(public) DNS server. So, how can I disable that?


    It is off by default.

    >Cisco PIX Firewall Version 6.3(1)


    There are known security problems in 6.3(1), 6.3(3), 6.3(4), 6.3(5)
    and a bad bug in 6.3(2). You should update to 6.3(5)112, which
    is a free update (as long as you are the registered owner of the device.)

    >Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz


    >I found the "DNS Rewrite" options in the translation rules. They were
    >"Yes", so I set them all to "No" (then Applied the settings of course).
    > The DNS "A" records are still being translated though.


    Did you "clear xlate" afterwards?

    The PIX only does DNS translation for statics that have the "dns"
    keyword on them -- unless, that is, you are using the deprecated
    "alias" command (which would not be permitted by PDM, and you are
    obviously using PDM.) Look at your actual configuration (in text),
    not at the PDM-mangled version of it.

    >I did notice
    >that it only translates UDP DNS queries, so if I force a TCP query, it
    >doesn't get translated.


    >Anyway, how can I completely disable the DNS translation?


    Who is it returning the internal addresses -to- ? If someone
    outside is querying your external DNS server then your PIX is not
    involved in the process, so if they are getting your private IPs it
    isn't the fault of the PIX. If someone inside is querying your external
    DNS server and is *not* getting your internal IPs returned, then you
    are going to have trouble reaching your own hosts, so you -want- DNS
    translation turned on. The only reason I can think of to disable
    the DNS translation would be if internally you are using a public IP
    block that does not belong to you, and you need to also talk to the
    machines that are rightfully in that IP block.

    But if you really want to disable the DNS translation (and it
    does not sound right that you would want to), then turn off the DNS
    fixup. But before you do that, upgrade your PIX OS version: you
    are living with insecurity and old bugs that have already been fixed.
    Walter Roberson, Jan 26, 2007
    #3
  4. KipBond

    KipBond Guest

    > no fixup dns.

    wiggum(config)# no fixup dns
    wrong number of arguments supplied
    Usage: [no] fixup protocol <prot> [<option>] [<port>-<port>]

    wiggum(config)# no fixup protocol dns
    bad protocol dns
    Usage: [no] fixup protocol <prot> [<option>] [<port>-<port>]

    > You should not do this, the pix is aware that you try to connect to the
    > outside alias of an internal IP which is not reachable from inside. That's
    > why the PIX translates this IP to the internal real one in order to fulfill
    > your connection request.


    I have an internal DNS server that all clients point to. My external
    DNS server is only for external DNS requests. I query it directly from
    inside our LAN for troubleshooting purposes. I used to have to SSH to
    the external server to get the correct responses. I now figured out
    that I can do a TCP query instead of the default UDP query. But,
    surely there is a way to turn this off? I don't need it to be on.

    Thanks!
    -- Kip
    KipBond, Jan 26, 2007
    #4
  5. In article <>,
    KipBond <> wrote:
    >> no fixup dns.


    >wiggum(config)# no fixup protocol dns
    >bad protocol dns


    Like I said, you should upgrade past 6.3(1).
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn633.htm#wp110415

    new features in 6.3(2)
    [no] fixup protocol dns

    Note If DNS fixup is disabled, the Address record (A-record) is not
    NATed and the DNS ID is not matched in requests and responses.

    >I have an internal DNS server that all clients point to. My external
    >DNS server is only for external DNS requests. I query it directly from
    >inside our LAN for troubleshooting purposes.


    Well then if you get back the correct internal IP you know the DNS
    server was working properly, since you know you didn't prime the
    external DNS server with the internal IPs. If you get back the wrong
    internal IP then one way or another you have a problem you have to fix.
    Walter Roberson, Jan 26, 2007
    #5
  6. KipBond

    KipBond Guest

    >Like I said, you should upgrade past 6.3(1).http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63...
    >
    > new features in 6.3(2)
    > [no] fixup protocol dns


    Ahh. I'll upgrade during the next scheduled maintenance. Thanks!

    > Note If DNS fixup is disabled, the Address record (A-record) is not
    > NATed and the DNS ID is not matched in requests and responses.


    I don't want the A records NATed, I just want to see exactly what the
    name server responded with. What does matching the DNS ID in requests
    & responses do?

    > Well then if you get back the correct internal IP you know the DNS
    > server was working properly, since you know you didn't prime the
    > external DNS server with the internal IPs. If you get back the wrong
    > internal IP then one way or another you have a problem you have to fix.


    And what if the external DNS server is returning an internal IP address
    (when it should be returning an external IP address), and thus needs to
    be fixed? This is very possible if using "views" in BIND, for
    instance; or if someone just messed up entering the IPs in the external
    DNS server. If the correct internal IP is returned, I may *think* that
    it's because the PIX translated it, but in reality, the wrong IP was
    returned by the server.

    The best way to make sure that the external DNS server is returning the
    proper information, is for me to query it and make sure it's exactly as
    it should be. If the PIX is rewriting the returned information,
    troubleshooting is more difficult and possibly error-prone.

    -- Kip
    KipBond, Jan 26, 2007
    #6
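    The troubleshooting problem Kip describes in posts #1, #4 and #6 (UDP answers rewritten by the firewall, TCP answers untouched) and the transaction-ID check mentioned in the 6.3(2) release note can both be modelled offline. The following is an added example, not Cisco code and not anything posted in the thread: it builds DNS replies by hand, emulates the fixup's A-record rewrite for statics carrying the "dns" keyword (as Walter Roberson describes in post #3), and then compares the A records from a UDP and a TCP query for the same name so a mismatch reveals that something in the path rewrote the answer. The statics table, the hostname and all addresses are constructed for the example; the rewrite model is a simplification of the real fixup.

```python
"""Model of the PIX DNS fixup rewrite and a UDP-vs-TCP diagnostic.

Added example, not Cisco code. Uses hand-built DNS messages so it
runs offline; the statics table and addresses are constructed.
"""
import socket  # only used to convert between dotted quads and 4-byte rdata
import struct


def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, name, addrs):
    """Build a minimal DNS answer: one A question, one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in addrs:
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answers


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """Return (txid, [(ip, rdata_offset), ...]) for A records in the answer section."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((socket.inet_ntoa(msg[off:off + 4]), off))
        off += rdlen
    return txid, records


def pix_dns_rewrite(msg, statics):
    """Emulate the 6.3 DNS fixup on a UDP reply (simplified model).

    statics: list of (global_ip, local_ip, dns_keyword). An A record is
    rewritten only when it matches a static that carries the 'dns' keyword.
    """
    out = bytearray(msg)
    _txid, records = parse_a_records(msg)
    for ip, off in records:
        for global_ip, local_ip, dns in statics:
            if dns and ip == global_ip:
                out[off:off + 4] = socket.inet_aton(local_ip)
    return bytes(out)


def response_id_matches(request, response):
    """The fixup's transaction-ID check: a reply must carry the request's ID."""
    return request[:2] == response[:2]


def detect_rewrite(udp_reply, tcp_reply):
    """Compare A records from a UDP and a TCP query for the same name.

    Returns the (udp_ip, tcp_ip) pairs that differ; an empty list means
    nothing between the client and the server rewrote the answer.
    """
    udp_ips = [ip for ip, _ in parse_a_records(udp_reply)[1]]
    tcp_ips = [ip for ip, _ in parse_a_records(tcp_reply)[1]]
    return [(u, t) for u, t in zip(udp_ips, tcp_ips) if u != t]


# Constructed scenario: the public server answers with public addresses; the
# firewall has a 'dns' static for the first one only, so the UDP reply comes
# back rewritten while the TCP reply (not inspected by the fixup) does not.
STATICS = [("203.0.113.10", "192.168.1.10", True),
           ("203.0.113.20", "192.168.1.20", False)]
SERVER_REPLY = build_response(0x1234, "www.example.com", ["203.0.113.10", "203.0.113.20"])
UDP_SEEN_INSIDE = pix_dns_rewrite(SERVER_REPLY, STATICS)
TCP_SEEN_INSIDE = SERVER_REPLY

if __name__ == "__main__":
    print("UDP answer:", [ip for ip, _ in parse_a_records(UDP_SEEN_INSIDE)[1]])
    print("TCP answer:", [ip for ip, _ in parse_a_records(TCP_SEEN_INSIDE)[1]])
    print("rewritten :", detect_rewrite(UDP_SEEN_INSIDE, TCP_SEEN_INSIDE))
```

    Against a live server the same comparison is done by sending the query once over UDP and once over TCP (for example `dig +tcp`) and feeding both raw replies to `detect_rewrite`; any pair it reports is an address the path rewrote rather than what the server sent. The `response_id_matches` check is what the release note means by matching the DNS ID: with the fixup on, a reply whose ID does not match an outstanding request is not accepted, which is the protection you give up along with the A-record rewrite when you turn the fixup off.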