Unable to make DNS requests from inside the DMZ

Discussion in 'Cisco' started by Chris, Mar 15, 2007.

  1. Chris

    Chris Guest

    I inherited a LAN with a not-very-well documented DMZ. My DNS server
    is 172.16.1.159/16, and my DMZ client is 172.30.1.3. The DNS server's
    default gateway is the PIX's "inside" port (172.16.1.181), and the DMZ
    client's default gateway is the PIX's "dmz" port (172.30.1.1). The PIX
    is a 525 running PIX OS 6.3(5).

    In order for the DMZ client to be able to access HTTP and DNS ports on
    the DNS server, I have the following ACL rules in place:

    access-list dmzin permit tcp host 172.30.1.3 host 172.30.1.159 eq www
    access-list dmzin permit tcp host 172.30.1.3 host 172.30.1.159 eq domain
    access-list dmzin permit udp host 172.30.1.3 host 172.30.1.159 eq domain
    static (inside,dmz) tcp 172.30.1.159 www 172.16.1.159 www netmask 255.255.255.255 0 0
    static (inside,dmz) tcp 172.30.1.159 domain 172.16.1.159 domain netmask 255.255.255.255 0 0
    static (inside,dmz) udp 172.30.1.159 domain 172.16.1.159 domain netmask 255.255.255.255 0 0

    I have both UDP & TCP permitted on port 53, so DNS requests from the
    DMZ to Inside should work. But they don't seem to! HTTP requests from
    the DMZ to Inside function correctly. Interestingly, I can telnet to
    the DNS port on the server from the DMZ, I just can't actually make
    requests. Like so:

    $ telnet 172.30.1.159 53
    Trying 172.30.1.159...
    Connected to 172.30.1.159.
    Escape character is '^]'.
    AS<KDJASKLDJAKLSDJKLASJDASD
    ^]
    telnet> quit
    Connection to 172.30.1.159 closed.

    $ nslookup
    *** Can't find server name for address 172.30.1.159: Non-existent host/domain
    *** Default servers are not available

    Am I missing something obvious here? The PIX has fixup enabled for
    both HTTP and DNS. I've tried enabling the "listen-on" option on the
    BIND server (v8), but to no avail.

    Thanks,


    Chris
     
    Chris, Mar 15, 2007
    #1
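As an added example (not code from the thread), here is a small Python check over the poster's own ACL and static lines: it resolves each permitted DMZ flow to the inside host and port the port-static actually maps it to, flags ACL entries that have no static behind them (on PIX 6.x a DMZ-to-inside flow needs a translation, not only a permit), and lists the DMZ-facing addresses the inside resolver has to be able to name. Nothing beyond the lines quoted in the post is assumed.

```python
import re

# Added example, not from the thread. The config text is the poster's own
# PIX 6.3(5) lines, joined back onto single lines after the forum wrapped them.
PIX_CONFIG = """
access-list dmzin permit tcp host 172.30.1.3 host 172.30.1.159 eq www
access-list dmzin permit tcp host 172.30.1.3 host 172.30.1.159 eq domain
access-list dmzin permit udp host 172.30.1.3 host 172.30.1.159 eq domain
static (inside,dmz) tcp 172.30.1.159 www 172.16.1.159 www netmask 255.255.255.255 0 0
static (inside,dmz) tcp 172.30.1.159 domain 172.16.1.159 domain netmask 255.255.255.255 0 0
static (inside,dmz) udp 172.30.1.159 domain 172.16.1.159 domain netmask 255.255.255.255 0 0
"""

# access-list <name> permit <proto> host <src> host <dst> eq <port>
ACL_RE = re.compile(r"access-list (\S+) permit (tcp|udp) host (\S+) host (\S+) eq (\S+)")
# static (<real_if>,<mapped_if>) <proto> <mapped_ip> <mapped_port> <real_ip> <real_port> netmask ...
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")

def parse(config):
    """Split the config into ACL tuples and a dict of port statics."""
    acl, statics = [], {}
    for line in config.strip().splitlines():
        m = ACL_RE.match(line)
        if m:
            acl.append((m.group(2), m.group(3), m.group(4), m.group(5)))
            continue
        m = STATIC_RE.match(line)
        if m:
            # keyed by what the DMZ sees; value is the real inside host and port
            statics[(m.group(3), m.group(4), m.group(5))] = (m.group(6), m.group(7))
    return acl, statics

def check(config):
    """Resolve each permitted DMZ flow to the inside host it actually reaches.

    Returns (reached, unmapped): reached maps (proto, mapped_ip, port) to the
    (real_ip, real_port) behind it; unmapped lists ACL entries with no static,
    which have no translation to the inside and are never forwarded."""
    acl, statics = parse(config)
    reached, unmapped = {}, []
    for proto, src, dst, port in acl:
        real = statics.get((proto, dst, port))
        if real is None:
            unmapped.append((proto, src, dst, port))
        else:
            reached[(proto, dst, port)] = real
    return reached, unmapped

def dmz_facing_addresses(config):
    """Mapped addresses the DMZ client talks to; the inside resolver needs a
    PTR record for each of these, not only for the real inside address."""
    return {mapped_ip for (_, mapped_ip, _) in parse(config)[1]}
```

For the posted config every ACL entry has a matching static and the only DMZ-facing address is 172.30.1.159, which is consistent with the thread's conclusion that the PIX side was fine.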

  2. Chris

    Trendkill Guest

    On Mar 15, 3:14 pm, "Chris" <> wrote:
    > In order for the DMZ client to be able to access HTTP and DNS ports on
    > the DNS server, I have the following ACL rules in place:
    >
    > access-list dmzin permit tcp host 172.30.1.3 host 172.30.1.159 eq www
    > access-list dmzin permit tcp host 172.30.1.3 host 172.30.1.159 eq domain
    > access-list dmzin permit udp host 172.30.1.3 host 172.30.1.159 eq domain
    > static (inside,dmz) tcp 172.30.1.159 www 172.16.1.159 www netmask 255.255.255.255 0 0
    > static (inside,dmz) tcp 172.30.1.159 domain 172.16.1.159 domain netmask 255.255.255.255 0 0
    > static (inside,dmz) udp 172.30.1.159 domain 172.16.1.159 domain netmask 255.255.255.255 0 0


    Why do you have 172.30.1.159 in your static route configs? I didn't
    see this IP anywhere? Don't you mean 172.16.1.159 or 172.30.1.3?
    Forgive me if it's a dumb question, not an expert when it comes to
    PIX.....
     
    Trendkill, Mar 15, 2007
    #2

  3. Chris

    Chris Guest

    On Mar 15, 3:21 pm, "Trendkill" <> wrote:
    > On Mar 15, 3:14 pm, "Chris" <> wrote:
    >
    > Why do you have 172.30.1.159 in your static route configs? I didn't
    > see this IP anywhere? Don't you mean 172.16.1.159 or 172.30.1.3?
    > Forgive me if it's a dumb question, not an expert when it comes to
    > PIX.....


    I'm not sure why this was set up the way it was in the first place,
    but the way I see it is that 172.16.1.159 is the "inside" IP for a
    server, and 172.30.1.159 is its "virtual" DMZ IP for the same server.
    I can add new ACLs and statics to get other services working (e.g.
    FTP), just not DNS...


    Chris
     
    Chris, Mar 15, 2007
    #3
  4. Chris

    Trendkill Guest

    On Mar 15, 3:30 pm, "Chris" <> wrote:
    > On Mar 15, 3:21 pm, "Trendkill" <> wrote:
    >
    > I'm not sure why this was set up the way it was in the first place,
    > but the way I see it is that 172.16.1.159 is the "inside" IP for a
    > server, and 172.30.1.159 is its "virtual" DMZ IP for the same server.
    > I can add new ACLs and statics to get other services working (e.g.
    > FTP), just not DNS...
    >
    > Chris


    It looks to me from the error that it has something to do with the
    local box. See this post on another forum related to reverse zone
    lookups. It does not look like a PIX/routing issue to me.

    http://www.pcreview.co.uk/forums/thread-1473940.php
     
    Trendkill, Mar 15, 2007
    #4
  5. Chris

    Trendkill Guest

    On Mar 15, 3:43 pm, "Trendkill" <> wrote:
    > On Mar 15, 3:30 pm, "Chris" <> wrote:
    >
    > It looks to me from the error that it has something to do with the
    > local box. See this post on another forum related to reverse zone
    > lookups. It does not look like a pix/routing issue to me.
    >
    > http://www.pcreview.co.uk/forums/thread-1473940.php


    Here is another link re: Sun, since it looks like you are running *nix.

    http://www.clip.dia.fi.upm.es/~alopez/solaris/sun-managers7/0074.html
     
    Trendkill, Mar 15, 2007
    #5
  6. Chris

    Chris Guest

    On Mar 15, 3:43 pm, "Trendkill" <> wrote:
    > It looks to me from the error that it has something to do with the
    > local box. See this post on another forum related to reverse zone
    > lookups. It does not look like a pix/routing issue to me.
    >
    > http://www.pcreview.co.uk/forums/thread-1473940.php


    Thanks -- that was a little help, but it's not 100% solved yet :)

    Here's the output of nslookup -d2:

    [root@pphweb1 etc]# nslookup -d2 172.30.1.30
    ;; res_nmkquery(QUERY, 30.1.30.172.in-addr.arpa, IN, PTR)
    ------------
    SendRequest(), len 42
    HEADER:
    opcode = QUERY, id = 20404, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0,
    additional = 0

    QUESTIONS:
    30.1.30.172.in-addr.arpa, type = PTR, class = IN

    ------------
    ------------
    Got answer (138 bytes):
    HEADER:
    opcode = QUERY, id = 20404, rcode = NXDOMAIN
    header flags: response, want recursion, recursion avail.
    questions = 1, answers = 0, authority records = 1,
    additional = 0

    QUESTIONS:
    30.1.30.172.in-addr.arpa, type = PTR, class = IN
    AUTHORITY RECORDS:
    -> 30.172.in-addr.arpa
    type = SOA, class = IN, dlen = 65
    ttl = 10791 (10791)
    origin = prisoner.iana.org
    mail addr = hostmaster.root-servers.org
    serial = 2002040800
    refresh = 1800 (30M)
    retry = 900 (15M)
    expire = 604800 (1W)
    minimum ttl = 604800 (1W)

    ------------
    *** Can't find server name for address 172.30.1.30: Non-existent host/domain
    *** Default servers are not available

    So, the connection is clearly getting to the DNS server, it's just
    rejecting it for some reason. But *why*?


    Chris
     
    Chris, Mar 15, 2007
    #6
  7. Chris

    Trendkill Guest

    On Mar 15, 4:28 pm, "Chris" <> wrote:
    > So, the connection is clearly getting to the DNS server, it's just
    > rejecting it for some reason. But *why*?
    >
    > Chris


    Did you read the second link I sent? It specifically mentions
    something about the dns server not having a pointer record for
    itself. When the guy added one, everything worked. Check it out as
    I'm thinking this is where your problem is. Appreciate your patience
    with my non-flat out answers......I'm a router/switch guy so I'm not
    an expert with PIX or DNS configs.
     
    Trendkill, Mar 15, 2007
    #7
  8. Chris

    Chris Guest

    On Mar 15, 4:35 pm, "Trendkill" <> wrote:
    >
    > Did you read the second link I sent? It specifically mentions
    > something about the dns server not having a pointer record for
    > itself. When the guy added one, everything worked. Check it out as
    > I'm thinking this is where your problem is. Appreciate your patience
    > with my non-flat out answers......I'm a router/switch guy so I'm not
    > an expert with PIX or DNS configs.


    That ended up fixing it, thanks! The DNS server in question is
    actually deprecated in our environment, so I didn't notice that its
    configuration had a lot of errors -- including no PTR record to
    itself. Well, it had a PTR record for itself (i.e. its regular
    172.16.1.159 address), just not for its IP address as seen by the DMZ
    (172.30.1.159). Now it's going!

    Thanks again,


    Chris
     
    Chris, Mar 15, 2007
    #8
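The nslookup -d2 trace in post #6 is the resolver trying to name its own server with a PTR query, and the SOA in the authority section comes from prisoner.iana.org, one of the IANA servers that end up answering reverse queries for private address space, which shows the DNS server had no local reverse zone covering 172.30.x.x and so could only say NXDOMAIN. As an added example (not code from the thread), this Python script builds that PTR query on the wire and parses a constructed NXDOMAIN reply beside a constructed NOERROR reply carrying a PTR record, i.e. the before and after of the fix; dns1.example.test is a placeholder name.

```python
import struct

# Added example, not from the thread. Constructed values: the resolver address
# the DMZ client uses (from the thread) and a placeholder PTR target name.
SERVER_DMZ_IP = "172.30.1.159"
PTR_TARGET = "dns1.example.test"   # placeholder hostname, not from the thread

def reverse_name(ip):
    """The in-addr.arpa name a resolver queries to name an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def decode_name(msg, off):
    """Decode a wire-format name, following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                     # 2-byte pointer into msg
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), (end if end is not None else off)

def build_ptr_query(ip, txid=20404):
    """Same message nslookup sends first: QUERY, RD set, one PTR question."""
    hdr = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(reverse_name(ip)) + struct.pack(">HH", 12, 1)

def build_ptr_response(query, target=None):
    """Constructed reply: NXDOMAIN with no answer (the authority SOA the real
    server returned is omitted), or NOERROR with one PTR answer."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    if target is None:                            # flags 0x8183 -> rcode 3
        return struct.pack(">HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    rdata = encode_name(target)
    rr = b"\xC0\x0C" + struct.pack(">HHIH", 12, 1, 3600, len(rdata)) + rdata
    return struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr

def diagnose(response):
    """Return (rcode_name, ptr_target); NXDOMAIN here is exactly the state that
    makes nslookup print 'Can't find server name for address'."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", response[:12])
    rcode = {0: "NOERROR", 3: "NXDOMAIN"}.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = decode_name(response, off)
        off += 4                                  # qtype + qclass
    target = None
    for _ in range(an):
        _, off = decode_name(response, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", response[off:off + 10])
        off += 10
        if rtype == 12 and target is None:        # type 12 = PTR
            target = decode_name(response, off)[0]
        off += rdlen
    return rcode, target
```

The query for 172.30.1.30 comes out at 42 bytes, matching the "SendRequest(), len 42" line in the trace above.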
