Unable to make DNS requests from inside the DMZ

Discussion in 'Cisco' started by Chris, Mar 15, 2007.

  1. Chris

    Chris Guest

    I inherited a LAN with a not-very-well documented DMZ. My DNS server
    is 172.16.1.159/16, and my DMZ client is 172.30.1.3. The DNS server's
    default gateway is the PIX's "inside" port (172.16.1.181), and the DMZ
    client's default gateway is the PIX's "dmz" port (172.30.1.1). The PIX
    is a 525 running PIX OS 6.3(5).

    In order for the DMZ client to be able to access HTTP and DNS ports on
    the DNS server, I have the following ACL rules in place:

    access-list dmzin permit tcp host 172.30.1.3 host 172.30.1.159 eq www
    access-list dmzin permit tcp host 172.30.1.3 host 172.30.1.159 eq domain
    access-list dmzin permit udp host 172.30.1.3 host 172.30.1.159 eq domain
    static (inside,dmz) tcp 172.30.1.159 www 172.16.1.159 www netmask 255.255.255.255 0 0
    static (inside,dmz) tcp 172.30.1.159 domain 172.16.1.159 domain netmask 255.255.255.255 0 0
    static (inside,dmz) udp 172.30.1.159 domain 172.16.1.159 domain netmask 255.255.255.255 0 0

    I have both UDP & TCP permitted on port 53, so DNS requests from the
    DMZ to Inside should work. But they don't seem to! HTTP requests from
    the DMZ to Inside function correctly. Interestingly, I can telnet to
    the DNS port on the server from the DMZ, I just can't actually make
    requests. Like so:

    $ telnet 172.30.1.159 53
    Trying 172.30.1.159...
    Connected to 172.30.1.159.
    Escape character is '^]'.
    AS<KDJASKLDJAKLSDJKLASJDASD
    ^]
    telnet> quit
    Connection to 172.30.1.159 closed.

    $ nslookup
    *** Can't find server name for address 172.30.1.159: Non-existent host/domain
    *** Default servers are not available

    Am I missing something obvious here? The PIX has fixup enabled for
    both HTTP and DNS. I've tried enabling the "listen-on" option on the
    BIND server (v8), but to no avail.

    Thanks,


    Chris
     
    Chris, Mar 15, 2007
    #1

  2. Chris

    Trendkill Guest

    Why do you have 172.30.1.159 in your static route configs? I didn't
    see this IP anywhere? Don't you mean 172.16.1.159 or 172.30.1.3?
    Forgive me if it's a dumb question, not an expert when it comes to
    PIX.....
     
    Trendkill, Mar 15, 2007
    #2

  3. Chris

    Chris Guest

    I'm not sure why this was set up the way it was in the first place,
    but the way I see it is that 172.16.1.159 is the "inside" IP for a
    server, and 172.30.1.159 is its "virtual" DMZ IP for the same server.
    I can add new ACLs and statics to get other services working (e.g.
    FTP), just not DNS...


    Chris
     
    Chris, Mar 15, 2007
    #3
  4. Chris

    Trendkill Guest

    It looks to me from the error that it has something to do with the
    local box. See this post on another forum related to reverse zone
    lookups. It does not look like a pix/routing issue to me.

    http://www.pcreview.co.uk/forums/thread-1473940.php
     
    Trendkill, Mar 15, 2007
    #4
  5. Chris

    Trendkill Guest

    Here is another link re: sun since it looks like you are running nix.

    http://www.clip.dia.fi.upm.es/~alopez/solaris/sun-managers7/0074.html
     
    Trendkill, Mar 15, 2007
    #5
  6. Chris

    Chris Guest

    Thanks -- that was a little help, but it's not 100% solved yet :)

    Here's the output of nslookup -d2:

    [[email protected] etc]# nslookup -d2 172.30.1.30
    ;; res_nmkquery(QUERY, 30.1.30.172.in-addr.arpa, IN, PTR)
    ------------
    SendRequest(), len 42
    HEADER:
    opcode = QUERY, id = 20404, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0,
    additional = 0

    QUESTIONS:
    30.1.30.172.in-addr.arpa, type = PTR, class = IN

    ------------
    ------------
    Got answer (138 bytes):
    HEADER:
    opcode = QUERY, id = 20404, rcode = NXDOMAIN
    header flags: response, want recursion, recursion avail.
    questions = 1, answers = 0, authority records = 1,
    additional = 0

    QUESTIONS:
    30.1.30.172.in-addr.arpa, type = PTR, class = IN
    AUTHORITY RECORDS:
    -> 30.172.in-addr.arpa
    type = SOA, class = IN, dlen = 65
    ttl = 10791 (10791)
    origin = prisoner.iana.org
    mail addr = hostmaster.root-servers.org
    serial = 2002040800
    refresh = 1800 (30M)
    retry = 900 (15M)
    expire = 604800 (1W)
    minimum ttl = 604800 (1W)

    ------------
    *** Can't find server name for address 172.30.1.30: Non-existent host/domain
    *** Default servers are not available

    So, the connection is clearly getting to the DNS server, it's just
    rejecting it for some reason. But *why*?


    Chris
     
    Chris, Mar 15, 2007
    #6
  7. Chris

    Trendkill Guest

    Did you read the second link I sent? It specifically mentions
    something about the dns server not having a pointer record for
    itself. When the guy added one, everything worked. Check it out as
    I'm thinking this is where your problem is. Appreciate your patience
    with my non-flat out answers......I'm a router/switch guy so I'm not
    an expert with PIX or DNS configs.
     
    Trendkill, Mar 15, 2007
    #7
  8. Chris

    Chris Guest

    That ended up fixing it, thanks! The DNS server in question is
    actually deprecated in our environment, so I didn't notice that its
    configuration had a lot of errors -- including no PTR record to
    itself. Well, it had a PTR record for itself (i.e. its regular
    172.16.1.159 address), just not for its IP address as seen by the DMZ
    (172.30.1.159). Now it's going!

    Thanks again,


    Chris
     
    Chris, Mar 15, 2007
    #8
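What the -d2 trace in post #6 and the fix in post #8 add up to, as an added example that is not part of the thread: nslookup first sends a PTR query for its own server's address, and if that reverse lookup comes back NXDOMAIN it gives up with "Can't find server name". The block builds that 42-byte query, parses a reply constructed to mirror the 138-byte NXDOMAIN answer above (SOA from prisoner.iana.org, dlen 65), and reports the missing PTR for the DMZ-side address; all function names are my own.

```python
import struct
PTR, SOA, NXDOMAIN = 12, 6, 3
def reverse_name(ip):
    # The name nslookup resolves first, for its own server: 172.30.1.30 -> 30.1.30.172.in-addr.arpa
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
def build_ptr_query(ip, txid=20404):
    # Same 42-byte message as res_nmkquery(QUERY, <reverse name>, IN, PTR): RD set, one question
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(reverse_name(ip)) + struct.pack("!HH", PTR, 1)

def read_name(msg, off):
    # Decode a possibly compressed name; returns (name, offset just past it)
    labels = []
    while (n := msg[off]) and not n & 0xC0:
        labels.append(msg[off + 1:off + 1 + n].decode()); off += 1 + n
    if n & 0xC0:  # 11xxxxxx: pointer into an earlier name
        return ".".join(labels + [read_name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)[0]]), off + 2
    return ".".join(labels), off + 1

def parse_response(msg):
    # Returns (rcode, PTR targets, SOA MNAME from the authority section or None)
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    off, ptrs, origin = 12, [], None
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    for _ in range(an + ns):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == PTR:
            ptrs.append(read_name(msg, off)[0])
        elif rtype == SOA:
            origin = read_name(msg, off)[0]  # who holds the reverse zone (here: not your server)
        off += rdlen
    return flags & 0xF, ptrs, origin

def diagnose(ip, msg):
    # The check behind "Can't find server name for address <ip>": does ip have a PTR?
    rcode, ptrs, origin = parse_response(msg)
    return "ok: %s -> %s" % (ip, ptrs[0]) if ptrs else \
        "no PTR for %s (rcode %d, reverse zone held by %s): add a PTR for the DMZ-side address" % (ip, rcode, origin)
def sample_nxdomain_response(ip="172.30.1.30", txid=20404):
    # Constructed 138-byte reply mirroring the -d2 output: NXDOMAIN, one SOA (dlen 65) in authority; RNAME's ".org" is a pointer to offset 87, the "org" label inside MNAME
    rname = encode_name("hostmaster.root-servers")[:-1] + struct.pack("!H", 0xC000 | 87)
    soa = encode_name("prisoner.iana.org") + rname + struct.pack("!IIIII", 2002040800, 1800, 900, 604800, 604800)
    soa_rr = encode_name("30.172.in-addr.arpa") + struct.pack("!HHIH", SOA, 1, 10791, len(soa)) + soa
    return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 1, 0) + build_ptr_query(ip, txid)[12:] + soa_rr
```

Run `diagnose("172.30.1.30", sample_nxdomain_response())` to see the verdict; against a live server you would send `build_ptr_query(ip)` over UDP/53 and feed the reply to the same function.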