enabling nslookups via rules - help

whiteford — Mon, 11 Mar 2019 09:14:13 GMT

I can't do nslookups through our pix from my PC, what do I need to do?

Re: enabling nslookups via rules - help

scottmac — Sat, 30 Dec 2006 15:25:17 GMT

What error are you getting?

Have you tried specifiying a specific DNS to query? Internal or external?

Have you tried "dig"? "dig" is not available on MS Windows, but can be downloaded. It is the "new nslookup" and gives more/better information.

Let us know

Scott

Re: enabling nslookups via rules - help

whiteford — Sat, 30 Dec 2006 15:33:58 GMT

sorry it's nslookups to external Internet addresses like www.google.com. Internal is fine, so I believe it must be a Pix rule I need to create?

Re: enabling nslookups via rules - help

scottmac — Sat, 30 Dec 2006 19:13:55 GMT

It may be the configuration of your internal DNS.

By default, nslookup will use the DNS defined for that PC. IF that DNS doesn't have the record (either defined or cached), it should kick it up to the next level of DNS.

You can specify a specific DNS to use:

Commands: (identifiers are shown in uppercase, [] means optional)

NAME - print info about the host/domain NAME using default server

NAME1 NAME2 - as above, but use NAME2 as server

help or ? - print info on common commands

set OPTION - set an option

all - print options, current server and host

[no]debug - print debugging information

[no]d2 - print exhaustive debugging information

[no]defname - append domain name to each query

[no]recurse - ask for recursive answer to query

[no]search - use domain search list

[no]vc - always use a virtual circuit

domain=NAME - set default domain name to NAME

srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1,N2, etc.

root=NAME - set root server to NAME

retry=X - set number of retries to X

timeout=X - set initial time-out interval to X seconds

type=X - set query type (ex. A,ANY,CNAME,MX,NS,PTR,SOA,SRV)

querytype=X - same as type

class=X - set query class (ex. IN (Internet), ANY)

[no]msxfr - use MS fast zone transfer

ixfrver=X - current version to use in IXFR transfer request

server NAME - set default server to NAME, using current default server

lserver NAME - set default server to NAME, using initial server

finger [USER] - finger the optional NAME at the current default host

root - set current default server to the root

ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)

-a - list canonical names and aliases

-d - list all records

-t TYPE - list records of the given type (e.g. A,CNAME,MX,NS,PTR etc.)

view FILE - sort an 'ls' output file and view it with pg

exit - exit the program

You can get the above list by just entering "nslookup" at the command prompt.

nslookup uses the same port(s) as DNS to get through the firewall, so if an external query (like www.google.com) works, nslookup should work too (unless specifically restricted to the internal DNS as a source address in some access-list).

Try using the DNS of your home ISP (or other DNS that exists outside of your network - use the "name2" option, like nslookup www.google.com ).

Good Luck

Scott

Re: enabling nslookups via rules - help

whiteford — Sat, 30 Dec 2006 20:10:30 GMT

thing is I can resolve internet pages fine, if I do ping www.google.com it comes back with the IP, but nslookup won't, just isn't my area of knowledge here.

topic enabling nslookups via rules - help in Network Security

enabling nslookups via rules - help

Re: enabling nslookups via rules - help

Re: enabling nslookups via rules - help

Re: enabling nslookups via rules - help

Re: enabling nslookups via rules - help