topic Re: DNS in Network Security

DNS

anthony.dyne — Mon, 11 Mar 2019 19:29:17 GMT

What steps do I perform on ASA 5510 to enable LAN users to resolve external DNS, all intranet sites are resolved using local DNS Server running on Windows 2003 Server.

Best Wishes

Anthony

Re: DNS

mirober2 — Fri, 31 Dec 2010 18:39:51 GMT

Hi Anthony,

Can you clarify which traffic you're trying to allow through the ASA?

If I understand your question you are trying to allow your internal Windows 2003 DNS server to resolve external domains with servers on the Internet so that it can provide those answers to your internal clients? If that's correct and your DNS server is setup properly, it should only be a matter of allowing outbound UDP/53 access.

If you post a sanitized copy of your config and let us know what IP address the DNS server uses, we can give you a more specific answer. In general though, you'll need to make sure the ASA has at least the following configuration:

1. Translation: A NAT/PAT rule to translate the DNS server's internal/private IP to a publicly routable global IP

2. Route: A default route where all Internet-bound traffic will be sent

3. Permission: An access-list allowing outbound UDP/53 traffic (only if the security-level of the interface that protects the DNS server is lower than that of the Internet-facing interface)

Hope that helps.

-Mike

Re: DNS

anthony.dyne — Fri, 31 Dec 2010 18:59:43 GMT

Hi Mike

Your understanding is correct. Allow internal Windows 2003 DNS server to resolve external domains through the ASA.

Windows 2003 DNS Server IP - 172.24.1.100 255.255.255.0

ASA inside IP - 172.23.1.1

Switch IP - 172.23.1.2

We received 14 usable public ip address from service provider

Its a new setup and soon will require also

MS Exchange SMTP gateway traffic to be allowed from inside and outside
OWA traffic from outside
Internet Browsing traffic from inside to outside

thanks

Re: DNS

mirober2 — Fri, 31 Dec 2010 19:04:18 GMT

Hi Anthony,

Thanks for clarifying. In that case, you'll need a config similar to this:

Assumptions:
Internal interface that protects DNS server = inside
External/Internet-facing interface = outside
DNS Server's public IP = A.B.C.D
static (inside,outside) A.B.C.D 172.24.1.100 netmask 255.255.255.255
access-list outside_access_in permit tcp any host A.B.C.D eq smtp
access-list outside_access_in permit tcp any host A.B.C.D eq https
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0

As for your 3rd requirement, you can use this:

nat (inside) 1 0 0
global (outside) 1 interface

Hope that helps.

-Mike

Re: DNS

anthony.dyne — Sat, 01 Jan 2011 10:19:00 GMT

Hi Mike

Thanks for your input, I need one clarification, what ports are needed from outside to inside to enable Windows 2003 Server to resolve external DNS.

thanks

Anthony

Re: DNS

mirober2 — Sat, 01 Jan 2011 12:54:57 GMT

Hi Anthony,

Since your Windows 2003 Server will be initiating the connections (from inside -> outside), you won't need to open any ports for the return traffic in the outside -> inside direction. The ASA will see the outgoing request and open the necessary pinholes to allow the response from the external DNS server to come back into your network.

That being said, if you have an inbound ACL on your inside interface, you would need to allow UDP/53 in this ACL. However, by default all traffic is allowed in the inside -> outside direction.

Hope that helps.

-Mike

Re: DNS

anthony.dyne — Sat, 01 Jan 2011 19:13:27 GMT

Hi Mike

Thanks for your help.

access-list inside_access_out permit udp host 1.1.1.1 any eq 53

Do i only need the above ACL to allow DNS resolution from inside to ouside when we have an inbound ACL on your inside interface.

Re: DNS

mirober2 — Sat, 01 Jan 2011 19:37:43 GMT

Hi Anthony,

Yes, you are correct.

-Mike