DNS Zone Transfer from 2 DNS boxes NATed behind PIXes

bkalstad
Level 1

Presently we have two DNS appliances at two different locations behind two PIXes (520, 525). Both of these PIXes are NATed to two different external IP addresses out on the Internet. We're trying to do DNS zone transfers between the two boxes and all the transfers keep timing out. We've checked and it doesn't look like there is a routing issue causing this.

Is there a known issue regarding inbound or outbound NAT between two NATed PIXes? I hope that makes sense. Just curious if anyone has seen something like this before? Please advise if you need more specific info. Thanks

Brian Kalstad

TxDOT

8 Replies

Patrick Iseli
Level 7

Have you checked the fixup and enabled TCP port 53 on the outside access-list?

Disable the fixup protocol dns and try a zone transfer again:

no fixup protocol dns

If it does not help, re-enable it with its default value.

What does the fixup do:

Use the fixup protocol dns command to specify the maximum DNS packet length. DNS requires application inspection so that DNS queries will not be subject to the generic UDP handling based on activity timeouts. Instead, the UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received. This functionality is called DNS Guard.

The port assignment for the Domain Name System (DNS) is not configurable.

Set the maximum length for the DNS fixup as shown in the following example:

pixfirewall(config)# fixup protocol dns maximum-length 1500

pixfirewall(config)# show fixup protocol dns

fixup protocol dns maximum length 1500

Note: The PIX Firewall drops DNS packets sent to UDP port 53 that are larger than the configured maximum length. The default value is 512 bytes. A syslog message will be generated when a DNS packet is dropped.

The no fixup protocol dns command disables the DNS fixup. The clear fixup protocol dns resets the DNS fixup to its default settings (512 byte maximum packet length).

Note: If the DNS fixup is disabled, the A-record is not NATed and the DNS ID is not matched in requests and responses. By disabling the DNS fixup, the maximum length check on UDP DNS packets can be bypassed and packets greater than the maximum length configured will be permitted.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379

Sincerely,

Patrick

Thanks for the quick reply Patrick

I gave it a try on both PIXes and I get a "bad protocol dns" message on both machines. The manual for the PIX doesn't even show dns as an available protocol??

Brian Kalstad

TxDOT

What do your static and access-list look like?

Do you have a hit count when you do a "show access-list"?

Any syslog messages?

Need more information!

Sincerely,

Patrick

The hit counts on both PIXes still show zero hits for the rules which I have open (TCP and UDP 53), although my rules to allow DNS inquiries in from the outside world work fine on both machines (we have different zones in both places, and each is the secondary for the zones the other has).

I have statics on both boxes mapping the inside,outside for the external address.

Syslogs of the firewall don't show any errors from either PIX; that's what is so strange.

Have had a few people look at all my configs on both boxes and they don't see anything wrong. This is frustrating....

Brian Kalstad

Hello Brian,

What happens when you try to ping from your host-A to your host-B and vice versa?

Also you may need to manually add a route on both of your hosts to the second host. The gateway should be the PIX DMZ interface on which the host is connected.

Any syslog would be appreciated.

Mike

We've got pings turned off so that won't help... While I had a support person for the DNS appliances on the phone we were able to get root access to the box and try to telnet to port 53 on the other box, and that failed...

The syslog from the DNS appliances just show:

zone XXXXX/IN: refresh failure trying master XXXX#53 timeout

zone xxxxx/IN: refresh: retry limit for master xxxxxx#53 exceeded

That is the output for each zone that tries to transfer, and no errors showing in the PIX syslogs.

Brian Kalstad

I suggest you use the "capture" command, which is the PIX network analyzer, and follow the traffic streams to see if the DNS traffic goes to the outside and if there is an answer back from the outside DNS server.

! match TCP/53 in both directions so the capture shows the answer as well as the request
access-list 120 permit tcp any host DNSServerIP eq domain
access-list 120 permit tcp host DNSServerIP eq domain any

capture vpncap access-list 120 interface outside

show capture vpncap access-list 120 detail

or

https://pix-ip-address/capture/vpncap[/pcap]

Do you have a static NAT defined for each DNS server? If you've just done static PAT for the servers, make sure you add a static translation for TCP/53. The DNS fixup protocol doesn't apply to zone transfers, so that's not an issue. I'd suggest looking in the log of each PIX, since the PIX is very good about logging things it doesn't like. I always configure at least "logging on" and "logging buffered warnings" in a PIX because the log messages are so useful. This will get almost all the "deny/denied" messages without all the URL and "built/teardown" messages that clog the logs.
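To show what the last reply means by "add a static translation for TCP/53", here is an added PIX 6.x configuration example (not posted by anyone in this thread) contrasting a static PAT that only forwards UDP/53 with one that also forwards TCP/53, together with the logging and verification commands mentioned above. All addresses, the interface names and the access-list name are constructed for illustration; the same mirrored configuration is assumed on the other PIX, with 198.51.100.20 standing for the peer DNS server's NATed address.

```cisco
! --- Weak setting (constructed example): only UDP/53 is translated.
! Ordinary queries succeed, but zone transfers (AXFR/IXFR) run over TCP/53,
! so the secondary's TCP connection never reaches 10.1.1.10 and times out.
static (inside,outside) udp 203.0.113.10 domain 10.1.1.10 domain netmask 255.255.255.255
access-list outside_in permit udp any host 203.0.113.10 eq domain
access-group outside_in in interface outside

! --- Corrected setting: add the TCP/53 translation and permit TCP/53
! only from the peer DNS server's NATed address, not from any host.
static (inside,outside) udp 203.0.113.10 domain 10.1.1.10 domain netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 domain 10.1.1.10 domain netmask 255.255.255.255
access-list outside_in permit udp any host 203.0.113.10 eq domain
access-list outside_in permit tcp host 198.51.100.20 host 203.0.113.10 eq domain
access-group outside_in in interface outside

! Log denies without the built/teardown noise, as the last reply suggests.
logging on
logging buffered warnings

! Verify during a transfer attempt: the tcp line's hit count should
! increment, the translation should exist, and a TCP/53 connection
! from the peer should appear.
show access-list outside_in
show xlate
show conn
show logging
```

If the TCP line's hit count stays at zero on both boxes, the transfer is not reaching the outside interface at all and the capture from the previous reply is the next step.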
