09-29-2005 08:11 AM - edited 02-21-2020 12:25 AM
Is it possible to put DNS inside a DMZ?
If so, please give me some knowledge.
Thanks.
09-29-2005 09:02 AM
Yes, why not?
static (dmz,outside) dns_outside_ip_address dns_dmz_ip_address netmask 255.255.255.255
access-list OUTACL permit udp any host dns_outside_ip_address eq 53
access-list OUTACL permit tcp any host dns_outside_ip_address eq 53
access-group OUTACL in interface outside
static (inside,dmz) inside_ip_addresses inside_ip_addresses netmask inside_netmask
The link below is a DMZ scenario with a mail server.
10-01-2005 08:39 PM
I set up our DNS servers inside a DMZ in May of 2004. These are authoritative for our zones. During this time I have experienced no problems whatsoever with NAT or the ACLs. I use SSH to manage the DNS servers from my desktop, as the servers are headless. We have some servers in the internal network that use the authoritative DNS servers as their primary and secondary DNS servers. I have added 2 more DMZs over the past year. The servers or hosts in these DMZs use a non-authoritative slave DNS server as their primary, and the secondary is the authoritative slave DNS server in the first DMZ. This was done to minimize the traffic to the main DNS servers, whose main purpose is to answer queries about hosts within our zones.
You can set up static translations and an ACL for the internal hosts to access the DNS servers as well. This would be done similarly to the way explained in the other post.
Just be sure to only allow zone transfers to specific hosts (slaves), otherwise you may be in for a rude awakening.
Enjoy the work!
Roger
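The zone-transfer restriction mentioned in the post above can be confirmed from a host that is not one of the slaves. The Python check below is an added example, not part of the original thread: the function names are hypothetical, the two sample responses are constructed, and the expected outcome is "transfer denied".

```python
import socket
import struct

AXFR, IN = 252, 1  # QTYPE AXFR and QCLASS IN (RFC 1035)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 5: "REFUSED", 9: "NOTAUTH"}

def build_axfr_query(zone, txid=0x1234):
    """Return a TCP-framed DNS AXFR query for `zone`."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in zone.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", AXFR, IN)
    return struct.pack("!H", len(msg)) + msg  # 2-byte length prefix on TCP

def classify(framed):
    """Classify the first TCP-framed DNS message sent back by the server."""
    if len(framed) < 14:  # 2-byte length + 12-byte header
        return "no usable response (connection closed?)"
    _txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", framed[2:14])
    rcode = flags & 0x000F
    if rcode == 0 and answers > 0:
        return "TRANSFER ALLOWED"
    return "transfer denied (%s)" % RCODES.get(rcode, "rcode %d" % rcode)

def check_server(server, zone, timeout=5.0):
    """Run from a host that is NOT a configured slave of `server`."""
    data = b""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as sock:
            sock.sendall(build_axfr_query(zone))
            while len(data) < 14:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return "connection failed (%s)" % exc
    return classify(data)

# Constructed sample responses (not captured traffic): length prefix + header.
SAMPLE_REFUSED = struct.pack("!H", 12) + struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)
SAMPLE_ALLOWED = struct.pack("!H", 12) + struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)

if __name__ == "__main__":
    print(classify(SAMPLE_REFUSED))  # refused transfer
    print(classify(SAMPLE_ALLOWED))  # transfer starting: records in the answer
```

Calling `check_server()` with the address of your own DNS server and one of its zones performs the live check; TCP port 53 stays open in the ACL above, so the restriction has to be enforced on the DNS server itself.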
10-08-2005 05:32 AM
Do I need to make a change in my DNS configuration? My DNS is now configured with a public IP, without a firewall.
10-31-2005 05:39 AM
Please, what is your DNS configuration? Is it configured with a public IP, or with your local private IP?