515 DMZ not returning DNS results

waifurchin (Level 1)

Upgraded from 6.3(1) to 6.3(3) and noticed my internal LAN cannot receive DNS replies from my DMZ positioned DNS server anymore.

Internal = 192.168.1.0/24

DMZ = 192.168.0.0/24

DMZ contains DNS server & Email server.

Email = 192.168.0.2 inside, a.b.c.1 outside

DNS = 192.168.0.3 inside, a.b.c.2 outside

Outside machines can access all DMZ resources using DNS or IP, but inside machines can only access DMZ resources by IP since the update (they used to be able to hit it via DNS as well).

The DNS server is configured to respond to internal requests with internal IPs (192.168.0.0/24) and respond to external requests with external IPs (a.b.c.0/148).

The only commands I have dealing with the link to the DMZ from the inside are:

access-list dmz permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

- and -

nat (inside) 0 access-list dmz

From my understanding, this should allow all queries from inside to DMZ and allow responses to those queries. Is this no longer the case, or did something else that's needed get whacked in the update (do I need to bind the access list to the dmz interface)?

If more information is necessary, please ask.

James
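
The two lines quoted above are easy to misread, so here is a small added example (not from this thread or from Cisco) that models what they actually match. On PIX 6.x, `nat (inside) 0 access-list dmz` marks flows matching the ACL as exempt from translation (identity NAT); it does not by itself permit traffic, which inside-to-DMZ gets from the security levels (subject to any access-group on the inside interface). The example parses the post's two lines with Python's `ipaddress` module and evaluates constructed flows: an inside host 192.168.1.10 querying the DMZ DNS server 192.168.0.3, and the same host talking to a placeholder external address 203.0.113.5. Both host addresses are assumptions chosen for the demonstration; only the ACL and nat lines come from the post.

```python
import ipaddress

# Constructed sample: the two PIX 6.x lines from the post, verbatim.
PIX_CONFIG = """
access-list dmz permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list dmz
"""


def parse_acl(config_text):
    """Parse 'access-list NAME permit|deny PROTO SRC MASK DST MASK' lines.

    Returns {acl_name: [(action, proto, src_net, dst_net), ...]} in config order,
    which is also the evaluation order (first match wins on the PIX).
    """
    acls = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 8 and parts[0] == "access-list":
            name, action, proto = parts[1], parts[2], parts[3]
            # ip_network accepts dotted-decimal masks such as 255.255.255.0
            src = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
            dst = ipaddress.ip_network(f"{parts[6]}/{parts[7]}", strict=False)
            acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def parse_nat_exempt(config_text):
    """Parse 'nat (IFACE) 0 access-list NAME' lines into {iface: acl_name}."""
    exempt = {}
    for line in config_text.splitlines():
        parts = line.split()
        if (len(parts) == 5 and parts[0] == "nat" and parts[2] == "0"
                and parts[3] == "access-list"):
            exempt[parts[1].strip("()")] = parts[4]
    return exempt


def acl_match(entries, src_ip, dst_ip, proto="ip"):
    """First-match evaluation: 'permit', 'deny', or None when no entry matched."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src_net, dst_net in entries:
        if p in ("ip", proto) and s in src_net and d in dst_net:
            return action
    return None


def nat_exempt(config_text, iface, src_ip, dst_ip, proto="ip"):
    """True if a flow entering on `iface` is exempt from translation (nat 0 ACL permit)."""
    acl_name = parse_nat_exempt(config_text).get(iface)
    if acl_name is None:
        return False
    entries = parse_acl(config_text).get(acl_name, [])
    return acl_match(entries, src_ip, dst_ip, proto) == "permit"


if __name__ == "__main__":
    # Constructed flows: inside host -> DMZ DNS server, inside host -> placeholder external host.
    print("inside -> DMZ DNS (udp/53) exempt:",
          nat_exempt(PIX_CONFIG, "inside", "192.168.1.10", "192.168.0.3", "udp"))
    print("inside -> external (udp/53) exempt:",
          nat_exempt(PIX_CONFIG, "inside", "192.168.1.10", "203.0.113.5", "udp"))
    # The ACL is written for inside-originated flows only; the DNS reply is not
    # evaluated against it but rides the connection the query created.
    print("reply direction matches ACL:",
          acl_match(parse_acl(PIX_CONFIG)["dmz"], "192.168.0.3", "192.168.1.10"))
```

The last check is the point worth keeping in mind when reading the post: the `dmz` ACL only describes inside-to-DMZ traffic, so the reply from 192.168.0.3 is handled by the connection entry the query opened, not by a second ACL match. Flows to addresses outside 192.168.0.0/24 fall through to whatever other `nat`/`global` statements exist, which this example does not model.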

2 Replies

nkhawaja (Cisco Employee)

Hi,

From the internal host, try to run nslookup and see what is returned.

You may need to use alias command here.

Thanks

Nadeem

From the internal host, if I do nslookup on an internal address, I get the correct DNS response. If I do nslookup against an external address, it times out.

For example, assume I have a mailserver called mail.domain.com on the DMZ at 192.168.0.1. If I do nslookup mail.domain.com, it correctly returns 192.168.0.1, but if I try nslookup www.cisco.com, it times out.

On the DNS machine itself (from within the DMZ), I can nslookup both internal and external addresses however, and all responses are 100% correct.

James