Solved: DNS server inside PIX515 ,but not works :(

litouch · ‎02-15-2003

DNS server inside PIX515E,

on the pix I've configured :

access-list 100 permit udp any host 1.1.1.1(for example) eq domain

access-list 100 permit tcp any host 1.1.1.2(for example) eq www

static(inside outside) 1.1.1.1 192.168.0.1 .......

static(inside outside) 1.1.1.2 192.168.0.2 ......

access-group 100 in outside

on the DNS server(192.168.0.1),I've configured http://www.xxxx.com mapped to 1.1.1.2

Ater configed,everyting ok.User on the internet can reach http://www.xxxx.com

But yesterday it SUDDENLY NOT worked :((( User can get the www server only through 1.1.1.2,but DNS NOT WORKED.

Who can help me?

gfullage · ‎02-16-2003

If it did work and nothing has changed on the PIX, then you need to look and see what either changed on your internal DNS server or WWW server, or if your ISP changed something on their external DNS server.

I would also agree that it could be a zone transfer issue that maybe you don't realize, seeing as it sounds like something might have timed out, which when it comes to DNS stuff, is usually the zone has expired and can't be transferred again.

Try allowing TCP port 53 thru to your internal DNs server and see if that helps the situation. If so, then narrow your ACL down to only allow zone transfers from your select external DNS servers.

Also, what does the syslog say when you try and connect from the outside? I can't stress this enough to everyone that reads this, if you're having connectivity problems thru a PIX, always check the syslog, it'll give you the quickest and best source of information as to what's going on.

View solution in original post

mostiguy · ‎02-15-2003

If you are allowing only udp dns requests in, you might have problem if you have external secondary dns servers that would request zone transfers, which occur via tcp. Also, I recall that any dns reply over 512 bytes has to occur via TCP.

I have also experienced weird behaviour with MS clients that cannot make tcp requests. I'd recommend allowing both tcp/udp dns requests in, and making sure your dns server only will perform zone transfers to a select few hosts that you pick.

Matt

litouch · ‎02-15-2003

My dns server only perform zone transters to my www and email servers.

User on the internet uses a public dns server(not mine) to translate domain name.

Except "tcp dns request",would anything else bring this error?

Thanks.

Eric

gfullage · ‎02-16-2003

If it did work and nothing has changed on the PIX, then you need to look and see what either changed on your internal DNS server or WWW server, or if your ISP changed something on their external DNS server.

I would also agree that it could be a zone transfer issue that maybe you don't realize, seeing as it sounds like something might have timed out, which when it comes to DNS stuff, is usually the zone has expired and can't be transferred again.

Try allowing TCP port 53 thru to your internal DNs server and see if that helps the situation. If so, then narrow your ACL down to only allow zone transfers from your select external DNS servers.

Also, what does the syslog say when you try and connect from the outside? I can't stress this enough to everyone that reads this, if you're having connectivity problems thru a PIX, always check the syslog, it'll give you the quickest and best source of information as to what's going on.

litouch · ‎02-17-2003

Thank U so much,gfullage !

Today I've check the zone.It's exired!!!

Oh,my god.