10-20-2004 03:20 AM - edited 03-09-2019 09:09 AM
Hi,
Access lists allow any any. Normal DNS queries work perfectly, but DNS zone transfers are timing out.
On 1.1, there is no dns fixup command, but I understand this affects only UDP traffic.
We use statics that NAT to the same address, e.g.:
static (dns,outside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
If someone has an idea where to look, it is much appreciated.
ralf
10-20-2004 01:58 PM
I'd be suspicious of the FWSM having a problem with just zone transfers, since they're just inbound tcp connections on port 53. I'd suggest verifying the configuration of the DNS server, especially if this has never worked before. Most servers typically don't allow zone transfers from everywhere by default, but instead require you to specify the address(es) of the secondary server(s). I'd also suggest enabling logging in the FWSM if it's not already and look for messages pertaining to the DNS server and/or the remote secondary server(s). If you see normal TCP build and teardown messages that points to an issue on the DNS server. If you see deny messages for the incoming TCP/53 traffic, then the FWSM is dropping the traffic for some reason.
Good luck!
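The reply above suggests reading the FWSM log for TCP/53 build, teardown and deny messages and using them to decide whether the firewall or the DNS server is at fault. The following Python script is an added example (not part of the thread and not Cisco's own tooling) that applies that triage to a handful of constructed FWSM syslog lines. It assumes the PIX/FWSM message formats 302013 (Built TCP connection), 302014 (Teardown TCP connection) and 106023 (Deny by access list); the server address 10.1.2.5 and the peer addresses are placeholders, not taken from the original post.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log lines (not from the thread). 192.0.2.0/24 and 198.51.100.0/24
# are documentation ranges; 10.1.2.5 stands in for a server inside the poster's 10.1.2.0/24.
SAMPLE_LOG = """\
%FWSM-6-302013: Built inbound TCP connection 4711 for outside:192.0.2.10/52133 (192.0.2.10/52133) to dns:10.1.2.5/53 (10.1.2.5/53)
%FWSM-6-302014: Teardown TCP connection 4711 for outside:192.0.2.10/52133 to dns:10.1.2.5/53 duration 0:02:00 bytes 0 SYN Timeout
%FWSM-6-302013: Built inbound TCP connection 4712 for outside:192.0.2.11/40001 (192.0.2.11/40001) to dns:10.1.2.5/53 (10.1.2.5/53)
%FWSM-6-302014: Teardown TCP connection 4712 for outside:192.0.2.11/40001 to dns:10.1.2.5/53 duration 0:00:03 bytes 18234 TCP FINs
%FWSM-4-106023: Deny tcp src outside:198.51.100.7/33333 dst dns:10.1.2.5/53 by access-group "outside_in"
%FWSM-6-302015: Built inbound UDP connection 4713 for outside:192.0.2.10/5000 (192.0.2.10/5000) to dns:10.1.2.5/53 (10.1.2.5/53)
"""

# Patterns for the three TCP message types the reply tells us to look for.
BUILT_RE = re.compile(
    r"Built inbound TCP connection (\d+) for (\w+):([\d.]+)/(\d+) \S+ to (\w+):([\d.]+)/(\d+)")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (\d+) for (\w+):([\d.]+)/(\d+) to (\w+):([\d.]+)/(\d+) "
    r"duration (\S+) bytes (\d+) (.+)$")
DENY_RE = re.compile(r"Deny tcp src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+)")


def triage_tcp53(log_text: str, server_ip: str = "10.1.2.5") -> List[Dict]:
    """Classify every inbound TCP/53 flow to server_ip seen in the log.

    Verdicts:
      firewall_denied           - the FWSM dropped the SYN (access list / NAT problem)
      handshake_never_completed - FWSM built the flow but it timed out with no data
                                  (server not answering, or return path broken)
      transfer_passed_firewall  - flow completed with payload; any failure is on the DNS side
      open_no_teardown          - build seen without teardown in this log window
    """
    open_conns: Dict[str, Dict] = {}
    findings: List[Dict] = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group(5) == server_ip and m.group(6) == "53":
            findings.append({"peer": m.group(2), "verdict": "firewall_denied", "bytes": 0})
            continue
        m = BUILT_RE.search(line)
        if m and m.group(6) == server_ip and m.group(7) == "53":
            open_conns[m.group(1)] = {"peer": m.group(3)}
            continue
        m = TEARDOWN_RE.search(line)
        if m and m.group(6) == server_ip and m.group(7) == "53":
            payload = int(m.group(9))
            reason = m.group(10).strip()
            if "SYN Timeout" in reason or payload == 0:
                verdict = "handshake_never_completed"
            else:
                verdict = "transfer_passed_firewall"
            findings.append({"peer": m.group(3), "verdict": verdict,
                             "bytes": payload, "reason": reason})
            open_conns.pop(m.group(1), None)
    # Builds with no matching teardown are reported so they are not silently lost.
    for conn in open_conns.values():
        findings.append({"peer": conn["peer"], "verdict": "open_no_teardown", "bytes": 0})
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count verdicts so the overall picture is visible at a glance."""
    return dict(Counter(f["verdict"] for f in findings))


if __name__ == "__main__":
    for f in triage_tcp53(SAMPLE_LOG):
        print(f"{f['peer']:<16} {f['verdict']:<26} bytes={f['bytes']}")
    print(summarize(triage_tcp53(SAMPLE_LOG)))
```

Run it against a real `show logging` capture by replacing `SAMPLE_LOG` with the file contents and `server_ip` with the DNS server's inside address. A `firewall_denied` or `handshake_never_completed` verdict keeps the FWSM in scope; `transfer_passed_firewall` with a non-zero byte count means the SYN, data and FINs all crossed the firewall and the zone transfer problem lies on the DNS server.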
10-20-2004 10:35 PM
When pulling the DNS servers out of the firewall setup and connecting them directly to a switch/router, the zone transfer works perfectly, so it looks like the configuration of the DNS is OK.
We'll try to do some logging. This is a production environment, so we have to schedule some downtime to put the DNS back into the firewalled network.
Thanks for replying.
Ralf