DNS zone transfer not working behind FWSM (1.1)

ralfvd
Level 1

Hi,

access lists allow any any. Normal DNS queries work perfectly, but DNS zone transfers are timing out.

On 1.1, there is no dns fixup command, but I understand this affects only UDP traffic.

We use statics that NAT to the same address, so e.g:

static (dns,outside) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

If someone has an idea where to look, it is much appreciated.

ralf

2 Replies

ddawson
Level 1

I'd be suspicious of the FWSM having a problem with just zone transfers, since they're just inbound TCP connections on port 53. I'd suggest verifying the configuration of the DNS server, especially if this has never worked before. Most servers typically don't allow zone transfers from everywhere by default, but instead require you to specify the address(es) of the secondary server(s). I'd also suggest enabling logging on the FWSM if it isn't already and looking for messages pertaining to the DNS server and/or the remote secondary server(s). If you see normal TCP build and teardown messages, that points to an issue on the DNS server. If you see deny messages for the incoming TCP/53 traffic, then the FWSM is dropping the traffic for some reason.

Good luck!
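To make the log check in the reply above concrete, here is an added example that is not part of the original thread and not Cisco code. It classifies FWSM syslog lines that involve TCP/53 to the DNS server into built, teardown and deny events, and from the counts says whether to look at the firewall or at the DNS server. Assumptions: the PIX/FWSM syslog form `%FWSM-<severity>-<message id>: <text>` with message IDs 302013 (Built TCP connection), 302014 (Teardown TCP connection), 106023 (Deny ... by access-group) and 106001 (Inbound TCP connection denied); the DNS server address 10.1.2.53 and every sample log line are constructed for the example. Zone transfers are TCP, so UDP/53 queries are deliberately ignored.

```python
"""Triage FWSM syslog for TCP/53 (zone transfer) traffic to a DNS server.

Added example, not from the original thread or from Cisco. Assumes the
PIX/FWSM syslog form "%FWSM-<severity>-<message id>: <text>" and these IDs:
  302013  Built TCP connection        302014  Teardown TCP connection
  106023  Deny ... by access-group    106001  Inbound TCP connection denied
The DNS server address and all sample lines below are constructed.
"""
import re
from collections import Counter

DNS_SERVER = "10.1.2.53"  # assumed address of the firewalled DNS server

# Constructed sample lines (approximating the FWSM format): one TCP/53
# build followed by a zero-byte teardown, two denies, and a normal UDP/53
# query that must be ignored because zone transfers are TCP only.
SAMPLE_LOG = """\
%FWSM-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.10/34567 (192.0.2.10/34567) to dns:10.1.2.53/53 (10.1.2.53/53)
%FWSM-6-302014: Teardown TCP connection 12345 for outside:192.0.2.10/34567 to dns:10.1.2.53/53 duration 0:00:30 bytes 0 Reset-O
%FWSM-4-106023: Deny tcp src outside:198.51.100.7/4455 dst dns:10.1.2.53/53 by access-group "outside_in"
%FWSM-2-106001: Inbound TCP connection denied from 203.0.113.5/2020 to 10.1.2.53/53 flags SYN on interface outside
%FWSM-6-302015: Built inbound UDP connection 12346 for outside:192.0.2.10/51234 (192.0.2.10/51234) to dns:10.1.2.53/53 (10.1.2.53/53)
"""

MSG_RE = re.compile(r"%FWSM-\d-(?P<id>\d{6}): (?P<text>.*)")
ENDPOINT_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)")
BYTES_RE = re.compile(r"\bbytes (?P<n>\d+)")

BUILT, TEARDOWN = "302013", "302014"
DENIED = ("106001", "106023")


def classify(line, dns_ip=DNS_SERVER):
    """Return (kind, bytes) for one line.

    kind is 'built', 'teardown', 'denied' or 'other'; bytes is the byte
    count from a teardown message, else None. Only TCP messages whose
    endpoints include dns_ip on port 53 count; UDP queries and unrelated
    traffic come back as 'other'. search() tolerates a timestamp prefix.
    """
    m = MSG_RE.search(line)
    if not m:
        return "other", None
    msg_id, text = m.group("id"), m.group("text")
    hits_dns_53 = any(ip == dns_ip and port == "53"
                      for ip, port in ENDPOINT_RE.findall(text))
    is_tcp = "TCP" in text or "Deny tcp" in text
    if not (hits_dns_53 and is_tcp):
        return "other", None
    if msg_id == BUILT:
        return "built", None
    if msg_id == TEARDOWN:
        b = BYTES_RE.search(text)
        return "teardown", int(b.group("n")) if b else None
    if msg_id in DENIED:
        return "denied", None
    return "other", None


def triage(log_text, dns_ip=DNS_SERVER):
    """Count TCP/53 events and say which side to look at next.

    verdict: 'firewall' if the FWSM logged any deny for TCP/53 to the server,
    'server' if connections were built (the handshake passed the FWSM, so
    the DNS server side needs attention), else 'no-traffic'. A built
    connection torn down with 0 bytes is counted separately: the FWSM
    passed it but nothing was transferred.
    """
    counts = Counter()
    zero_byte_teardowns = 0
    for line in log_text.splitlines():
        kind, nbytes = classify(line, dns_ip)
        counts[kind] += 1
        if kind == "teardown" and nbytes == 0:
            zero_byte_teardowns += 1
    if counts["denied"]:
        verdict = "firewall"
    elif counts["built"]:
        verdict = "server"
    else:
        verdict = "no-traffic"
    return {"built": counts["built"], "teardown": counts["teardown"],
            "denied": counts["denied"],
            "zero_byte_teardowns": zero_byte_teardowns, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the constructed sample the result is a `firewall` verdict because two TCP/53 denies are present; with only the first two lines (build plus zero-byte teardown) it returns `server`, which is the case the reply describes where the FWSM is passing the traffic and the DNS server's transfer ACL is the next thing to check. In practice pipe `show logging` output or the syslog file into `triage()`.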

When pulling the DNS server out of the firewall setup and connecting it directly to a switch/router, the zone transfer works perfectly, so it looks like the configuration of the DNS is OK.

We'll try to do some logging; this is a production environment, so we have to schedule some downtime to put the DNS back into the firewalled network.

Thanks for replying.

Ralf