#### DNS Query ####

NEED HELP ????

Setup is as follows:-

Internet---PIX----Cisco4500-----LAN

I need LAN users to resolve internet DNS query using local DNS Server.

On the network we have a DNS server (Windows 2003) which has a forwarder entry for our ISP to resolve Internet DNS. But it doesn't work???

Do I need to have a static NAT for the DNS server IP address on the PIX?

Default gateway for the DNS server is the Cisco4500. Default gateway for LAN users is the Cisco4500.

Servers are on a different subnet. Users are on a different subnet.

On the Cisco4500 we have defined an IP route to the PIX internal interface...

Can someone please tell me what is wrong in the setup?

Thanks

Reply to
Still.myself

Did you allow TCP and UDP port 53?

This is not necessary.

Default-Gateway for the Cisco4500 is?

Reply to
Lutz Donnerhacke

Create an ACL to make sure UDP 53 and TCP 53 are opened from the inside to the outside.

In order to get to the Internet the internal DNS server needs to be NAT'd to the public address so that the request can return.

To view that the DNS server is getting through the ACL you should monitor the hitcount. That is a good first glance tool. Also turn on logging so you can see what's going on.

Reply to
Rohan

I've never done much with PIX, but doesn't its ordinary dynamic NAT automatically allow packets back in that are in response to outgoing queries? I don't think you should need a static NAT for this, as long as you have the appropriate ACLs that allow the queries out.

You only need a static NAT if you're operating a public DNS server (e.g. the SOA for your domain) on the LAN, and need to allow incoming queries.

Reply to
Barry Margolin

Well, you need a NAT, whether it's static or dynamic, to the ISP's public address if you query from internal to the Internet.

Do you have an ACL defined for DNS?

Also how did you rule out that the internal DNS server is correctly configured for forwarding?

True, but in this case you want the internal DNS to reach the external DNS at your ISP's.

Reply to
Rohan

You need to do that for ANY outbound traffic, you don't have to do anything special for the DNS server. That's what I meant by "its ordinary dynamic NAT". I haven't configured PIXes myself, but I assume this is the default behavior once you allow the traffic through with an ACL.

Reply to
Barry Margolin

Thanks to all for their replies. I have opened the ports TCP and UDP 53 and have done a static NAT, but still it doesn't work??

Do I need any configuration on the Cisco4500?

I don't have a default gateway set on the Cisco4500; I don't have an ip route 0.0.0.0 to the PIX internal interface. { Do I need the above? }

I have a couple of VLANs configured on the Cisco4500 with some static routes to different stores.

Rohan wrote:

Reply to
Still.myself

If you don't have any filters on the Cisco, you shouldn't need to do anything special there.

Yes, you need the 0.0.0.0 route. If you don't have a default route, how do you get to the Internet for other protocols? This has nothing to do with DNS, it's basic network routing.

Reply to
Barry Margolin

If there are no filters you do need any ACL configurations for that.

Yes in this case you will need it. How are others able to get out to the internet if there is no default route now?

Reply to
Rohan

Actually it's not a default behavior. You have to define what you want.

Reply to
Rohan
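Pulling the thread's advice together (outbound ACL for UDP/TCP 53, ordinary dynamic NAT rather than a static one, a default route on the 4500, and hitcount/logging to verify) into one worked configuration, as an added example that is not from any poster in this thread. It assumes PIX OS 6.x syntax and uses constructed placeholder addresses: 203.0.113.0/29 on the outside, 192.0.2.0/30 between the PIX and the 4500, 10.10.0.0/16 behind the 4500, and 10.10.1.10 for the internal Windows DNS server.

```text
! ---- PIX (PIX OS 6.x syntax; all addresses are constructed placeholders) ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.0.2.1 255.255.255.252

! Default route toward the ISP.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! The server and user subnets live behind the 4500, not on the PIX inside
! segment, so the PIX needs a route back to them or replies never return.
route inside 10.10.0.0 255.255.0.0 192.0.2.2 1

! Ordinary dynamic PAT for everything inside (the "dynamic NAT" discussed
! above). A static NAT is only needed if the server must accept queries
! from the Internet, e.g. when it is authoritative for a public zone.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! Outbound ACL: only the internal resolver may talk DNS to the Internet;
! other hosts must use it. Denied attempts are logged so stray resolvers
! or clients bypassing the internal server show up in the log.
access-list inside_out permit udp host 10.10.1.10 any eq domain
access-list inside_out permit tcp host 10.10.1.10 any eq domain
access-list inside_out deny udp any any eq domain log
access-list inside_out deny tcp any any eq domain log
access-list inside_out permit ip 10.10.0.0 255.255.0.0 any
access-group inside_out in interface inside

logging on
logging buffered informational

! ---- Cisco 4500 (IOS) ----
! Without this default route the DNS server's forwarder traffic has nowhere
! to go; the static routes to the store VLANs do not cover 0.0.0.0/0.
ip route 0.0.0.0 0.0.0.0 192.0.2.1

! ---- Verification, run on the PIX while a LAN client resolves a name ----
show access-list inside_out   ! hitcnt on the two permit lines should rise
show xlate                    ! a PAT entry for 10.10.1.10 should appear
show logging                  ! any hits on the deny lines identify bypassers
```

The forwarder itself is checked separately on the Windows server (DNS console, server properties, Forwarders tab); if the ACL hitcounts rise and an xlate exists but resolution still fails, the problem is on the server or at the ISP, not on the PIX.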
