Cisco PIX 501 - How To Disable DNS Translation?

I finally realized that my Cisco PIX 501 firewall was responsible for returning the internal (private) IP addresses when querying my external (public) DNS server. So, how can I disable that?

Cisco PIX Firewall Version 6.3(1) Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz

I found the "DNS Rewrite" options in the translation rules. They were "Yes", so I set them all to "No" (then Applied the settings of course). The DNS "A" records are still being translated though. I did notice that it only translates UDP DNS queries, so if I force a TCP query, it doesn't get translated.

Anyway, how can I completely disable the DNS translation?

Thanks,

-- Kip

Reply to
KipBond
Loading thread data ...

no fixup dns.

You should not do this, the pix is aware that you try to connect to the outside alias of an internal IP which is not reachable from inside. That's why the PIX translates this IP to the internal real one in order to fullfill your connection request.

The observation, that the pix does not translate TCP queries should be considered as a bug. Please submit a bug report.

Reply to
Lutz Donnerhacke

It is off by default.

There are known security problems in 6.3(1), 6.3(3), 6.3(4), 6.3(5) and a bad bug in 6.3(2). You should update to 6.3(5)112, which is a free update (as long as you are the registered owner of the device.)

Did you "clear xlate" afterwards?

The PIX only does DNS translation for statics that have the "dns" keyword on them -- unless, that is, you are using the deprecated "alias" command (which would not be permited by PDM, and you are obviously using PDM.) Look at your actual configuration (in text), not at the PDM-mangled version of it.

Who is it returning the internal addresses -to- ? If someone outside is querying your external DNS server then your PIX is not involved in the process, so if they are getting your private IPs it isn't the fault of the PIX. If someone inside is querying your external DNS server and is *not* getting your internal IPs returned, then you are going to have trouble reaching your own hosts, so you -want- DNS translation turned on. The only reason I can think of to disable the DNS translation would be if internally you are using a public IP block that does not belong to you, and you need to also talk to the machines that are rightfully in that IP block.

But if you really want to disable the DNS translation (and it does not sound right that you would want to), then turn off the DNS fixup. But before you do that, upgrade your PIX OS version: you are living with insecurity and old bugs that have already been fixed.

Reply to
Walter Roberson

wiggum(config)# no fixup dns wrong number of arguments supplied Usage: [no] fixup protocol [] [-]

wiggum(config)# no fixup protocol dns bad protocol dns Usage: [no] fixup protocol [] [-]

I have an internal DNS server that all clients point to. My external DNS server is only for external DNS requests. I query it directly from inside our LAN for troubleshooting purposes. I used to have to SSH to the external server to get the correct responses. I now figured out that I can do a TCP query instead of the default UDP query. But, surely there is a way to turn this off? I don't need it to be on.

Thanks!

-- Kip

Reply to
KipBond

Like I said, you should upgrade past 6.3(1).

formatting link
new features in 6.3(2) [no] fixup protocol dns

Note If DNS fixup is disabled, the Address record (A-record) is not NATed and the DNS ID is not matched in requests and responses.

Well then if you get back the correct internal IP you know the DNS server was working properly, since you know you didn't prime the external DNS server with the internal IPs. If you get back the wrong internal IP then one way or another you have a problem you have to fix.

Reply to
Walter Roberson

6.3(1).
formatting link

Ahh. I'll upgrade during the next scheduled maintenance. Thanks!

I don't want the A records NATed, I just want to see exactly what the name server responded with. What does matching the DNS ID in requests & responses do?

And what if the external DNS server is returning an internal IP address (when it should be returning an external IP address), and thus needs to be fixed? This is very possible if using "views" in BIND, for instance; or if someone just messed up entering the IPs in the external DNS server. If the correct internal IP is returned, I may *think* that it's because the PIX translated it, but in reality, the wrong IP was returned by the server.

The best way to make sure that the external DNS server is returning the proper information, is for me to query it and make sure it's exactly as it should be. If the PIX is rewriting the returned information, troubleshooting is more difficult and possibly error-prone.

-- Kip

Reply to
KipBond

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.