Re: Unable to make DNS requests from inside the DMZ



On Mar 15, 3:14 pm, "Chris" <chriswalt...@xxxxxxxxx> wrote:
I inherited a LAN with a not-very-well documented DMZ. My DNS server
is 172.16.1.159/16, and my DMZ client is 172.30.1.3. The DNS server's
default gateway is the PIX's "inside" port (172.16.1.181), and the DMZ
client's default gateway is the PIX's "dmz" port (172.30.1.1). The PIX
is a 525 running PIX OS 6.3(5).

In order for the DMZ client to be able to access HTTP and DNS ports on
the DNS server, I have the following ACL rules in place:

access-list dmzin permit tcp host 172.30.1.3 host 172.30.1.159 eq www
access-list dmzin permit tcp host 172.30.1.3 host 172.30.1.159 eq domain
access-list dmzin permit udp host 172.30.1.3 host 172.30.1.159 eq domain
static (inside,dmz) tcp 172.30.1.159 www 172.16.1.159 www netmask 255.255.255.255 0 0
static (inside,dmz) tcp 172.30.1.159 domain 172.16.1.159 domain netmask 255.255.255.255 0 0
static (inside,dmz) udp 172.30.1.159 domain 172.16.1.159 domain netmask 255.255.255.255 0 0

I have both UDP & TCP permitted on port 53, so DNS requests from the
DMZ to Inside should work. But they don't seem to! HTTP requests from
the DMZ to Inside function correctly. Interestingly, I can telnet to
the DNS port on the server from the DMZ, I just can't actually make
requests. Like so:

$ telnet 172.30.1.159 53
Trying 172.30.1.159...
Connected to 172.30.1.159.
Escape character is '^]'.
AS<KDJASKLDJAKLSDJKLASJDASD
^]
telnet> quit
Connection to 172.30.1.159 closed.

$ nslookup
*** Can't find server name for address 172.30.1.159: Non-existent host/domain
*** Default servers are not available

Am I missing something obvious here? The PIX has fixup enabled for
both HTTP and DNS. I've tried enabling the "listen-on" option on the
BIND server (v8), but to no avail.

Thanks,

Chris

Why do you have 172.30.1.159 in your static route configs? I didn't
see this IP anywhere. Don't you mean 172.16.1.159 or 172.30.1.3?
Forgive me if it's a dumb question; I'm not an expert when it comes to
PIX...
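An added diagnostic example, not part of this thread or of either poster's configuration: the telnet test in the original post only proves that the TCP static and the TCP ACL line pass a connection to port 53; typing junk into the session says nothing about DNS, and nslookup sends its queries over UDP by default, so the UDP static/ACL path is the one that has not actually been exercised. DNS over TCP also frames every message with a two-byte big-endian length prefix (RFC 1035 section 4.2.2), so a raw telnet session cannot complete a query even when the path works. The script below builds a real A-record query and sends it separately over UDP/53 and TCP/53 to the DMZ-side translated address, reporting per transport whether a well-formed response came back. The default server 172.30.1.159 is taken from the post; example.com is a placeholder query name, and the PIX itself is not involved in how the code works.

```python
import socket
import struct
import sys

DNS_PORT = 53


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a minimal standard query (opcode 0, RD set) for an A record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; enough to tell a reply from garbage."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header (%d bytes)" % len(msg))
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,  # 0 = NOERROR, 3 = NXDOMAIN, 5 = REFUSED
        "qdcount": qd,
        "ancount": an,
    }


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream: bytes) -> bytes:
    """Strip the length prefix, refusing a stream that is shorter than it claims."""
    if len(stream) < 2:
        raise ValueError("no length prefix")
    length = struct.unpack("!H", stream[:2])[0]
    if len(stream) - 2 < length:
        raise ValueError("short TCP DNS frame: want %d, have %d" % (length, len(stream) - 2))
    return stream[2:2 + length]


def query_udp(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send one UDP query and return the decoded reply header."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, DNS_PORT))
        data, _ = s.recvfrom(4096)
    reply = parse_header(data)
    if reply["id"] != parse_header(q)["id"] or not reply["is_response"]:
        raise ValueError("reply is not a response to our query")
    return reply


def query_tcp(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send the same query framed for TCP and read one length-prefixed reply."""
    q = build_query(name)
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(tcp_frame(q))
        buf = b""
        while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection before a full reply")
            buf += chunk
    reply = parse_header(tcp_unframe(buf))
    if reply["id"] != parse_header(q)["id"] or not reply["is_response"]:
        raise ValueError("reply is not a response to our query")
    return reply


def probe(server: str, name: str) -> dict:
    """Try both transports independently so a UDP-only failure stands out."""
    results = {}
    for label, fn in (("udp/53", query_udp), ("tcp/53", query_tcp)):
        try:
            r = fn(server, name)
            results[label] = "ok rcode=%d answers=%d" % (r["rcode"], r["ancount"])
        except (OSError, ValueError) as exc:  # socket.timeout is an OSError
            results[label] = "FAIL: %s" % exc
    return results


if __name__ == "__main__":
    # Placeholder defaults: the translated address from the post and a sample name.
    target = sys.argv[1] if len(sys.argv) > 1 else "172.30.1.159"
    qname = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    for transport, outcome in probe(target, qname).items():
        print("%-7s %s" % (transport, outcome))
```

Run it from the DMZ host as `python3 dnsprobe.py 172.30.1.159 example.com` and then again against the server's real inside address from an inside host. If TCP/53 answers through the PIX while UDP/53 times out, the UDP static, the UDP ACL line, or the DNS fixup (which in PIX 6.3 inspects UDP DNS) is the place to look; a REFUSED rcode on either transport instead points at the BIND configuration (allow-query/listen-on) rather than the firewall.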
