how to set up dns server behind a PIX firewall?

Post by Giggle » Tue, 25 Jun 2002 11:48:50



We have a web server and mail server behind a PIX firewall.
Using NAT, a connection coming from the internet can connect
to our web server by using its IP address.  Also LAN clients
can connect to internet web servers using their IP addresses only.
What we would like to do is:
1. Have internal clients query our web server inside by
its name such as www.xyz.com.
2. Have internal clients query other web servers on the internet
by their names (DNS lookup).
Where should the DNS server be?  How should they be configured?  
Any detailed explanation/analysis would be appreciated. I have included
my email.

Teresa

our configuration looks something like this:

Router= 209.249.57.1 /27
PIX outside= 209.249.57.2/27
PIX inside= 192.100.100.1/27
Web Server= 192.100.100.2/27 (209.249.57.3)
Mail Server= 192.100.100.3/27 (209.249.57.4)
Client 1= 192.100.100.4/27
Client 2= 192.100.100.5/27

 PIX                     Router               INTERNET
 __________              __________
|          |  outside   |          |
|          |------------|          |----------
|__________|            |__________|
      |
      | inside
      |
   -------
   | hub |
   ------------------------------------------------------
      |              |              |              |
 __________     __________     __________     __________
|   Web    |   |   Mail   |   | Client 1 |   | Client 2 |
|  Server  |   |  Server  |   |          |   |          |
 ----------     ----------     ----------     ----------

Post by chri » Tue, 25 Jun 2002 12:18:07


If you are concerned with security, set up a split DNS: internal DNS queries
your external DNS on the DMZ for names it cannot resolve. If you simply
want to resolve internal servers via an external DNS by FQDN, set up DNS
doctoring with the alias command on the PIX.

Chris


Post by Walter Robers » Tue, 25 Jun 2002 12:21:24



:We have a web server and mail server behind a PIX firewall.
:Using NAT, a connection coming from the internet can connect
:to our web server by using its IP address.  Also LAN clients
:can connect to internet web servers using their IP addresses only.
:What we would like to do is:
:1. Have internal clients query our web server inside by
:its name such as www.xyz.com.
:2. Have internal clients query other web servers on the internet
:by their names (DNS lookup).

:     |-----
:     |hub  |
:     |-----------

The first thing that I would do would be to replace the hub with
a reliable managed switch. I've seen enough signal-quality and
performance issues on hubs that I now ban them in our internal
network.

:Where should the DNS server be?  How should they be configured?  

Your diagram and IP addresses imply that you don't have a DMZ
on your PIX. If you had a DMZ, that would be the place to
put your DNS server.

If you do not have a DMZ, then you have three choices:

A) Put your DNS server outside your network entirely, and
configure an 'alias' command on your PIX; or

B) Use a different DNS server for internal clients than for
external clients; or

C) Use 'split DNS' -- that is, configure your [BIND 9] DNS server
so that it gives back different answers to local people than
to remote people.

If you do not use one of these three methods, then when your
inside clients query the DNS server by name, they are going to
be given the public IP address, and are going to try to route
the packets out through the PIX. The PIX will NOT, definitely NOT,
send the DNS packets back in to the configured inside 'static' address
for handling -- the PIX *NEVER* sends packets back to the same interface
that it received the packets on. So nothing will work unless
you use one of the three methods listed above.

 
 
 

Post by James Hageman » Tue, 25 Jun 2002 12:13:17


I have the same basic set up for our school district.

I have a 2610 as our main internet T-1 going into a PIX 525(?) then to
our 3660.
Public addresses on the 2610, private address on the 3660.

I have our Internet provider doing the public DNS, which then NATs to
the private address via the Pix.

I set up a simple DNS server using WinNT 4.0 on the private side.
The naming for www.xyz.com is the same on both the public and private
DNS except the PTR record (public DNS points to the public address, private
DNS points to the private address). The DNS server receives no UDP DNS
updates, since all of our users have to go through a proxy server to
access web pages outside of our network; the proxy server is the only
one that gets UDP and TCP DNS updates.

Our eMail server gets its DNS entries from the proxy server (acting as
the primary DNS).


Post by Left » Tue, 25 Jun 2002 12:37:16


how many clients???

i have 5 (small) and i just ended up using hosts files...

hosting 6 internet domains behind a PIX 501 and it works great..  the alias
command only works if the dns sits outside the pix and the requests head out
and back in..  since i have a dns/web/smtp server doing all things sitting
back being static'd it's hard to justify my own external dns server..

r

Post by Reuben Stum » Wed, 26 Jun 2002 22:19:11


To consolidate the hassle, you might want to look into "Views" in Bind 9.  I
think Windows 2000 DNS supports Views as well.  Essentially, when the DNS
server gets a request for an IP address, it will respond with a different
answer based on the client source IP address criteria.  So, when your
private machines query for the web server by DNS name, they get your private
address scheme.  When someone on the internet queries your web server by the
same DNS name, they get your public IP address.

It's split-dns without the need for multiple DNS servers and zone files.

If you only have a few machines, you could do hosts files, but I try to
avoid them even for small LANs.  All too often those small LANs become much
larger or a third party does work and doesn't watch for custom files like
the HOSTS file.

So, if you did use a Bind View implementation, you would place your DNS
inside your NAT'd address space and provide a translation for the DNS server
through the PIX.  That's about it (outside of setting up the Bind View
configuration).

If you've got your external DNS resources outsourced to another company,
then you'll just need to set up an internal private DNS, create a record for
each split resource with the alternate IP and then make sure your internal
machines go through your internal DNS before they hit your outsourced DNS.


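Walter's option C and Reuben's BIND 9 views describe the same thing; here is an added configuration example (not from any poster in this thread) of one BIND 9 server on the inside network answering xyz.com with Teresa's private addresses to inside clients and with the PIX static addresses to everyone else. The server's own inside address (192.100.100.6), its public translation (209.249.57.5), the zone file paths and the serials are assumptions.

```conf
// ---- named.conf (views are tried top to bottom; the catch-all goes last) ----
acl "inside-net" { 192.100.100.0/27; 127.0.0.1; };

view "internal" {
    match-clients { "inside-net"; };
    recursion yes;          // inside clients also resolve Internet names here
    zone "xyz.com" { type master; file "internal/db.xyz.com"; };
};

view "external" {
    match-clients { any; }; // whatever did not match the internal view
    recursion no;           // authoritative only for outsiders: not an open resolver
    zone "xyz.com" { type master; file "external/db.xyz.com"; };
};

; ---- internal/db.xyz.com: private addresses, handed out only to inside-net ----
$TTL 3600
@     IN SOA ns1.xyz.com. hostmaster.xyz.com. ( 2002062501 3600 900 604800 300 )
      IN NS  ns1.xyz.com.
      IN MX  10 mail.xyz.com.
ns1   IN A   192.100.100.6     ; assumed inside address of this DNS server
www   IN A   192.100.100.2     ; inside clients reach the web server directly
mail  IN A   192.100.100.3     ; no hairpin through the PIX inside interface

; ---- external/db.xyz.com: public addresses from the PIX statics ----
$TTL 3600
@     IN SOA ns1.xyz.com. hostmaster.xyz.com. ( 2002062501 3600 900 604800 300 )
      IN NS  ns1.xyz.com.
      IN MX  10 mail.xyz.com.
ns1   IN A   209.249.57.5      ; assumed public translation of the DNS server
www   IN A   209.249.57.3      ; the static for 192.100.100.2
mail  IN A   209.249.57.4      ; the static for 192.100.100.3
```

Once views are used, every zone, including the root hints, must be declared inside a view, and a zone left outside all views is a configuration error. Keep the two serials in step when you edit the zones, or resolvers that cached one view's answer will keep it until the TTL expires.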

how to set up dns server behind a pix firewall cont.?

So if I understand this correctly, I can get away with one DNS server outside
our network.  We are currently using a company for our DNS service.  So my task
involves the following steps:
1.  Tell the company that provides us the DNS service to point to 209.249.57.3
for our www.xyz.com. Let's suppose that the DNS server for that company has the
IP a.b.c.d.
2.  Then, since my PIX inside interface has the IP address of 192.100.100.1,
issue the command alias 192.100.100.1 a.b.c.d 255.255.255.255
3.  Then have our internal client machines point to 192.100.100.1 for DNS
queries.

Thanks for any help.
Teresa
