Hey Karl,

Is there any special reason you're running DNS inside? It's MUCH simpler if you let 
your ISP do your DNS for you, then nail down your PIX to allow udp traffic ONLY to 
your ISP's DNS servers.

The PIX won't let traffic leave your network then come back in; this is where your 
reverse lookups are failing. I assume your internal DNS is the primary for your domain, 
correct? When these external mail servers are attempting to resolve your hosts they 
are probably trying to get the DNS info from your DNS server on the inside, but your 
PIX is probably denying this traffic. Am I on track so far?

Well, if you were getting DNS from your ISP, when the external mail servers needed to 
resolve one of your hosts it would get resolved to the OUTSIDE translated address 
(GLOBAL pool address) from the external DNS server, instead of the INTERNAL IP address 
that it SHOULD NOT see (because of the NAT process).

If you absolutely need to do your own DNS then you will want to put it out in the DMZ 
and configure STATIC and CONDUIT statements allowing the appropriate traffic through to 
your inside hosts.

Hope this helps a bit..

Marc..
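A configuration sketch of the two setups Marc describes, added here as an illustration and not taken from the thread or from Cisco documentation. The PIX 5.x command syntax, the interface names and every address (RFC 5737 documentation ranges) are assumptions, and this is not a complete PIX configuration.

```cisco
! Assumed interface roles: inside (security100), dmz (security50), outside (security0)
nameif ethernet2 dmz security50

! --- Option 1 (Marc's first suggestion): let the ISP do DNS ---
! Inside hosts may send UDP/53 ONLY to the ISP resolver (198.51.100.1 is a placeholder).
! Outbound lists use best-match: the deny covers everything, the permit carves out the ISP.
outbound 10 deny 0.0.0.0 0.0.0.0 53 udp
outbound 10 permit 198.51.100.1 255.255.255.255 53 udp
apply (inside) 10 outgoing_dest

! --- Option 2 (if you must run your own DNS): authoritative server in the DMZ ---
! One-to-one static: global 203.0.113.53 <-> DMZ DNS server 192.168.50.53 (placeholders)
static (dmz,outside) 203.0.113.53 192.168.50.53 netmask 255.255.255.255 0 0
! Let outside resolvers query it: UDP for normal lookups, TCP for large answers
conduit permit udp host 203.0.113.53 eq domain any
conduit permit tcp host 203.0.113.53 eq domain any

! The DMZ server must publish the GLOBAL (translated) address of the mail host,
! never the inside one, e.g.  mail.example.com. A 203.0.113.25
! and the matching PTR     25.113.0.203.in-addr.arpa. PTR mail.example.com.

! Expose the inside mail server on its global address, SMTP only
static (inside,outside) 203.0.113.25 192.168.1.25 netmask 255.255.255.255 0 0
conduit permit tcp host 203.0.113.25 eq smtp any
```

One caveat for option 2: the reverse zone for the global pool (here 113.0.203.in-addr.arpa) belongs to whoever was allocated the address block, normally the ISP, so the PTR record has to be published there or that zone delegated to the DMZ server; otherwise outside mail servers still get no answer for the reverse lookup.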

>>> Karl Homburg <[EMAIL PROTECTED]> 01/11/01 09:07AM >>>
OK here's the situation.  We have our SMTP email server and our primary DNS
server behind a PIX 520 firewall running Ver. 5.2(3).  So far everything is
running smoothly considering.  We have one problem though,  when we do a
reverse lookup we can't get a reply.  We are doing NAT with the PIX.  We
have some outside email servers that are failing on their reverse lookups to
us when someone sends mail to a user outside.

My question is this:  what does it take on the PIX firewall to allow reverse
DNS lookups to pass in and out of the firewall?

Any help would be appreciated.  I am by no means a security admin, and this
has gone straight over my head.

Thanks
Karl Homburg, MSCE
Brenco, Inc.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
