PIX and DNS Forwarding

Answered Question
Mar 6th, 2007
Hi,

Is it possible to forward DNS requests addressed to a PIX inside interface out to ISP's DNS?

Thanks

vitripat Wed, 03/07/2007 - 08:26
Do you mean to say that internal hosts are using PIX inside interface as a DNS server IP? Or is it that PIX is acting as a DHCP server for the internal clients?


vsclear Wed, 03/07/2007 - 16:48
Hi

I meant that internal PCs use the PIX inside interface as a DNS server. In this case, the PIX should forward DNS requests to the ISP's DNS. Question: can the PIX do it?

Correct Answer
vitripat Wed, 03/07/2007 - 16:54
Officially, the PIX is not designed to do so. But we can make it work by using the following commands.

Suppose that the ISP's DNS server IP is 4.2.2.2 and the PIX inside interface IP is 1.1.1.1. In this case, try the following commands:

    static (outside,inside) udp interface 53 4.2.2.2 53
    clear xlate

Now, whenever UDP port 53 requests (DNS requests) are directed to the PIX's inside interface IP, the PIX will redirect them to UDP 53 on the ISP's DNS server.

Hope this works for you.

Regards,

Vibhor.
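As an added illustration (my own constructed model, not PIX code and not part of the thread), the snippet below parses the port static above and applies its semantics to a packet arriving on the inside interface: a UDP/53 packet addressed to the inside interface IP is rewritten to 4.2.2.2:53, while TCP/53 and other destinations are left alone. The outside interface address is an assumed placeholder.

```python
"""Model of a PIX port static: static (real_ifc,mapped_ifc) {tcp|udp}
mapped_ip mapped_port real_ip real_port.  Constructed example only; it
mirrors the behaviour described in the answer, it is not PIX software."""
import re
from typing import Dict, List, Optional, Tuple

STATIC_RE = re.compile(
    r"^static\s+\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(tcp|udp)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$"
)


def parse_static(line: str) -> dict:
    """Parse one 'static (...) tcp|udp ...' line into its fields."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a port static: {line!r}")
    real_ifc, mapped_ifc, proto, mapped_ip, mapped_port, real_ip, real_port = m.groups()
    return {"real_ifc": real_ifc, "mapped_ifc": mapped_ifc, "proto": proto,
            "mapped_ip": mapped_ip, "mapped_port": int(mapped_port),
            "real_ip": real_ip, "real_port": int(real_port)}


def translate(rules: List[dict], ingress_ifc: str, ifc_ips: Dict[str, str],
              proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Return (new_dst_ip, new_dst_port) when a static on the ingress
    interface matches the packet's protocol and destination, else None."""
    for r in rules:
        if r["mapped_ifc"] != ingress_ifc or r["proto"] != proto:
            continue  # wrong interface or protocol: a udp static never matches tcp
        mapped_ip = ifc_ips[ingress_ifc] if r["mapped_ip"] == "interface" else r["mapped_ip"]
        if dst_ip == mapped_ip and dst_port == r["mapped_port"]:
            return (r["real_ip"], r["real_port"])
    return None


# Values from the thread (ISP DNS 4.2.2.2, inside 1.1.1.1); outside IP is assumed.
RULES = [parse_static("static (outside,inside) udp interface 53 4.2.2.2 53")]
IFC_IPS = {"inside": "1.1.1.1", "outside": "203.0.113.2"}

if __name__ == "__main__":
    print(translate(RULES, "inside", IFC_IPS, "udp", "1.1.1.1", 53))  # ('4.2.2.2', 53)
    print(translate(RULES, "inside", IFC_IPS, "tcp", "1.1.1.1", 53))  # None
```

Because the static names udp only, a resolver retry over TCP/53 (after a truncated UDP answer) is not redirected; a second static with tcp in place of udp would be needed if that matters in your network.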

vsclear Wed, 03/07/2007 - 19:34
Hello Vibhor,

Thank you for your help. I have just tried that command in a small lab environment:

PC (192.168.2.2/29) --> PIX_inside (192.168.2.1/29) - PIX_outside (192.168.1.2/24) --> 2610_e0/0 (192.168.1.1/24)

I don't have an outside DNS server in the lab; therefore, to test it:

- 2610:

    ip http server
    ip http port 53
    debug ip tcp packet

- PIX:

    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    global (outside) 1 interface
    static (outside, inside) tpc interface 80 192.168.1.1 53

- PC:

    http://192.168.1.1

Debug output on the 2610 indicates that the HTTP traffic reaches the router; however, the PIX does not translate the port from 80 to 53:

    00:21:41: tcp0: I LISTEN 192.168.1.2:1034 192.168.1.1:80 seq 2926118896 OPTS 8 SYN WIN 64512


Any idea how to check what is going on the PIX?


Thanks

Vadim

vsclear Wed, 03/07/2007 - 23:09
Hello Vibhor,

Please ignore my last update. The command you have posted is working! (I just did not test it correctly.)

Thank you so much!

Vadim
