PIX and DNS Forwarding

Answered Question
Mar 6th, 2007

Hi,

Is it possible to forward DNS requests addressed to the PIX inside interface out to the ISP's DNS?

Thanks

vitripat Wed, 03/07/2007 - 08:26

Do you mean to say that internal hosts are using PIX inside interface as a DNS server IP? Or is it that PIX is acting as a DHCP server for the internal clients?

vsclear Wed, 03/07/2007 - 16:48

Hi

I meant that internal PCs use the PIX inside interface as a DNS server. In this case, the PIX should forward DNS requests to the ISP's DNS. Question: Can the PIX do it?

Correct Answer
vitripat Wed, 03/07/2007 - 16:54

Officially, the PIX is not designed to do so, but we can make it work by using the following commands.

Suppose that the ISP's DNS server IP is 4.2.2.2 and the PIX inside interface IP is 1.1.1.1. In this case, try the following commands:

static (outside,inside) udp interface 53 4.2.2.2 53

clear xlate

Now all UDP port 53 requests (that is, DNS requests) directed to the PIX's inside interface IP will be redirected by the PIX to UDP port 53 on the ISP's DNS server.

Hope this works for you.

Regards,

Vibhor.

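Vibhor's command is a port-redirection static rather than a DNS proxy: the PIX rewrites the destination of a packet sent to its inside address on UDP 53 so that it goes to the ISP's server. As an added example that is not from this thread, the Python below models that mapping for a PIX `static` line, applies the same model to Vadim's lab static below, and rejects a mistyped protocol keyword; the interface address table and the outside address 203.0.113.2 are constructed values.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# PIX port-redirection static, as used in the thread:
#   static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port
# The keyword "interface" as mapped_ip means the mapped interface's own address.
STATIC_RE = re.compile(
    r"^static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(\w+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$"
)


class Redirect(NamedTuple):
    real_ifc: str
    mapped_ifc: str
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


def parse_static(line: str, ifc_addrs: Dict[str, str]) -> Redirect:
    """Parse one static line, resolve 'interface', and reject unknown protocols."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a port-redirection static: {line!r}")
    real_ifc, mapped_ifc, proto, mapped_ip, mport, real_ip, rport = m.groups()
    if proto.lower() not in ("tcp", "udp"):  # a typo such as 'tpc' fails here
        raise ValueError(f"unknown protocol {proto!r} in {line!r}")
    if mapped_ip == "interface":
        mapped_ip = ifc_addrs[mapped_ifc]
    return Redirect(real_ifc, mapped_ifc, proto.lower(), mapped_ip,
                    int(mport), real_ip, int(rport))


def translate(statics: List[Redirect], proto: str, dst_ip: str,
              dst_port: int) -> Optional[Tuple[str, int]]:
    """Real destination of a client packet hitting the mapped address, or None."""
    for s in statics:
        if (s.proto, s.mapped_ip, s.mapped_port) == (proto, dst_ip, dst_port):
            return (s.real_ip, s.real_port)
    return None


if __name__ == "__main__":
    # Constructed address table: inside IP from the thread, outside IP made up.
    addrs = {"inside": "1.1.1.1", "outside": "203.0.113.2"}
    dns = parse_static("static (outside,inside) udp interface 53 4.2.2.2 53", addrs)
    print(translate([dns], "udp", "1.1.1.1", 53))  # UDP DNS is redirected
    print(translate([dns], "tcp", "1.1.1.1", 53))  # TCP DNS is not: the static is UDP-only
```

Because the static is UDP-only, TCP fallback queries (truncated responses, zone transfers) to the inside address are not redirected; a second `tcp` static would be needed for those.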
vsclear Wed, 03/07/2007 - 19:34

Hello Vibhor,

Thank you for your help. I have just tried that command in a small lab environment:

PC (192.168.2.2/29) --> PIX_inside (192.168.2.1/29) - PIX_outside(192.168.1.2/24) --> 2610_e0/0 (192.168.1.1/24)

I don't have an outside DNS server in the lab; therefore, to test it:

- 2610:

ip http server
ip http port 53
debug ip tcp packet

- PIX:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
static (outside,inside) tcp interface 80 192.168.1.1 53

- PC:

http://192.168.1.1

Debug output on the 2610 indicates that HTTP traffic reaches the router; however, the PIX does not translate the port from 80 to 53:

00:21:41: tcp0: I LISTEN 192.168.1.2:1034 192.168.1.1:80 seq 2926118896 OPTS 8 SYN WIN 64512

Any idea how to check what is going on on the PIX?

Thanks

Vadim

vsclear Wed, 03/07/2007 - 23:09

Hello Vibhor,

Please ignore my last update. The command you posted is working! (I just did not test it correctly.)

Thank you so much!

Vadim
