Newbie wants to build a DNS

Unanswered Question
Aug 26th, 2007

Dear All,

I want to build a DNS server for my company. I have the public IP address 202.152.04.xx and my internal IP is 172.16.1.3. Could anybody please help me with what I should do?


Thanks a lot in advance


Regards

Winanjaya

scottmac Sun, 08/26/2007 - 19:34

Once you have your server built and tweaked, you would coordinate with your ISP to have them put your server's address as the authoritative DNS for your domain.


The ISP needs to propagate that information into the Top Level Domain (TLD = .com, .edu, .org, etc) so everyone on the Internet will know that your server is the authority for all things in your domain.


Good Luck


Scott


winanjaya Sun, 08/26/2007 - 21:02

Thanks. Do I need to configure my PIX? If yes, could you please advise what I should configure?


Thanks a lot in advance


Regards

Winanjaya


anandramapathy Mon, 08/27/2007 - 01:23

Yes, you need to do the following on your PIX.

Assuming your DNS is in the inside network (else substitute this with the DMZ):

static (inside,outside) 202.x.x.x 192.x.x.x

Then apply a rule on the outside interface to allow inbound DNS queries:

access-list OUTSIDE permit udp any host 202.x.x.x eq 53
access-list OUTSIDE permit tcp any host 202.x.x.x eq 53

access-group OUTSIDE in interface INSIDE



HTH - please rate if this helps

srue Mon, 08/27/2007 - 04:51

You should be able to register your DNS server with whomever you registered your domain name with.

winanjaya Tue, 08/28/2007 - 18:01

Hi,

What I did is as follows:

static (dmz,outside) 202.xx.xx.xx 192.xx.xx.xx

access-list OUTSIDE permit udp any host 202.xx.xx.xx eq 53
access-list OUTSIDE permit tcp any host 202.xx.xx.xx eq 53

and I did not run the following:

access-group OUTSIDE in interface INSIDE

because I am unable to ping any servers if I run that command.

Any comments? Or did I miss something?


pls advise


thanks & Regards

Winanjaya


srue Tue, 08/28/2007 - 19:18

change:

access-group OUTSIDE in Interface INSIDE

to

access-group OUTSIDE in Interface OUTSIDE

winanjaya Tue, 08/28/2007 - 20:09

Before I applied it, I had the following:

sh access-group


access-group inbound_filter in interface outside

access-group inside in interface inside

access-group dmz in interface dmz


but after I ran:

access-group OUTSIDE in Interface OUTSIDE


I have the following:


Pixlgi(config)# sh access-group

access-group outside in interface outside

access-group inside in interface inside

access-group dmz in interface dmz


where is my:

access-group inbound_filter in interface outside


please advise


thanks and regards

Winanjaya




anandramapathy Tue, 08/28/2007 - 20:39

The command

access-group OUTSIDE in interface OUTSIDE

has removed the access group inbound_filter from the outside interface.

What does the access list inbound_filter contain?

The theory is like this:

Whichever server/port you want to expose to the Internet, you have to use the access group on the outside interface.

By default, outbound access is enabled from the inside network, so you do not need an access group for the inside interface (unless you want to specifically block outbound access for a reason).

So you should be good.

From an outside connection, try connecting to the DNS server with the nslookup command:

nslookup
> server 202.X.X.X

If forward and reverse zones are configured correctly, you should get the DNS name of the DNS server.

Then try to resolve some records which you have added in your DNS server (public IP):

> mail.winanjaneya.com (substitute this with your domain name)

If it returns an IP, then your DNS is OK.

Otherwise, try this from an outside machine:

telnet 202.x.x.x 53

If a window blinks, then the DNS is exposed successfully; else use a port scanner from outside to scan the IP on port 53.

winanjaya Tue, 08/28/2007 - 21:47

Hi. I am able to ping the IP address from the Internet (it seems like it's NATted correctly), but I am unable to resolve any DNS records. Could anybody please help?



jeremyault Thu, 08/30/2007 - 09:54

OK, so you have verified that ICMP NATs properly. Now you must check whether DNS traffic is NATting (and being permitted through) properly.

According to the above config it should be working (the static NAT looks good and so does the ACL), so perhaps it's a server configuration problem. That's an entirely different issue.

winanjaya Tue, 09/04/2007 - 16:23

access-list inbound_filter permit tcp any host 202.x.x.x eq domain


access-list inbound_filter permit udp any host 202.x.x.x eq domain


access-list inbound_filter permit icmp any any echo-reply


access-list inbound_filter permit icmp any host 202.x.x.x


static (dmz,outside) 202.x.x.x 192.x.x.x netmask 255.255.255.255 0 0


access-group inbound_filter in interface outside


access-group inside in interface inside


access-group dmz in interface dmz


Now I am unable to ping, and I am also unable to telnet to 202.x.x.x 53.


please help


Thanks & Regards

Winanjaya



dkraatz Wed, 09/05/2007 - 09:27

It seems that your firewall is not the issue. It sounds like your DNS server is the issue. If you are able to resolve internal DNS queries, then you need to set forwarders on your DNS server for anything outside your domain. For example, run an nslookup for any server or computer in your domain. If you have your forward lookup zones and your reverse lookup zones configured properly, then you should have an IP address returned. If you do an nslookup on some other website and are not returned an IP address, then you need to set up forwarders. I suggest using the open DNS servers at 208.67.222.222 and 208.67.220.220. Here is a document describing how to do that.

http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html


I hope this helps.
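To make the nslookup/telnet test from earlier in the thread repeatable, here is an added example (mine, not code from any of the posters or from Cisco) that builds a DNS query with the Python standard library, sends it to the exposed address over UDP and then TCP port 53, and reads the reply flags. It checks two things the thread touches on: whether the server answers authoritatively (the AA bit) for a name in its own zone, and, once forwarders are configured as suggested above, whether it will also recurse for names outside that zone for anyone on the Internet. The access list in this thread permits port 53 from `any`, so a server that forwards external queries becomes an open resolver that can be used for cache-poisoning attempts and amplification; recursion should be limited to internal addresses, or handled by a separate internal resolver that is not exposed. The server address, names and zone in the usage line are placeholders, and `build_response` produces constructed sample replies (in real wire format) so the parsing can be exercised offline.

```python
"""Probe a DNS server from outside, as the thread suggests (query, check the
answer), and also flag open recursion. Python stdlib only."""
import socket
import struct
import sys

QTYPE_A, QCLASS_IN = 1, 1
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Dotted name -> uncompressed DNS wire labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """Standard query with RD set, so a recursive server reveals itself via RA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                     # compression pointer
            end = offset + 2 if end is None else end    # only the first pointer ends the field
            hops += 1
            if hops > 32:
                raise ValueError("compression loop")    # guard against a malicious reply
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset

def parse_response(msg):
    """Header flags plus question and answer sections (A rdata as dotted quad)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0xF, "questions": [], "answers": []}
    offset = 12
    for _ in range(qd):
        qname, offset = read_name(msg, offset)
        info["questions"].append((qname, struct.unpack("!H", msg[offset:offset + 2])[0]))
        offset += 4
    for _ in range(an):
        rname, offset = read_name(msg, offset)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        rdata = msg[offset + 10:offset + 10 + rdlen]
        offset += 10 + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        info["answers"].append((rname, rtype, ttl, rdata))
    return info

def build_response(query, addresses=(), aa=True, ra=False, rcode=0, ttl=3600):
    """Constructed reply to `query` (a test fixture, not a captured packet)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:read_name(query, 12)[1] + 4]
    flags = 0x8100 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    rr = struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    return header + question + b"".join(b"\xc0\x0c" + rr + socket.inet_aton(a) for a in addresses)

def assess(resp, name, own_domain):
    """Findings for a reply to `name`, given the zone the server is meant to serve."""
    r = parse_response(resp)
    name, own_domain = name.rstrip(".").lower(), own_domain.rstrip(".").lower()
    findings = []
    if r["rcode"]:
        findings.append("rcode %d (%s)" % (r["rcode"], RCODES.get(r["rcode"], "?")))
    if name == own_domain or name.endswith("." + own_domain):
        findings.append("authoritative" if r["aa"] else "NOT authoritative for own zone")
    else:
        if r["answers"]:
            findings.append("OPEN RESOLVER: answered for external name")
        if r["ra"]:
            findings.append("recursion available to the Internet")
    return r, findings

def probe(server, name, tcp=False, timeout=3.0):
    """One query over UDP/53 or TCP/53 (TCP frames the message with a 2-byte length)."""
    q = build_query(name)
    if tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            return s.recv(struct.unpack("!H", s.recv(2))[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return s.recv(4096)

if __name__ == "__main__":   # python dnsprobe.py <server-ip> <name> <own-domain>  (placeholders)
    server, name, zone = sys.argv[1:4]
    for use_tcp in (False, True):
        r, f = assess(probe(server, name, tcp=use_tcp), name, zone)
        print("tcp" if use_tcp else "udp", r["answers"], f)
```

Run it from a host outside the firewall with the public address, a name from your own zone (expect "authoritative") and then a name from someone else's domain (anything other than a REFUSED or empty reply means the server is recursing for the whole Internet). On the PIX side, `show xlate` confirms the static translation is in place, and on releases that show hit counts, `show access-list inbound_filter` tells you whether the query matched the permit lines; if the probe times out and neither shows activity, the packet never reached the firewall.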
