Newbie wants to build a DNS

winanjaya
Level 1

Dear All,

I want to build a DNS for my company. I have the public IP address 202.152.04.xx and my internal IP is 172.16.1.3; could anybody please help with what I should do?

Thanks a lot in advance

Regards

Winanjaya

13 Replies

scottmac
Level 10

Once you have your server built & tweaked, you would coordinate with your ISP to have them put your server's address as the authoritative DNS for your domain.

The ISP needs to propagate that information into the Top Level Domain (TLD = .com, .edu, .org, etc.) so everyone on the Internet will know that your server is the authority for all things in your domain.

Good Luck

Scott

Thanks. Do I need to configure my PIX? If yes, could you please advise what I should configure?

Thanks a lot in advance

Regards

Winanjaya

Yes, you need to do the following on your PIX.

Assuming your DNS is in the inside network (else substitute this with the DMZ):

static (inside,outside) 202.x.x.x 192.x.x.x

Then apply a rule on the outside interface to allow inbound DNS queries:

access-list OUTSIDE permit udp any 202.x.x.x eq 53

access-list OUTSIDE permit tcp any 202.x.x.x eq 53

access-group OUTSIDE in interface INSIDE

HTH - please rate if this helps

You should be able to register your DNS server with whomever you registered your domain name with.

Hi,

What I did is as follows:

static (dmz,outside) 202.xx.xx.xx 192.xx.xx.xx

access-list OUTSIDE permit udp any 202.xx.xx.xx eq 53

access-list OUTSIDE permit tcp any 202.xx.xx.xx eq 53

and I did not run the below:

access-group OUTSIDE in Interface INSIDE

because I am unable to ping any servers if I run that command.

Any comment? Or did I miss something?

Please advise.

Thanks & Regards

Winanjaya

change:

access-group OUTSIDE in Interface INSIDE

to

access-group OUTSIDE in Interface OUTSIDE

Oops, sorry, that was a mistake on my part.

Let me know if you have any issues.

Before I applied it, I had the following:

sh access-group

access-group inbound_filter in interface outside

access-group inside in interface inside

access-group dmz in interface dmz

But after I ran:

access-group OUTSIDE in Interface OUTSIDE

I have the following:

Pixlgi(config)# sh access-group

access-group outside in interface outside

access-group inside in interface inside

access-group dmz in interface dmz

Where is my:

access-group inbound_filter in interface outside

Please advise.

Thanks and regards

Winanjaya

The command

access-group OUTSIDE in Interface OUTSIDE

has removed the access-group inbound_filter from the outside interface.

What does the access list inbound_filter contain?

The theory is like this:

whichever server / port you want to expose to the internet,

you have to use the access group on the outside interface

by default outbound access is enabled from the inside network, so you do not need an access group for the inside interface

( unless you want to specifically block outbound access for a reason )

So you should be good

From an outside connection, try connecting to the DNS server with the nslookup command:

nslookup

server 202.X.X.X

If forward & reverse zones are configured correctly, you should get the DNS name of the DNS server.

Then try to resolve some records which you have added in your DNS server (public IP):

>mail.winanjaneya.com (substitute this with your domain name)

if it returns an IP, then your DNS is ok.

Otherwise try this from an outside machine

telnet 202.x.x.x 53

If a window blinks, then the DNS is exposed successfully;

else use a port scanner from outside to scan the IP on port 53.

Hi, I am able to ping the IP address from the Internet (it seems like it's NATed correctly), but I am unable to resolve any DNS records. Could anybody please help?

OK, so you have verified that ICMP NATs properly. Now you must check whether DNS traffic is NATing (and being permitted through) properly.

According to the above config it should be working properly (static NAT looks good and so does ACL) so perhaps it's a server configuration. That's an entirely different issue.
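The nslookup/telnet checks from the reply above, and the "ping works but DNS does not" case just discussed, can be run from an outside host with this small probe. It is an added example, not code from the thread: it sends a real DNS question to the public address over both UDP and TCP port 53 and reports whether the query was dropped (ACL or NAT still blocking), refused (host reached, nothing listening) or answered, and with which RCODE, which is what separates a firewall problem from a server problem. It assumes only the Python 3 standard library; the server address and the name to query are arguments you supply.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, qtype=1, txid=None):
    """Minimal DNS query: one question, RD set (qtype 1 = A). Returns (txid, wire bytes)."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return txid, header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_reply(txid, data):
    """Validate the reply header; returns (rcode name, answer count, AA flag)."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("transaction id mismatch or QR bit not set")
    return RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}"), an, bool(flags & 0x0400)

def probe(server, qname, timeout=3.0):
    """Query server on UDP and TCP 53 as an outside client; returns {"udp": ..., "tcp": ...}."""
    txid, q = build_query(qname)
    result = {}
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            rcode, an, aa = parse_reply(txid, s.recvfrom(4096)[0])
            result["udp"] = f"{rcode} answers={an} authoritative={aa}"
    except socket.timeout:  # no reply at all: dropped by the ACL/NAT, or no UDP listener
        result["udp"] = "timeout (filtered by ACL/NAT, or nothing listening on UDP 53)"
    except (OSError, ValueError, struct.error) as e:
        result["udp"] = f"error: {e}"
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)  # DNS over TCP is length-prefixed
            f = s.makefile("rb")
            (length,) = struct.unpack("!H", f.read(2))
            rcode, an, aa = parse_reply(txid, f.read(length))
            result["tcp"] = f"{rcode} answers={an} authoritative={aa}"
    except ConnectionRefusedError:  # RST came back: the NAT works, the server is not listening
        result["tcp"] = "refused (host reached, nothing listening on TCP 53)"
    except socket.timeout:  # SYN dropped: the outside access-group is not permitting tcp/53
        result["tcp"] = "timeout (filtered by ACL/NAT)"
    except (OSError, ValueError, struct.error) as e:
        result["tcp"] = f"error: {e}"
    return result
```

Run `probe("202.x.x.x", "mail.yourdomain.example")` from a host outside the PIX; a NOERROR with authoritative=True on both transports is the state the thread is working towards.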

access-list inbound_filter permit tcp any host 202.x.x.x eq domain

access-list inbound_filter permit udp any host 202.x.x.x eq domain

access-list inbound_filter permit icmp any any echo-reply

access-list inbound_filter permit icmp any host 202.x.x.x

static (dmz,outside) 202.x.x.x 192.x.x.x netmask 255.255.255.255 0 0

access-group inbound_filter in interface outside

access-group inside in interface inside

access-group dmz in interface dmz

Now I am unable to ping, and I am also unable to telnet to 202.x.x.x 53.

Please help.

Thanks & Regards

Winanjaya

It seems that your firewall is not the issue. It sounds like your DNS server is the issue. If you are able to resolve internal DNS queries, then you need to set forwarders on your DNS server for anything outside your domain. For example, run an nslookup for any server or computer on your domain. If you have your forward lookup zones and your reverse lookup zones configured properly, then you should have an IP address returned. If you do an nslookup on some other website and are not returned an IP address, then you need to set up forwarders. I suggest using an open DNS server at 208.67.222.222 and 208.67.220.220. Here is a document describing how to do that.

http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html

I hope this helps.
