08-26-2007 06:19 PM - edited 03-09-2019 06:41 PM
Dear All,
I want to build a DNS for my company. I have a public IP address 202.152.04.xx and my internal IP is 172.16.1.3; could anybody please help with what I should do?
Thanks a lot in advance
Regards
Winanjaya
08-26-2007 07:34 PM
Once you have your server built & tweaked, you would coordinate with your ISP to have them put your server's address as the authoritative DNS for your domain.
The ISP needs to propagate that information into the Top Level Domain (TLD = .com, .edu, .org, etc) so everyone on the Internet will know that your server is the authority for all things in your domain.
Good Luck
Scott
08-26-2007 09:02 PM
Thanks. Do I need to configure my PIX? If yes, could you please advise what I should configure?
Thanks a lot in advance
Regards
Winanjaya
08-27-2007 01:23 AM
Yes, you need to do the following on your PIX.
Assuming your DNS is in the inside network (else substitute this with the DMZ):
Static (Inside,Outside) 202.x.x.x 192.x.x.x
Then apply a rule on the outside interface to allow inbound DNS queries
access-list OUTSIDE permit udp any 202.x.x.x eq 53
access-list OUTSIDE permit tcp any 202.x.x.x eq 53
access-group OUTSIDE in Interface INSIDE
HTH - please rate if this helps
08-27-2007 04:51 AM
You should be able to register your DNS server with whomever you registered your domain name with.
08-28-2007 06:01 PM
Hi,
What I did is as follows:
static (dmz,outside) 202.xx.xx.xx 192.xx.xx.xx
access-list OUTSIDE permit udp any 202.xx.xx.xx eq 53
access-list OUTSIDE permit tcp any 202.xx.xx.xx eq 53
and I did not run the below:
access-group OUTSIDE in Interface INSIDE
because I am unable to ping any servers if I run such a command.
Any comment? Or did I miss something?
Please advise.
thanks & Regards
Winanjaya
08-28-2007 07:18 PM
change:
access-group OUTSIDE in Interface INSIDE
to
access-group OUTSIDE in Interface OUTSIDE
08-28-2007 07:49 PM
Oops, sorry, it was a mistake from me.
Let me know if you have any issue.
08-28-2007 08:09 PM
Before I applied it, I had the below:
sh access-group
access-group inbound_filter in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
but after I ran:
access-group OUTSIDE in Interface OUTSIDE
I have the below:
Pixlgi(config)# sh access-group
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
Where is my:
access-group inbound_filter in interface outside
Please advise.
thanks and regards
Winanjaya
08-28-2007 08:39 PM
The command
access-group OUTSIDE in Interface OUTSIDE
has removed the access-group inbound_filter from the outside interface.
What does the access-list inbound_filter contain?
The theory is like this:
whichever server/port you want to expose to the Internet,
you have to use the access-group on the outside interface.
By default outbound access is enabled from the inside network, so you do not need an access-group for the inside interface
(unless you want to specifically block outbound access for a reason).
So you should be good.
From an outside connection, try connecting to the DNS server with the nslookup command:
nslookup
server 202.X.X.X
If forward & reverse zones are configured correctly you should get the DNS name of the DNS server.
Then try to resolve some records which you have added in your DNS server (public IP):
> mail.winanjaneya.com (substitute this with your domain name)
if it returns an IP, then your DNS is ok.
Otherwise try this from an outside machine
telnet 202.x.x.x 53
if a window blinks, then the DNS is exposed successfully
else use a port scanner from outside to scan the IP on port 53
08-28-2007 09:47 PM
Hi, I am able to ping the IP address from the Internet (it seems like it's NATted correctly), but I am unable to resolve any DNS records. Could anybody please help?
08-30-2007 09:54 AM
OK, so you have verified that ICMP NATs properly. Now you must check whether DNS traffic is NATting (and being permitted through) properly.
According to the above config it should be working properly (static NAT looks good and so does ACL) so perhaps it's a server configuration. That's an entirely different issue.
09-04-2007 04:23 PM
access-list inbound_filter permit tcp any host 202.x.x.x eq domain
access-list inbound_filter permit udp any host 202.x.x.x eq domain
access-list inbound_filter permit icmp any any echo-reply
access-list inbound_filter permit icmp any host 202.x.x.x
static (dmz,outside) 202.x.x.x 192.x.x.x netmask 255.255.255.255 0 0
access-group inbound_filter in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
Now I am unable to ping, and I am also unable to telnet to 202.x.x.x 53.
Please help.
Thanks & Regards
Winanjaya
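As an added check for the exposure test described earlier (the nslookup and telnet-to-53 steps) and for the inbound_filter rules just posted, here is a small Python probe that is not from this thread or from Cisco: it sends a real DNS query over both UDP and TCP port 53, the two transports the access-list permits, and refuses a reply whose transaction id does not match the query. The server address, the hostname and the SAMPLE_REPLY bytes are constructed placeholders, not values from the thread.

```python
import socket
import struct

def build_query(name, txid=0x1234):  # RFC 1035 query for an A record, recursion desired
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):  # a name ends with a zero byte or a 2-byte compression pointer
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_response(msg, txid=0x1234):
    """Return (rcode, list of A-record IPs); reject replies whose id is not ours."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: not the reply to our query")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:  # A record: four address bytes follow the RR header
            ips.append(".".join(str(b) for b in msg[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0xF, ips

def probe(server, name, timeout=3.0):
    """Query `server` over UDP and TCP (one transport per ACL rule); report each result."""
    q, out = build_query(name), {}
    for proto, kind in (("udp", socket.SOCK_DGRAM), ("tcp", socket.SOCK_STREAM)):
        try:
            with socket.socket(socket.AF_INET, kind) as s:
                s.settimeout(timeout)
                s.connect((server, 53))
                if proto == "tcp":  # TCP DNS frames each message with a 2-byte length
                    s.sendall(struct.pack("!H", len(q)) + q)
                    out[proto] = parse_response(s.recv(struct.unpack("!H", s.recv(2))[0]))
                else:
                    s.send(q)
                    out[proto] = parse_response(s.recv(512))
        except OSError as e:
            out[proto] = f"no answer (blocked or server down): {e}"
    return out

# Constructed reply, not captured from the thread: NOERROR, one compressed A record.
SAMPLE_REPLY = bytes.fromhex("123481800001000100000000046d61696c076578616d706c6503636f6d0000010001c00c0001000100000e100004cb00710a")
```

Run `probe("203.0.113.53", "mail.example.com")` with the server's public (static NAT) address substituted; a timeout on one transport but not the other points at the ACL, a NOERROR reply with no addresses at the zone data.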
09-05-2007 09:27 AM
It seems that your firewall is not the issue. It sounds like your DNS server is the issue. If you are able to resolve internal DNS queries, then you need to set forwarders on your DNS server for anything outside your domain. For example, run an nslookup for any server or computer on your domain. If you have your forward lookup zones and your reverse lookup zones configured properly then you should have an IP address returned. If you do an nslookup on some other website and are not returned an IP address then you need to set up forwarders. I suggest using an open DNS server at 208.67.222.222 and 208.67.220.220. Here is a document describing how to do that.
I hope this helps.