Hairpinning DMZ DNS traffic

Unanswered Question
Nov 13th, 2007

Original post is here: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe7b88

I have configured hairpinning on our DMZ2 interface and it appears to be working for all traffic except DNS requests. When I do a packet-tracer on it I get the following error message:

(inspect-dns-invalid-pak) DNS Inspect invalid packet

I removed DNS inspection from the default inspection maps and policies but I still get the error. Here's the setup:

PIX 515E running 8.0(2) in failover.

E-mail server on DMZ2 10.0.x.12 NAT to outside address x.y.z.12

DNS server on DMZ2 10.0.x.252 NAT to outside address x.y.z.252

The e-mail server x.12 is pointing to root domain authority which replies with the DNS server x.252 as the NS for the domain it's trying to send mail to. So it tries to query the DNS server but fails with the error listed above.

Hairpinning config:

static (DMZ2,DMZ2) x.y.z.12 10.0.x.12 netmask 255.255.255.255

static (DMZ2,DMZ2) x.y.z.252 10.0.x.252 netmask 255.255.255.255

access-list DMZ2_access_in extended permit udp any any eq domain

Thanks for any and all assistance!

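As an added example (an editor's illustration, not the poster's configuration), here is the full set of PIX/ASA 8.0 commands a DMZ2-to-DMZ2 hairpinned DNS query depends on, using the same placeholder addresses as the post, followed by the checks to run. The `same-security-traffic` line, the `access-group` binding, the interface names and the verification commands are assumptions about a typical setup; the original post shows only the two statics and the ACL entry.

```cisco
! Required for any flow that enters and leaves the same interface (hairpinning).
! Assumption: not shown in the post; without it the DMZ2->DMZ2 flow is dropped before NAT.
same-security-traffic permit intra-interface

! Hairpin statics: DMZ2 hosts reach each other through their public addresses
static (DMZ2,DMZ2) x.y.z.12 10.0.x.12 netmask 255.255.255.255
static (DMZ2,DMZ2) x.y.z.252 10.0.x.252 netmask 255.255.255.255

! Inbound ACL on DMZ2: allow the mail server's query to the public address of the DNS server
! (tighter than 'any any' in the post; assumes x.y.z.252 is the only DNS target needed)
access-list DMZ2_access_in extended permit udp host 10.0.x.12 host x.y.z.252 eq domain
access-group DMZ2_access_in in interface DMZ2

! Keep default DNS inspection; it is what generates 'inspect-dns-invalid-pak' when a
! packet carries no parseable DNS payload
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

! --- verification (privileged EXEC) ---
! packet-tracer builds a UDP/53 packet with no real DNS payload, so the DNS inspector
! can flag it as invalid even when a genuine query would be allowed; treat this result
! as a hint, not proof, and confirm with a capture of real traffic.
packet-tracer input DMZ2 udp 10.0.x.12 1025 x.y.z.252 53

! Capture the real query/response pair on DMZ2 and check that both directions appear
capture dnscap interface DMZ2 match udp host 10.0.x.12 host x.y.z.252 eq 53
show capture dnscap
no capture dnscap

! Confirm the hairpin xlate and connection are created for the real flow
show xlate | include x.y.z.252
show conn protocol udp port 53
```

If the real query appears in the capture but no reply comes back, look at the DNS server's view of the source address: through the hairpin static the query arrives from x.y.z.12, so the server's ACL or recursion policy must permit that address, not only the 10.0.x.0 range.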
mchin345 Mon, 11/19/2007 - 11:45

I think the reason may be in the internal DNS server due to misconfiguration; check that one (clear the internal ARP cache on the edge router for DNS to work and then try again) and also verify the ACL.
