Local DNS Cannot resolve Internet-host

Answered Question
Oct 16th, 2009
User Badges:

Hi,


I have local DNS Server and needs to resolve internet address on behalf of local users.

what steps are needed on Firewall.


LAN users points to local DNS Server for name-resolving



On ASA I have static NAT for local DNS Server with Public IP and

on Inside ACL I allowed udp port 53, on Outside ACL also allowed udp port 53.


It doesnt seems to work, AM I missing some config still

Correct Answer by Collin Clark about 7 years 7 months ago

I don't have a way to test, but I think this will work to restrict the NAT to just DNS.


access-list dns-nat extended permit udp host 192.168.1.222 any eq domain

nat (inside) 2 access-list dns-nat


Here's a link for configuring QoS on the ASA.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
Collin Clark Fri, 10/16/2009 - 12:42
User Badges:
  • Purple, 4500 points or more

You don't need the static NAT (unless internet people contact this server for resolving your domain) and the outside ACL permitting UDP/53. Check your log when you do a DNS query and see if there is anything in there (post it if you like). Also x2 the ACL applied on the inside interface or post it if you have any doubts. Finally check the DNS inspection. The default is 512 which can be too small. Increase it to something like 1024.


policy-map type inspect dns preset_dns_map

parameters

message-length maximum 1024


Hope this helps.

Amin Shaikh Fri, 10/16/2009 - 13:09
User Badges:

Hi,


I have attached the ASA config.

DNS ServerIP:192.168.1.222.

From ASA I am able to ping DNS SERVER

and vice-versa.


We dont want LANusers to access internet using this link, so we have ACL on INSIDE.


I do have SMTP traffic from inside to outside and vice-versa working OK.



What is the command to apply name-server on ASA, so i can test name-resolution on ASA.(only for troubleshooting)




Attachment: 
Collin Clark Fri, 10/16/2009 - 13:16
User Badges:
  • Purple, 4500 points or more

One thing I noticed is your outgoing NAT-


nat (INSIDE) 2 192.168.1.100 255.255.255.255


This only allows 1 host to NAT, 192.168.1.100. Your DNS server should be added, so it can NAT.


nat (INSIDE) 2 192.168.1.222 255.255.255.255

Amin Shaikh Sat, 10/17/2009 - 01:27
User Badges:

After addding it works. With NAT everthing is allowed from this host


How can I restrict this statement

nat (INSIDE) 2 192.168.1.222 255.255.255.255


for DNS query only and need to restrict with bandwidth for 256K.


Can this be done.



Correct Answer
Collin Clark Mon, 10/19/2009 - 05:18
User Badges:
  • Purple, 4500 points or more

I don't have a way to test, but I think this will work to restrict the NAT to just DNS.


access-list dns-nat extended permit udp host 192.168.1.222 any eq domain

nat (inside) 2 access-list dns-nat


Here's a link for configuring QoS on the ASA.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

Actions

This Discussion