PIX DNS Reverse lookup

Answered Question
Mar 1st, 2010

Hello,

A customer of ours has an issue with an e-mail server. It's trying to do a DNS reverse lookup of its private IP address, but it doesn't find it in the DNS server:

192.168.100.9 (Reverse lookup) - error could not reverse lookup 192.168.100.9 in DNS: No PTR record found for domain...

A PIX firewall has a static NAT rule for this server. I've tried to perform DNS doctoring but it doesn't work. I've read that “Therefore, reverse lookups, which request the PTR record, are not affected by DNS rewrite.”

Does someone know how I can fix this?

Regards and thanks in advance.

Federico Coto F... Tue, 03/02/2010 - 15:07

Hi,

Is the computer trying to perform the reverse DNS lookup on the same interface as the email server, or is it coming from a different interface?

Could you elaborate a bit more on your description of the problem?

Please post the IPs in question and the interfaces associated with the corresponding commands.

Federico.

cdelafuente31 Wed, 03/03/2010 - 00:28

Sorry Federico,

I didn't explain it well. Our customer has a PIX with a DMZ interface, an inside interface and an outside interface. The SMTP server is connected to the DMZ interface. The SMTP server IP address is 180.190.160.9 (in the near future, they will replace this IP with a valid private IP address). And the DNS server is external to the LAN (it is accessed through the outside interface).

The PIX performs static NAT (with DNS doctoring):

static (dmz,outside) SMTPSERVER_public SMTPSERVER_private netmask 255.255.255.255 dns

The SMTP server is trying to perform the reverse DNS lookup of its private IP address, and it gets this message from the external DNS server because the external DNS doesn't have PTR records for this private IP address (it has the public IP addresses):

"192.168.100.9 (Reverse lookup) - error could not reverse lookup 192.168.100.9 in DNS: No PTR record found for domain..."

I've tried with DNS doctoring but it doesn't translate the IP addresses in the PTR records.

Best Regards,

Correct Answer
Federico Coto F... Thu, 03/04/2010 - 13:37

Hi,

When the server tries a reverse DNS lookup for its private IP, the DNS has no information about it (since as you mentioned it only knows about the public IP).

DNS Doctoring is for instance, if you want your inside LAN to access the SMTP server on the DMZ with its public IP.

So, the DNS resolves the public IP for the SMTP server, but the PIX translates the DNS reply to the real IP of the SMTP server, so the request is forwarded to the DMZ interface and not to the outside.

Why is the SMTP server attempting a reverse DNS lookup for its private IP?

What would you like to do, so we can help you out?

Federico.
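
Federico's explanation of what DNS doctoring does, and of why it cannot help the PTR lookup, as an added Python model (not PIX code and not from this thread): the static's public address is rewritten to the real address in A-record answers, while a PTR answer carries a name rather than an address and so passes through untouched, as does an NXDOMAIN reply for the private address. The public address 203.0.113.9 and the hostnames are assumed placeholders, and the model ignores which interfaces the reply crosses.

```python
import struct

# Constructed model of "static (dmz,outside) SMTPSERVER_public SMTPSERVER_private ... dns":
# public -> real (DMZ) address. 203.0.113.9 is a placeholder, not the customer's address.
STATIC_NAT = {"203.0.113.9": "192.168.100.9"}
A, PTR = 1, 12

def encode_name(name):
    # "mail.example.com" -> b"\x04mail\x07example\x03com\x00"
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):
    # Advance past a (possibly compressed) name and return the next offset.
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer: two bytes, then done
            return off + 2
        off += 1 + n

def build_reply(qname, qtype, rdatas, rcode=0):
    # Minimal DNS response: one question, len(rdatas) answers, no compression.
    hdr = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(rdatas), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answers = b"".join(encode_name(qname) + struct.pack("!HHIH", qtype, 1, 300, len(rd)) + rd
                       for rd in rdatas)
    return hdr + question + answers

def doctor_reply(msg, nat=STATIC_NAT):
    """Rewrite A-record answers whose address is the static's public IP to the real IP.
    PTR rdata is a domain name, not an address, so it is never rewritten."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4               # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A and rdlen == 4:
            addr = ".".join(str(b) for b in msg[off:off + 4])
            if addr in nat:
                out[off:off + 4] = bytes(int(x) for x in nat[addr].split("."))
        off += rdlen
    return bytes(out)
```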

cdelafuente31 Wed, 03/10/2010 - 03:22

Hello Federico,

I think the SMTP server is attempting a reverse DNS lookup for its private IP just because of a protocol test.

We've decided to install an internal DNS with our private address to solve this problem.

Thank you very much for the info,
