PIX DNS Reverse lookup

cdelafuente31 (Level 1)

Hello,

A customer of ours has an issue with an e-mail server. It's trying to do a DNS reverse lookup of its private IP address, but it doesn't find it in the DNS server:

192.168.100.9 (Reverse lookup) - error could not reverse lookup 192.168.100.9 in DNS: No PTR record found for domain...

A PIX firewall has a static NAT rule for this server. I've tried to perform DNS doctoring but it doesn't work. I've read that “Therefore, reverse lookups, which request the PTR record, are not affected by DNS rewrite.”

Does someone know how I can fix this?

Regards and thanks in advance.


4 Replies

Hi,

Is the computer trying to perform the reverse DNS lookup on the same interface as the email server, or is it coming from a different interface?

Could you elaborate a bit more on your description of the problem?

Please post the IPs in question and the interfaces associated with the corresponding commands.

Federico.

Sorry Federico,

I didn't explain it well. Our customer has a PIX with a DMZ interface, an inside interface and an outside interface. The SMTP server is connected to the DMZ interface. The SMTP server IP address is 180.190.160.9 (in the near future, they will change this IP to a valid private IP address). And the DNS server is external to the LAN (it is accessed through the outside interface).

The PIX performs static NAT (with DNS doctoring):

static (dmz,outside) SMTPSERVER_public SMTPSERVER_private netmask 255.255.255.255 dns

The SMTP server is trying to perform the reverse DNS lookup of its private IP address, and it gets this message from the external DNS server because the external DNS doesn't have PTRs with this private IP address (it has the public IP addresses):

"192.168.100.9 (Reverse lookup) - error could not reverse lookup 192.168.100.9 in DNS: No PTR record found for domain..."

I've tried with DNS doctoring but it doesn't translate the IP addresses in the PTR records.

Best Regards,

Hi,

When the server tries a reverse DNS lookup for its private IP, the DNS has no information about it (since as you mentioned it only knows about the public IP).

DNS doctoring is, for instance, for when you want your inside LAN to access the SMTP server on the DMZ with its public IP.

So, the DNS resolves the public IP for the SMTP server, but the PIX translates the DNS reply to the real IP of the SMTP server, so the request is forwarded to the DMZ interface and not to the outside.

Why is the SMTP server attempting a reverse DNS lookup for its private IP?

What would you like to do, so we can help you out?

Federico.
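As an added illustration of the point Federico makes (this is not part of the thread and not Cisco code), the following Python model shows what the `dns` keyword on a static translation does to a DNS reply passing through the firewall: an A-record answer carrying the mapped public address is rewritten to the real (private) address, while a PTR answer is a name rather than an address and is passed through unchanged, and a reverse query for the private address that the external DNS does not know simply comes back NXDOMAIN with nothing to rewrite. The hostname `smtp.example.com.` and the public address `203.0.113.9` are constructed placeholders; only `192.168.100.9` comes from the thread.

```python
"""Toy model of firewall DNS rewrite ("DNS doctoring") on DNS wire-format replies.

Constructed example, not Cisco's implementation: it builds minimal DNS
responses, applies the rewrite rule a static NAT with the `dns` keyword
implies, and shows which answers are affected.
"""
import ipaddress
import struct

TYPE_A = 1
TYPE_PTR = 12
CLASS_IN = 1

PRIVATE_IP = "192.168.100.9"   # real address of the SMTP server (from the thread)
PUBLIC_IP = "203.0.113.9"      # assumed placeholder for the static NAT's public side


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a name at `off`; follows compression pointers.
    Returns (name, offset just past the name as it appeared at `off`)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_response(qname: str, qtype: int, rdatas, rcode: int = 0) -> bytes:
    """Build a DNS response: one question, len(rdatas) answers, given RCODE."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(rdatas), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    answers = b""
    for rdata in rdatas:
        payload = ipaddress.IPv4Address(rdata).packed if qtype == TYPE_A else encode_name(rdata)
        # 0xC00C is a pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", qtype, CLASS_IN, 300, len(payload)) + payload
    return header + question + answers


def doctor_response(msg: bytes, public_ip: str, private_ip: str) -> bytes:
    """Rewrite A answers equal to public_ip into private_ip; leave everything
    else (including PTR answers and the question section) untouched."""
    out = bytearray(msg)
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip questions
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an):                                # walk answers
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4 and str(ipaddress.IPv4Address(msg[off:off + 4])) == public_ip:
            out[off:off + 4] = ipaddress.IPv4Address(private_ip).packed
        off += rdlen
    return bytes(out)


def rcode(msg: bytes) -> int:
    """RCODE from the header flags (3 == NXDOMAIN)."""
    return struct.unpack("!H", msg[2:4])[0] & 0xF


def answers(msg: bytes):
    """Parse the answer section into a list of (type, rdata-as-text)."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, result = 12, []
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            result.append((rtype, str(ipaddress.IPv4Address(msg[off:off + 4]))))
        else:
            result.append((rtype, decode_name(msg, off)[0]))
        off += rdlen
    return result


if __name__ == "__main__":
    fwd = build_response("smtp.example.com.", TYPE_A, [PUBLIC_IP])
    print("A reply, doctored :", answers(doctor_response(fwd, PUBLIC_IP, PRIVATE_IP)))
    rev_pub = build_response("9.113.0.203.in-addr.arpa.", TYPE_PTR, ["smtp.example.com."])
    print("PTR reply, doctored:", answers(doctor_response(rev_pub, PUBLIC_IP, PRIVATE_IP)))
    rev_priv = build_response("9.100.168.192.in-addr.arpa.", TYPE_PTR, [], rcode=3)
    print("PTR for private IP :", rcode(doctor_response(rev_priv, PUBLIC_IP, PRIVATE_IP)))
```

The A answer comes back as 192.168.100.9 after rewrite, the PTR answer for the public address is still the hostname, and the reverse query for the private address is NXDOMAIN both before and after the firewall: the rewrite only ever touches address data in A records, so a resolver that must map private addresses back to names needs a DNS server that actually holds those PTR records, which is what the thread ends up doing.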

Hello Federico,

I think the SMTP server is attempting a reverse DNS lookup for its private IP just because of a protocol test.

We've decided to install an internal DNS with our private addresses to solve this problem.

Thank you very much for the info,
