
How to turn off DNS Guard

ciscows
Level 1

I need to turn off DNS Guard to test a theory about reverse lookups not succeeding by outside mail servers. It has been brought to my attention by users that certain mail servers from other companies will perform a reverse lookup on the address sending the mail message. Fine and good; however, we host the primary DNS server behind the firewall (static address and conduit statements) for our domain. For mail servers that are not set up to perform this "check" on mail, mail is delivered. For mail servers that perform reverse lookups, it's not being resolved... thus getting dropped. I have checked this with nslookup internally and externally... it fails every time I perform the reverse lookup externally on my mail server. I believe it is DNS Guard but am not sure how to disable it to test it.

Thanks

4 Replies

mostiguy
Level 6

Your problem is that you are using register.com as your primary DNS. Your on-site DNS server is properly configured. Register.com doesn't know it should be responsible for the reverse DNS zone of 234.197.167.in-addr.arpa. As such, when servers try to query it for reverse DNS lookups, things fail. The only way for servers that check reverse DNS to send y'all mail is if they cannot reach either of RCOM's DNS servers.

I took the liberty of determining that cgtcollege.org is the domain name in question, and that 167.196.234.200 is the DNS server. When I set that to be my DNS server in nslookup:

    server 167.196.234.200
    > 234.196.167.in-addr.arpa.
    Server:  [167.196.234.200]
    Address:  167.196.234.200

    234.196.167.in-addr.arpa
            primary name server = ns1
            responsible mail addr = admin
            serial  = 65
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)

then:

    > server dns21.register.com
    Default Server:  dns21.register.com
    Address:  216.21.234.81

    > 234.196.167.in-addr.arpa.
    Server:  dns21.register.com
    Address:  216.21.234.81

    (root)  nameserver = A.ROOT-SERVERS.NET
    (root)  nameserver = B.ROOT-SERVERS.NET
    (root)  nameserver = C.ROOT-SERVERS.NET
    (root)  nameserver = D.ROOT-SERVERS.NET
    (root)  nameserver = E.ROOT-SERVERS.NET
    (root)  nameserver = F.ROOT-SERVERS.NET
    (root)  nameserver = G.ROOT-SERVERS.NET
    (root)  nameserver = H.ROOT-SERVERS.NET
    (root)  nameserver = I.ROOT-SERVERS.NET
    (root)  nameserver = J.ROOT-SERVERS.NET
    (root)  nameserver = K.ROOT-SERVERS.NET
    (root)  nameserver = L.ROOT-SERVERS.NET
    (root)  nameserver = M.ROOT-SERVERS.NET
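The nslookup session above shows the whole problem in two queries: the on-site server returns an SOA for 234.196.167.in-addr.arpa, while the registrar's server only hands back a root referral, so any outside resolver that starts from the publicly listed nameservers never reaches the PTR records. The script below is an added example, not code from this thread or from Cisco; it turns that manual diagnosis into a repeatable check and also performs the PTR-then-A round trip ("forward-confirmed reverse DNS") that a receiving mail server does. The two nameserver addresses and the reverse zone name come from the thread; the mail server address 167.196.234.201, the hostname mail.cgtcollege.org and all DNS answers are constructed for the example, and the resolver is modelled as a pluggable function so the demo runs offline.

```python
"""Reverse-DNS delegation and FCrDNS checker.

Added example, not code from the forum thread. It reproduces, as a
function, the diagnosis done by hand with nslookup above: ask each
nameserver for the SOA of the reverse (in-addr.arpa) zone, then do the
PTR -> A round trip that a receiving mail server performs.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# A nameserver is modelled as a function (server, qname, qtype) -> rdata
# list, empty when that server has no answer (a root referral, as in the
# thread, counts as "no answer" for this purpose).
Resolver = Callable[[str, str, str], List[str]]

ONSITE_NS = "167.196.234.200"       # on-site primary, from the thread
REGISTRAR_NS = "216.21.234.81"      # dns21.register.com, from the thread
MAIL_IP = "167.196.234.201"         # ASSUMED mail server address (hypothetical)
MAIL_HOST = "mail.cgtcollege.org."  # ASSUMED hostname (hypothetical)


def reverse_name(ip: str) -> str:
    """PTR owner name: 167.196.234.201 -> 201.234.196.167.in-addr.arpa"""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zone(ip: str, prefix: int = 24) -> str:
    """Reverse zone that must be delegated for the block holding `ip`
    (classful /8, /16 or /24): 167.196.234.201 -> 234.196.167.in-addr.arpa"""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    octets = str(net.network_address).split(".")[: prefix // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def sample_zone_data() -> Dict[Tuple[str, str, str], List[str]]:
    """CONSTRUCTED answers modelling the thread's situation: the on-site
    server carries the reverse zone, the registrar's server does not."""
    rz = reverse_zone(MAIL_IP)
    return {
        (ONSITE_NS, rz, "SOA"): ["ns1 admin 65 900 600 86400 3600"],
        (ONSITE_NS, reverse_name(MAIL_IP), "PTR"): [MAIL_HOST],
        (ONSITE_NS, MAIL_HOST, "A"): [MAIL_IP],
        # register.com serves the forward zone only; no SOA/PTR for rz.
        (REGISTRAR_NS, MAIL_HOST, "A"): [MAIL_IP],
    }


def make_resolver(data: Dict[Tuple[str, str, str], List[str]]) -> Resolver:
    def resolve(server: str, qname: str, qtype: str) -> List[str]:
        return list(data.get((server, qname, qtype), []))
    return resolve


def check_reverse_delegation(ip: str, servers: List[str],
                             resolve: Resolver) -> Dict[str, bool]:
    """True for each server that answers an SOA query for the reverse zone.
    A publicly listed server that answers False is the failure mode in
    the thread: outside resolvers stop there and the PTR query never
    reaches the on-site server."""
    zone = reverse_zone(ip)
    return {s: bool(resolve(s, zone, "SOA")) for s in servers}


def fcrdns(ip: str, server: str,
           resolve: Resolver) -> Tuple[bool, Optional[str]]:
    """Forward-confirmed reverse DNS, as a receiving MTA checks it: the PTR
    for `ip` must name a host whose A records include `ip` again."""
    names = resolve(server, reverse_name(ip), "PTR")
    for name in names:
        if ip in resolve(server, name, "A"):
            return True, name
    return False, (names[0] if names else None)


def live_fcrdns(ip: str) -> Tuple[bool, Optional[str]]:
    """Same check against the real system resolver (needs network; not
    used by the offline demo below)."""
    try:
        host, _aliases, _addrs = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return False, None
    try:
        forward = {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return False, host
    return ip in forward, host


if __name__ == "__main__":
    resolve = make_resolver(sample_zone_data())
    print("reverse zone:", reverse_zone(MAIL_IP))
    for srv, ok in check_reverse_delegation(
            MAIL_IP, [ONSITE_NS, REGISTRAR_NS], resolve).items():
        print(f"  {srv}: SOA {'present' if ok else 'MISSING'}")
    print("FCrDNS via on-site NS:  ", fcrdns(MAIL_IP, ONSITE_NS, resolve))
    print("FCrDNS via registrar NS:", fcrdns(MAIL_IP, REGISTRAR_NS, resolve))
```

Run against the constructed data, the delegation check reports the SOA present on 167.196.234.200 and missing on 216.21.234.81, and fcrdns succeeds only through the on-site server, which is exactly what an outside MTA's failing reverse lookup looks like. Two practical caveats: run live_fcrdns (or dig -x) from a host outside the firewall, since an internal test will use the on-site server and always pass; and note that delegation of an in-addr.arpa zone follows the holder of the address block (the ISP or RIR), so having the registrar's servers carry the reverse zone also requires the ISP to point the delegation at servers that actually answer for it.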

You are correct in performing your NSLookups and you are correct regarding the domain name, cgtcollege.org

I will contact Rcom by phone tomorrow as I have logged in to my account for Rcom and there does not appear to be an option to work or set Reverse Lookup zones.

By the way, is there a way to turn off DNS Guard? Just curious, not that it is going to affect my problem...

thanks

Prior to 6.2, there was no way to turn off DNS Guard.

In 6.3 we created a DNS fixup that primarily is used so the PIX will allow DNS packets larger than 512 bytes. You can turn this off (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#1067379) which basically turns off the checking of the length of the packet, but the feature called DNS Guard is still on and, I believe, there is still no way to turn it off.

DNS Guard is basically used so that when DNS packets go through the PIX, the connection and translation that is created for them is torn down as soon as the DNS reply is received. This is because DNS packets are usually one packet out, and one packet in, nothing else, so there's no point tracking the connection and translation of these for the next hour like we would with a standard UDP packet. You really don't want to be able to turn this off.

Given your reason, and after more research last night, I will not turn the checking off. I was grasping at straws over this one.

thanks
