Cisco Support Community

New Member

How to turn off DNS Guard

I need to turn off DNS Guard to test a theory about reverse lookups not succeeding by outside mail servers. It has been brought to my attention by users that certain mail servers from other companies will perform a Reverse Lookup on the address sending the mail message. Fine and good, however, we host the Primary DNS server behind the firewall (static address and conduit statements) for our domain. For mail servers that are not set up to perform this "check" on mail, mail is delivered. For mail servers that perform Reverse Lookups, it's not being resolved...thus getting dropped. I have checked this with NSLookup internally and externally...fails every time when I perform the Reverse Lookup externally on my Mail Server. I believe it is the DNS Guard but not sure how to disable it to test it.



Re: How to turn off DNS Guard

Your problem is that you are using as your primary DNS. Your on-site DNS server is properly configured. doesn't know it should be responsible for the reverse dns zone of As such, when servers try to query it for reverse dns lookups, things fail. The only way for servers who check reverse dns to send y'all mail is if they cannot reach either of RCOM's dns servers.

I took the liberty of determining that is the domain name in question, and that is the dns server. When I set that to be my DNS server in nslookup:

Server: []

primary name server = ns1
responsible mail addr = admin
serial = 65
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

Default Server:

(root) nameserver = A.ROOT-SERVERS.NET
(root) nameserver = B.ROOT-SERVERS.NET
(root) nameserver = C.ROOT-SERVERS.NET
(root) nameserver = D.ROOT-SERVERS.NET
(root) nameserver = E.ROOT-SERVERS.NET
(root) nameserver = F.ROOT-SERVERS.NET
(root) nameserver = G.ROOT-SERVERS.NET
(root) nameserver = H.ROOT-SERVERS.NET
(root) nameserver = I.ROOT-SERVERS.NET
(root) nameserver = J.ROOT-SERVERS.NET
(root) nameserver = K.ROOT-SERVERS.NET
(root) nameserver = L.ROOT-SERVERS.NET
(root) nameserver = M.ROOT-SERVERS.NET
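The check the outside mail servers are performing, as an added Python example that is not part of this thread: a forward-confirmed reverse DNS (PTR then A) lookup run over constructed stub zone data, standing in for what the ISP's nameservers answer. The 192.0.2.x addresses and example.test names are placeholders, not the thread's real values; the live socket-based lookups are optional.

```python
import ipaddress
import socket

# Constructed stand-in for the ISP's reverse zone (the servers outside mail
# servers actually ask). 192.0.2.11 has no PTR at all, which is the thread's
# failure mode; 192.0.2.12 has a PTR whose forward record disagrees.
ISP_PTR_ZONE = {
    "10.2.0.192.in-addr.arpa": ["mail.example.test"],
    "12.2.0.192.in-addr.arpa": ["other.example.test"],
}
# Constructed forward zone served by the on-site (authoritative) DNS server.
FORWARD_ZONE = {
    "mail.example.test": ["192.0.2.10"],
    "other.example.test": ["192.0.2.99"],
}

def reverse_name(ip: str) -> str:
    """PTR owner name for an address, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def fcrdns_check(ip, ptr_lookup, a_lookup):
    """Receiving mail server's view: find the PTR names for the sender IP,
    then confirm at least one of them resolves back to that same IP.
    Returns (verdict, ptr_names) with verdict in {"ok", "no-ptr", "mismatch"}."""
    ptr_names = ptr_lookup(ip)
    if not ptr_names:
        return "no-ptr", []            # nothing served for the reverse zone
    confirmed = [n for n in ptr_names if ip in a_lookup(n)]
    return ("ok" if confirmed else "mismatch"), ptr_names

# Offline stubs over the constructed zones above.
def stub_ptr(ip):
    return ISP_PTR_ZONE.get(reverse_name(ip), [])

def stub_a(name):
    return FORWARD_ZONE.get(name, [])

# Live resolvers using the host's stub resolver (not used by the stand-alone run).
def live_ptr(ip):
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except (socket.herror, socket.gaierror):
        return []

def live_a(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

if __name__ == "__main__":
    for sender in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(sender, fcrdns_check(sender, stub_ptr, stub_a))
```

Swap `live_ptr`/`live_a` in for the stubs to run the same check against real resolvers from outside the firewall, which reproduces the nslookup test in the post above.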

New Member

Re: How to turn off DNS Guard

You are correct in performing your NSLookups and you are correct regarding the domain name,

I will contact Rcom by phone tomorrow as I have logged in to my account for Rcom and there does not appear to be an option to work or set Reverse Lookup zones.

By the way, is there a way to turn off DNS Guard? Just curious, not that it is going to affect my problem...


Cisco Employee

Re: How to turn off DNS Guard

Prior to 6.2, there was no way to turn off DNS Guard.

In 6.3 we created a DNS fixup that primarily is used so the PIX will allow DNS packets larger than 512 bytes. You can turn this off ( which basically turns off the checking of the length of the packet, but the feature called DNS Guard is still on and, I believe, there is still no way to turn it off.

DNS Guard is basically used so that when DNS packets go through the PIX, the connection and translation that is created for them is torn down as soon as the DNS reply is received. This is because DNS packets are usually one packet out, and one packet in, nothing else, so there's no point tracking the connection and translation of these for the next hour like we would with a standard UDP packet. You really don't want to be able to turn this off.

New Member

Re: How to turn off DNS Guard

Given your reason and after more research last night, I will not turn the checking off. I was grasping at straws over this one,

