
Ports needed for setting up DNS server in DMZ

byronzhu
Level 1

I have opened both TCP/UDP port 53 inbound and outbound, but I'm seeing this error in the log:

Deny udp src outside:65.216.72.15/53 dst dmz1:192.x.x.x/1028 by access-group "acl_out"

What am I doing wrong? TIA!

5 Replies

l.mourits
Level 5

Hard to say without seeing your config, but if it says that it is denied by acl_out, then acl_out is most likely bound to the outside interface and it does not permit the udp to the dns server.

Can you post more detail, if possible.

Kind Regards,

Leo

jmia
Level 7

Hi -

Looks like you've got an ACL problem. Did you do the command 'clear xlate' and the command 'write memory'? If possible, can you post your PIX config? Remember to exclude sensitive info, like passwords and inside IPs.

Thanks - Jay

Here are the commands added for the DNS server. Most of the time DNS resolves fine, but sometimes it times out. Then the deny shows in the log. My guess is that when a DNS query is made, the DNS root (?) that was supposed to answer timed out, so another server answers on behalf of the original root server (a new connection is made).

Deny tcp src outside:216.239.183.2/53 dst dmz1:192.168.2.1/1028 by access-group "acl_out"

Notice the source port and destination port.

static (dmz1,outside) 192.168.2.1 192.168.1.1 netmask 255.255.255.255

--outbound--

access-list acl_dmz1 permit udp host 192.168.1.1 any eq domain

access-list acl_dmz1 permit tcp host 192.168.1.1 any eq domain

--inbound--

access-list acl_out permit udp any host 192.168.2.1 eq domain

access-list acl_out permit tcp any host 192.168.2.1 eq domain

Are these the only two lines in acl_out?

(I don't think so)

If the acl_out access-list contains another line (preceding these two lines) that denies the packet, then the packet is dropped, although these lines say it is permitted. ACLs are processed on a first-match basis. So, check your whole acl_out access-list and see if there is a line which denies ip or udp/tcp 53 traffic to 192.168.2.1.

If there is, then rewrite your acl_out so that the lines which permit the traffic precede the deny rules, then it works.

This could be causing your problem.

Let us know if it is.

Kind Regards,

Leo
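The two things this thread turns on, the PIX "Deny ... by access-group" log format posted above and Leo's point that an access-list is evaluated first-match with an implicit deny at the end, can be checked offline. The script below is an added example, not code from the thread or from Cisco: it parses a deny log line and the posted acl_out lines, then walks the ACL in order to report which line (if any) decided the packet. It models only the address/port subset of PIX access-list syntax (any, host, network/mask, and eq with a port number or the keyword domain); the "shadowed" ACL variant and the second log line are constructed to illustrate Leo's scenario and are not from the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of PIX port keywords; only 'domain' is needed for the thread's lines
PORT_NAMES = {"domain": 53, "www": 80, "https": 443}


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    acl: str  # access-group named in the log line


# PIX/ASA style: Deny udp src outside:A.B.C.D/sport dst dmz1:E.F.G.H/dport by access-group "name"
LOG_RE = re.compile(
    r'^Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_deny_log(line: str) -> Optional[Packet]:
    """Return the packet described by a deny log line, or None if it does not parse
    (e.g. a redacted address such as 192.x.x.x)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Packet(m["proto"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"]), m["acl"])


@dataclass
class AclEntry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]
    text: str


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' following an address spec."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl_line(line: str) -> AclEntry:
    # access-list NAME ACTION PROTO SRC [eq P] DST [eq P]
    t = line.split()
    assert t[0] == "access-list", line
    action, proto = t[2], t[3]
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return AclEntry(action, proto, src, sport, dst, dport, line.strip())


def entry_matches(e: AclEntry, p: Packet) -> bool:
    if e.proto not in ("ip", p.proto):
        return False
    if ipaddress.ip_address(p.src_ip) not in e.src or ipaddress.ip_address(p.dst_ip) not in e.dst:
        return False
    if e.src_port is not None and e.src_port != p.src_port:
        return False
    if e.dst_port is not None and e.dst_port != p.dst_port:
        return False
    return True


def evaluate(acl: List[AclEntry], p: Packet) -> Tuple[str, Optional[str]]:
    """First-match evaluation; a PIX access-list ends with an implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action, e.text
    return "deny", None


def check(acl_lines: List[str], log_line: str) -> Tuple[str, Optional[str]]:
    pkt = parse_deny_log(log_line)
    if pkt is None:
        raise ValueError("log line did not parse: " + log_line)
    return evaluate([parse_acl_line(l) for l in acl_lines], pkt)


# acl_out exactly as posted in the thread
ACL_OUT_POSTED = [
    "access-list acl_out permit udp any host 192.168.2.1 eq domain",
    "access-list acl_out permit tcp any host 192.168.2.1 eq domain",
]
# Constructed variant of Leo's scenario: a broader deny placed first shadows the permits
ACL_OUT_SHADOWED = ["access-list acl_out deny ip any host 192.168.2.1"] + ACL_OUT_POSTED

# The deny line from the thread (a response from source port 53 to the server's port 1028)
DENY_LOG = 'Deny tcp src outside:216.239.183.2/53 dst dmz1:192.168.2.1/1028 by access-group "acl_out"'
# Constructed: an inbound query to the DMZ server, the traffic the posted lines are meant to allow
QUERY_LOG = 'Deny udp src outside:203.0.113.10/40000 dst dmz1:192.168.2.1/53 by access-group "acl_out"'

if __name__ == "__main__":
    for acl, log in [(ACL_OUT_POSTED, DENY_LOG), (ACL_OUT_POSTED, QUERY_LOG), (ACL_OUT_SHADOWED, QUERY_LOG)]:
        print(check(acl, log))
```

Run against the posted lines, the logged packet matches neither permit: `eq domain` after the destination restricts the destination port to 53, and the logged packet's destination port is 1028, so the evaluator falls through to the implicit deny. The constructed query packet (destination port 53) is permitted by the first posted line, but is denied by the preceding line in the shadowed variant, which is exactly the ordering problem Leo describes. An ACL evaluator deliberately says nothing about the connection state the PIX keeps for an earlier outbound query; that is the other variable in this thread and has to be read from the box itself.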

If it is coming in tcp/udp port 53, it's not being denied. Like I say, DNS resolves most of the time.