RE: Windows Server 2003 DNS behind a Cisco PIX firewall... help!




First, sorry for bad English.

> The good news:
> - Users outside on the public internet can see our servers just fine.
This looks like it should be.


> The bad news:
> 1. My secondary DNS server can not load the zone information from the
> primary, though they are on the same DMZ subnet together.

To fix this, you probably need to do the following:
- configure both server boxes with a secondary IP equal to their “white”
(Internet) IP
- ensure that in the DNS options “listen on all IP addresses” is set
- configure and enable zone transfer and notifications

However, this configuration looks strange and will probably produce warnings on
the PIX. But I can’t see any way to overcome this:
> 5. The primary DNS has A records that map hostnames to the public IP of all
> of the servers.

This causes both servers to be unable to find themselves, as they have different real
and DNS IPs.

> 2. Our PIX 515E has six interfaces - Outside (0), DMZ (25), Learning (50),
> Admin (75) and Inside (100), where the number in parentheses indicates the
> relative security of the subnet, 100 being most secure. The problem - PCs in
> the DMZ, Learning, Admin and Inside can not "see" other servers in our
> network, even if they are in the same subnet as the server.

What IP is set as the DNS IP on all of these PCs? If external (“white”), it
should be so, as configured. If the DNS servers are accessed by internal (“gray”) IP,
check the access rules or NAT translation on the PIX; can you, for example, ping the
DNS boxes by “gray” IP from any of the internal networks?

> For 1., I'm really stumped. Is it a contradiction to have a DNS server
> computer with a private 192.168.xxx.xxx IP address in a DMZ that contains NS
> records for itself that call out public IP's? This seems to work for users
> on the public internet....

As for me, I prefer to configure the DMZ with “white” addresses and configure
“nat 0 access-list” or just “nat 0” on the PIX to use access rules instead of
NATting. This simplifies inside and outside access to the DMZ, but it has
some disadvantages:
- You need one “white” IP per box. There is no way to map, on one IP, for example,
port 80 to one server box and port 25 to another
- You can’t use the first and last address of your routed subnet for servers,
and you also lose one “white” IP for the PIX DMZ interface, 3 IPs in total.
- You also need one /252 (or more) network on the external interface (however,
it may be “gray”), to transit your routed net from the ISP to the PIX
- Some PIX options stop working, for example, limiting the number of
connections to a host

> For 2., I think I have two options -
> - Create a split DNS structure for our domain, where one primary/secondary
This SHOULD be done, unless you want to show all your internal network to
external users, which is a security issue and confusing, if an address resolves
to 192.168.x.x. :)
> - The other option seems to be to use Cisco's "alias" command in the PIX
> that does "DNS Doctoring." Essentially, it seems to intercept and modify the
> response from the DNS server, subsituting the private 192.168.xxx.xxx IP for
> the public IP for client PCs inside our network.

O! This is an idea! I read the PIX documentation and found this (from IOS v.
6.2 and up):
“We recommend using static outside NAT instead of the alias command because
it allows the isolation of address translation between two interfaces and
optionally supports rewriting of DNS address resource records.”

So, maybe all that you should do is to correct (5), i.e. change the NS and
A addresses of both DNS servers back to “gray” 192.168.x.x, configure all internal
and DMZ servers to use these addresses and let the PIX DNS fixup correct them to
“white” ones for Internet-sourced requests (you need to NAT, not PAT, the DNS
servers for this to work). For more information, better consult the PIX documentation;
I am not as deep in Cisco devices as I want to be :)
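The A-record rewriting that the PIX documentation calls DNS doctoring, as an added illustration that is not part of this thread and not Cisco's code: a minimal parser walks a DNS response and swaps A-record addresses according to a static NAT map, so you can see exactly which bytes the fixup changes and that names, TTLs and the header stay untouched. The public address 203.0.113.10 and its mapping to 192.168.1.10 are constructed sample values.

```python
import struct
import ipaddress

def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
def build_response(name: str, ip: str, txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Build a minimal DNS response (constructed test data): one question, one A answer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA; 1 QD, 1 AN
    question = _encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN
    answer = (b"\xc0\x0c"                                        # name: pointer to offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)               # TYPE A, CLASS IN, TTL, RDLEN
              + ipaddress.IPv4Address(ip).packed)
    return header + question + answer

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:                    # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def _a_record_offsets(msg: bytes):
    """Yield the rdata offset of every IN A record in the answer/authority/additional sections."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen

def a_records(msg: bytes) -> list:
    """List the IPv4 addresses carried in A records, in wire order."""
    return [str(ipaddress.IPv4Address(msg[o:o + 4])) for o in _a_record_offsets(msg)]

def doctor_dns_response(msg: bytes, nat: dict) -> bytes:
    """Rewrite A rdata found in `nat` (white -> gray for inside clients; invert the map for the other direction)."""
    out = bytearray(msg)
    for o in _a_record_offsets(msg):
        addr = str(ipaddress.IPv4Address(msg[o:o + 4]))
        if addr in nat:
            out[o:o + 4] = ipaddress.IPv4Address(nat[addr]).packed
    return bytes(out)
```

Feed `doctor_dns_response` the reply bytes and a map in either direction; addresses not in the map pass through unchanged, which is also why the fixup only helps for servers with a one-to-one static NAT entry.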
