[fw-wiz] PIX, DNS fixups and Zone Transfers

From: Bruce Smith (bruce_the_loon_at_worldonline.co.za)
Date: 05/26/03

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 26 May 2003 21:55:50 +0200


    We've recently implemented a PIX (6.3) firewall setup, resulting in two DNS
    servers that were previously exposed in the outside network being moved
    behind the PIX into the DMZ, and getting 2 new IP addresses, eg
    to We mapped the original IP on the outside to the new IP on
    the DMZ via static commands and the proxy arp bits. On the DNS servers, the
    IPs referred to in the forward and reverse zones were changed to match
    the current setup so that lookups by machines on the DMZ would work fine. So
    far so good. DNS fixup handles the translation of DNS lookups from outside

    Thus arises our problem. Our DNS zones have one primary and 4 secondaries,
    three of which are on separate sites and continents. Now when they do a zone
    transfer of our zones, the mapped IP addresses are NOT changed in the zone,
    so looking up on those zones brings up the new IP address, not the old. That
    IP isn't visible on the 'Net. We hacked around the problem by giving each
    machine two names, eg dns1.domain.com and dns1r.domain.com. dns1.domain.com,
    the address known to the world at large, maps to the old IP.
    dns1r.domain.com is the new one. By some careful juggling of several crates
    of eggs, this is working, for the moment. However it is a precarious
    position to be in.

    As far as I can tell, I'll have to begin the laborious process of changing
    our DNS by exposing the new IP directly, while still listening on the old
    one via alias or something, and then getting hold of our secondaries and
    having them change the slave zones. Once all that is up and running, we have
    to let the parent zones for our domains know about the new IPs so they can
    hand off properly. And not to mention getting the domains we are secondaries
    for to update their stuff.

    So in quiet desperation, does anyone have a better idea of how to fix this
    situation? Is there a PIX switch I missed? A zone transfer fixup? Or should
    I place our DNS's outside the firewall and hope they're as hard as we think
    they are?

    Thanks in advance for any ideas and comments you may have. If I gave you a
    headache with this email, it can't cut close to the one this problem has
    given us.

    Bruce A Smith
    Internet Services Administrator
    PE Technikon
    South Africa.

    firewall-wizards mailing list
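The problem the post describes, modelled as a small audit script (an added example, not code from the poster or from Cisco): the PIX static translation plus DNS fixup rewrites the DMZ address to the public one in answers to lookups that pass through the firewall, but a zone transfer copies the zone's A records to the secondaries unchanged, so the secondaries answer with the DMZ address. The script models the fixup rewrite as `translate()` and then checks what each server serves against the static map, flagging any server that still hands out a DMZ or RFC 1918 address for a public name. The static map, the host names and the per-server answers are constructed sample values, not the poster's real addresses.

```python
"""Audit which authoritative servers hand out DMZ addresses for public names.

Constructed example: the static map, names and answers below are sample
data, not the addresses from the original post.
"""
import ipaddress

# Constructed static mapping: DMZ (inside) address -> public address that the
# PIX presents on the outside interface.
STATIC_MAP = {
    "192.0.2.10": "198.51.100.10",  # dns1
    "192.0.2.11": "198.51.100.11",  # dns2
}

# Constructed answers: the A record each authoritative server returns per name.
# The primary is reached through the PIX, so its answers are rewritten by the
# DNS fixup. The secondaries loaded the zone by AXFR, which is not rewritten,
# so they still carry the DMZ addresses (secondary2 was partly fixed by hand).
ANSWERS = {
    "primary": {"dns1.example.com": "198.51.100.10",
                "dns2.example.com": "198.51.100.11"},
    "secondary1": {"dns1.example.com": "192.0.2.10",
                   "dns2.example.com": "192.0.2.11"},
    "secondary2": {"dns1.example.com": "192.0.2.10",
                   "dns2.example.com": "198.51.100.11"},
}

# Explicit RFC 1918 networks rather than ipaddress.is_private, because the
# documentation ranges used in the sample data are also flagged as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(address):
    """True if the address falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def translate(records, static_map):
    """Model of what the DNS fixup does to a lookup reply: rewrite every A record
    whose RDATA is a DMZ address to the public address from the static map.
    Records that are not in the map are passed through unchanged."""
    return {name: static_map.get(addr, addr) for name, addr in records.items()}


def audit(answers, static_map):
    """Check every server's answers and return {server: [(name, served, expected, reason)]}
    for records that expose a DMZ address or an RFC 1918 address.
    Servers with no findings are absent from the result."""
    findings = {}
    for server, records in answers.items():
        for name, addr in sorted(records.items()):
            if addr in static_map:
                reason = "DMZ address served unchanged (e.g. copied by zone transfer)"
                findings.setdefault(server, []).append((name, addr, static_map[addr], reason))
            elif is_rfc1918(addr):
                findings.setdefault(server, []).append((name, addr, None, "RFC 1918 address"))
    return findings


def report(findings):
    """Render the findings as one line per problem record."""
    lines = []
    for server, items in sorted(findings.items()):
        for name, served, expected, reason in items:
            want = f", expected {expected}" if expected else ""
            lines.append(f"{server}: {name} -> {served}{want} ({reason})")
    return "\n".join(lines) if lines else "all servers serve public addresses"


if __name__ == "__main__":
    print(report(audit(ANSWERS, STATIC_MAP)))
```

In practice the `ANSWERS` dictionary would be filled by querying each NS listed for the zone directly (a `dig @server name A` per name), since asking a recursive resolver hides which authoritative server produced the answer; the point of the check is that every authoritative server, not just the one behind the firewall, must return the public address.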
