Re: [fw-wiz] PIX, DNS fixups and Zone Transfers

From: Barney Wolff (
Date: 05/27/03

    To: Bruce Smith <>
    Date: Tue, 27 May 2003 10:36:22 -0400

    On Mon, May 26, 2003 at 09:55:50PM +0200, Bruce Smith wrote:
    > We've recently implemented a PIX (6.3) firewall setup, resulting in two DNS
    > servers that were previously exposed in the outside network being moved
    > behind the PIX into the DMZ, and getting 2 new IP addresses, eg
    > to We mapped the original IP on the outside to the new IP on
    > the DMZ via static commands and the proxy arp bits. On the DNS servers, the
    > IP's referred to in the forward and reverse zones were changed to match
    > the current setup so that lookups by machines on the DMZ would work fine. So
    > far so good. DNS fixup handles the translation of DNS lookups from outside
    > perfectly.
    > Thus arises our problem. Our DNS zones have one primary and 4 secondaries,
    > three of which are on separate sites and continents. Now when they do a zone
    > transfer of our zones, the mapped IP addresses are NOT changed in the zone,
    > so looking up on those zones brings up the new IP address, not the old. That
    > IP isn't visible on the 'Net. We hacked around the problem by giving each
    > machine two names, eg and,
    > the address known to the world at large, maps to the old IP.
    > is the new one. By some careful juggling of several crates
    > of eggs, this is working, for the moment. However it is a precarious
    > position to be in.

    Since NAT actually adds no security, I'd put the nameservers on a DMZ
    of their own and not NAT between them and the Internet. For internal
    lookups, I'd use separate internal servers that forward to the DMZ
    servers for non-internal domains. Or use views to cause the DMZ servers
    to return different answers for queries from inside. You can still
    NAT between inside and outside if management insists.

    Your nameservers should not be outside the firewall; at least protect
    them with ACLs that allow only UDP+TCP to port 53 and nothing else.
    Honor zone transfer requests only from your known secondaries.
    Allow recursive lookups only from inside hosts.

    Barney Wolff
    I'm available by contract or FT, in the NYC metro area or via the 'Net.
    firewall-wizards mailing list
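
The "views" approach Barney suggests, sketched as a BIND 9 named.conf added here for illustration (not configuration from either poster). It assumes placeholder addresses from the RFC 5737 documentation ranges and a hypothetical zone "example.com": inside and DMZ hosts get the DMZ addresses and recursion, while the Internet (including the remote secondaries) sees only the public pre-NAT addresses, so zone transfers carry the right records.

```conf
// Added example, not from the original thread. All addresses, ACL names and
// file paths are placeholders (RFC 5737 ranges), not the poster's real values.

acl "inside"      { 10.0.0.0/8; 192.168.0.0/16; };   // internal clients (assumed)
acl "dmz"         { 192.0.2.0/24; };                  // DMZ subnet (assumed)
acl "secondaries" { 198.51.100.53; 203.0.113.53; };   // known secondary NS (assumed)

options {
    directory "/var/named";
    recursion no;                 // default: no open recursion
    allow-query { any; };
    allow-transfer { none; };     // default deny; re-enabled per zone below
    version "not disclosed";      // don't answer CHAOS version.bind
};

// Internal view: inside hosts and the DMZ see the DMZ addresses and may use
// this server as a recursive resolver. Nobody gets AXFR from this view.
view "internal" {
    match-clients { inside; dmz; localhost; };
    recursion yes;
    allow-recursion { inside; dmz; localhost; };
    allow-transfer { none; };
    zone "example.com" {
        type master;
        file "internal/example.com.db";   // A records point at 192.0.2.x (DMZ)
    };
};

// External view: everyone else sees only the public addresses, gets no
// recursion, and only the listed secondaries may pull the zone.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    zone "example.com" {
        type master;
        file "external/example.com.db";   // A records hold the public IPs
        allow-transfer { secondaries; };
        also-notify { 198.51.100.53; 203.0.113.53; };
    };
};
```

Check the result from an inside host and from an outside vantage point: the same name should resolve to the DMZ address in one case and the public address in the other, and an AXFR attempt from any address not in "secondaries" should be refused.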
