Mailing List Archive

[nsp] PIX deny UDP
Hi,

In order to allow external hosts to reach my DNS server, I added these few lines on the PIX (515, IOS 6.2(1)):

conduit permit udp host 10.10.10.1 eq 53 any
conduit permit udp host 10.10.10.1 any eq 53

When I send a DNS request from an internal host, without passing through the PIX, it works fine.

But when I send a DNS request from an external host, it has to pass through the PIX and it fails.
The host does not receive any answer before its timeout (5 sec), although the UDP timeout on the PIX has been set to 2 min.

I got the following log message from the PIX:

%PIX-2-106007: Deny inbound UDP from 192.168.1.1/4168 to 10.10.10.1/53 due to DNS Query

When I run tcpdump on the DNS server, I see no trace of any incoming packets, so I conclude that the PIX is stopping this traffic.

Why is the PIX behaving this way?

If anyone has an idea to share, it is very welcome.

Thank you.

Regards,

Christophe
------------------------------------------

Make a wish and then Voila! www.voila.fr
RE: [nsp] PIX deny UDP [ In reply to ]
Is 10.10.10.1 statically translated from inside to outside?

-anchi

-----Original Message-----
From: odusseus [mailto:odusseus@voila.fr]
Sent: Monday, October 14, 2002 6:52 AM
To: cisco-nsp
Subject: [nsp] PIX deny UDP


_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [nsp] PIX deny UDP [ In reply to ]
Hello...

You might want to add TCP as well, as DNS uses both UDP and TCP:

conduit permit udp host 10.10.10.10 eq 53 any
conduit permit tcp host 10.10.10.10 eq 53 any


It also helps if you post the real addresses. Then others could actually
make queries and respond with a more informed answer.

On Mon, 2002-10-14 at 04:41, odusseus wrote:
--
Christopher McCrory
"The guy that keeps the servers running"

chrismcc@pricegrabber.com
http://www.pricegrabber.com

Let's face it, there's no Hollow Earth, no robots, and
no 'mute rays.' And even if there were, waxed paper is
no defense. I tried it. Only tinfoil works.
Re: [nsp] PIX deny UDP [ In reply to ]
Actually, by default the PIX does somewhat "stateful" UDP connections. If
you have an outgoing DNS query, it will keep the outgoing UDP connection
in its state table and allow *1* corresponding packet back through, as long
as it is going from a higher security interface to a lesser one. I believe
DNS is one of the fixup protocols by default.

If you are going from an interface with lesser security, you will need
either a conduit (old) or an access-list, provided there is no NAT; in
that case you would also need a static translation.

53/TCP is only for zone transfers, not lookups.

Jarrod

On 14 Oct 2002, Christopher McCrory wrote:

:Hello...
:
:you might want to add tcp also as DNS uses both udp and tcp
:
:conduit permit udp host 10.10.10.10 eq 53 any
:conduit permit tcp host 10.10.10.10 eq 53 any
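Anchi's question (is 10.10.10.1 statically translated?), Jarrod's explanation (inbound from a lower-security interface needs a conduit or access-list, plus a static when NAT is in use) and McCrory's suggestion to permit TCP too come down to a few checks a practitioner runs against the PIX config before trusting a conduit. The Python below is an added example, not code from the thread or from Cisco: it parses the %PIX-2-106007 line quoted in the original post, reads `static` and `conduit permit` lines from two constructed PIX 6.x config fragments (one shaped like the original post's, one with a static and a tcp/53 conduit), and reports what the config lacks for that deny. The global address 192.0.2.53, the `nat`/`global` lines, and the assumption that NAT is in use on the inside are mine; for the fixed case the deny line is rewritten to the global address, since that is what an outside host would be sending to. The regex keeps the reason field ("DNS Query"), which is what tells you the packet went through DNS inspection rather than an ordinary UDP check.

```python
"""Check a PIX 106007 deny against the conduits and statics in its config.

Constructed input only: the deny line copies the format quoted in the thread;
the two config fragments below are made up for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DENY_RE = re.compile(
    r"%PIX-\d-106007: Deny inbound (?P<proto>\w+) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"due to (?P<reason>.+?)\s*$"
)


@dataclass
class Deny:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    reason: str  # e.g. "DNS Query": the packet was classified by DNS inspection


@dataclass
class Conduit:
    proto: str
    global_ip: str               # "any" or the global (outside-visible) address
    global_port: Optional[int]   # port on the protected host, if given
    foreign_ip: str
    foreign_port: Optional[int]  # source port on the outside host, if given


def parse_deny(line: str) -> Optional[Deny]:
    """Parse one 106007 syslog line; anything else yields None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return Deny(m["proto"].lower(), m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]), m["reason"])


def _addr_and_port(tokens: List[str]) -> Tuple[str, Optional[int], List[str]]:
    """Consume 'host A' | 'any' | 'A MASK', then an optional 'eq N'."""
    if tokens[0] == "host":
        ip, tokens = tokens[1], tokens[2:]
    elif tokens[0] == "any":
        ip, tokens = "any", tokens[1:]
    else:
        ip, tokens = tokens[0], tokens[2:]   # address + mask; mask not needed here
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = int(tokens[1]), tokens[2:]
    return ip, port, tokens


def parse_config(text: str) -> Tuple[Dict[str, str], List[Conduit]]:
    """Collect 'static (in,out) GLOBAL LOCAL ...' and 'conduit permit ...' lines."""
    statics: Dict[str, str] = {}   # global address -> inside address
    conduits: List[Conduit] = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static":
            statics[t[2]] = t[3]
        elif t[:2] == ["conduit", "permit"]:
            gip, gport, rest = _addr_and_port(t[3:])
            fip, fport, _ = _addr_and_port(rest)
            conduits.append(Conduit(t[2], gip, gport, fip, fport))
    return statics, conduits


def diagnose(deny: Deny, statics: Dict[str, str], conduits: List[Conduit]) -> List[str]:
    """Findings for one deny; assumes NAT is in use, so inbound needs a static."""
    def permits(c: Conduit, proto: str, port: int) -> bool:
        return (c.proto == proto
                and c.global_ip in ("any", deny.dst)
                and c.global_port in (None, port)
                and c.foreign_port in (None, deny.sport))

    findings = []
    if not any(permits(c, deny.proto, deny.dport) for c in conduits):
        findings.append(f"no conduit permits {deny.proto}/{deny.dport} to {deny.dst}")
    if deny.dst not in statics:
        findings.append(f"{deny.dst} is not the global address of any static; "
                        "a conduit names the translated address")
    if deny.dport == 53 and not any(permits(c, "tcp", 53) for c in conduits):
        findings.append(f"tcp/53 to {deny.dst} is not permitted; answers over "
                        "512 bytes and zone transfers fall back to TCP")
    return findings


# Constructed config in the shape of the original post: the conduits name the
# inside address and nothing maps it to the outside.
BROKEN_CONFIG = """
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
global (outside) 1 192.0.2.10
conduit permit udp host 10.10.10.1 eq 53 any
conduit permit udp host 10.10.10.1 any eq 53
"""

# Constructed fix: a static for the DNS server, conduits on its global
# address (192.0.2.53 is made up), and tcp/53 permitted as well.
FIXED_CONFIG = """
static (inside,outside) 192.0.2.53 10.10.10.1 netmask 255.255.255.255 0 0
conduit permit udp host 192.0.2.53 eq 53 any
conduit permit tcp host 192.0.2.53 eq 53 any
"""

# The deny line quoted in the original post.
SAMPLE_DENY = ("%PIX-2-106007: Deny inbound UDP from 192.168.1.1/4168 "
               "to 10.10.10.1/53 due to DNS Query")


def check(config: str, deny_line: str) -> List[str]:
    """Parse both inputs and return the list of findings (empty means nothing missing)."""
    deny = parse_deny(deny_line)
    if deny is None:
        raise ValueError("not a 106007 deny line")
    statics, conduits = parse_config(config)
    return diagnose(deny, statics, conduits)
```

Running `check(BROKEN_CONFIG, SAMPLE_DENY)` reports the missing static and the missing tcp/53 conduit; `check(FIXED_CONFIG, SAMPLE_DENY.replace("10.10.10.1", "192.0.2.53"))` reports nothing. The parser only understands the `host`, `any` and address/mask forms of `conduit permit` and ignores masks, which is enough for the single-host case in the thread.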
Re: [nsp] PIX deny UDP [ In reply to ]
* jarrod@advmed.com (Jarrod Baumann) [Mon 14 Oct 2002, 16:28 CEST]:
> 53/TCP is only for zone transfers, not lookups.

Incorrect. Resolver libraries should fall back to TCP when UDP doesn't
work, for example when the answer is too large to fit in the 512 bytes
a UDP DNS packet can be.

Yes, AXFRs are one of the situations where the answer is likely to
exceed 512 bytes, but if you want to see something funny as an
illustration to my point, try:

% dig ptr 42.220.218.216.in-addr.arpa @216.218.132.2

Regards,


-- Niels.

Re: [nsp] PIX deny UDP [ In reply to ]
Hi,

On Mon, Oct 14, 2002 at 09:22:24AM -0500, Jarrod Baumann wrote:
> 53/TCP is only for zone transfers, not lookups.

... or for lookups that need to return data chunks bigger than what
fits into a UDP packet. Seldom used, but legal.

gert
--
USENET is *not* the non-clickable part of WWW!
http://www.muc.de/~gert/
Gert Doering - Munich, Germany gert@greenie.muc.de
fax: +49-89-35655025 gert.doering@physik.tu-muenchen.de
RE: [nsp] PIX deny UDP [ In reply to ]
53/TCP can also be used for lookups, but this is not commonly used.

FYI.

--D

-----Original Message-----
From: cisco-nsp-admin@puck.nether.net
[mailto:cisco-nsp-admin@puck.nether.net] On Behalf Of Jarrod Baumann
Sent: Monday, October 14, 2002 6:22 AM
To: cisco-nsp
Cc: odusseus
Subject: Re: [nsp] PIX deny UDP

53/TCP is only for zone transfers, not lookups.

Jarrod
