>I have succeeded in maybe creating my firewall too tight. I am
>using a cisco 4500 (Version 10.3 code) with packet filtering in and out. I can
>DNS query the Internet fine, FTP, send mail from my mail server etc. The problem
>is MCI says they cannot DNS query my name server. My inbound access-list
>allows both UDP and TCP from any host on the internet to my name server on port
>53. It also allows tcp from any host to my nameserver established.
>access-list 101 permit udp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 eq 53
>access-list 101 permit tcp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 eq 53
>access-list 101 permit tcp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 established
It looks like this is the inbound filter and you didn't include the outbound
filter, but I'd say that's where your problem is. You're probably getting the
queries in, but not letting the responses back out. Responses out will be to
port 53 if from another server, or to a random high port (1024-65535) if from a
resolver. You'll need to add something like this to your outbound filters:
access-list 102 permit udp 205.138.144.36 0.0.0.0 0.0.0.0 255.255.255.255 eq 53
access-list 102 permit udp 205.138.144.36 0.0.0.0 0.0.0.0 255.255.255.255 gt 1023
You may have some security concerns with this as well, which can be resolved
using nameservers both inside and outside the firewall (see Cheswick et al for
details) although this is not strictly necessary.
By the way, DNS only uses TCP for zone transfers, so unless you are running a
secondary nameserver on the other side of your firewall, you do not need (or
want) the permit TCP lines in the filter.
Feel free to mail me offline if you have other questions. We've been using
packet filtering firewalls here for several years.
Dave
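To make the point of the reply concrete, here is a small access-list evaluator added as an example (it is not part of the original thread and is not Cisco code). It parses the exact access-list syntax quoted above, Cisco wildcard masks included, and runs a resolver's UDP query and the server's reply through the inbound and outbound filters; the client address 10.1.2.3 and port 40123 are constructed sample values.

```python
import ipaddress

def _match_ip(addr, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "don't care", a 0 bit means "must match"
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC SWILD DST DWILD [eq|gt|lt PORT] [established]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(line)
    ace = {"action": t[2], "proto": t[3], "src": (t[4], t[5]), "dst": (t[6], t[7]),
           "op": None, "port": None, "established": False}
    rest = t[8:]                       # port operator and/or 'established', as on the page
    while rest:
        tok = rest.pop(0)
        if tok in ("eq", "gt", "lt"):
            ace["op"], ace["port"] = tok, int(rest.pop(0))
        elif tok == "established":
            ace["established"] = True
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return ace

def evaluate(acl_lines, pkt):
    """First matching entry wins; an ACL with no match ends in the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != pkt["proto"]:
            continue
        if not (_match_ip(pkt["src"], *ace["src"]) and _match_ip(pkt["dst"], *ace["dst"])):
            continue
        if ace["op"] == "eq" and pkt["dport"] != ace["port"]:
            continue
        if ace["op"] == "gt" and not pkt["dport"] > ace["port"]:
            continue
        if ace["op"] == "lt" and not pkt["dport"] < ace["port"]:
            continue
        if ace["established"] and not pkt.get("ack"):   # 'established' = ACK or RST set
            continue
        return ace["action"]
    return "deny"

# The inbound list from the question (typos corrected) and the outbound lines Dave suggests.
INBOUND_101 = [
    "access-list 101 permit udp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 eq 53",
    "access-list 101 permit tcp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 eq 53",
    "access-list 101 permit tcp 0.0.0.0 255.255.255.255 205.138.144.36 0.0.0.0 established",
]
OUTBOUND_102_FIXED = [
    "access-list 102 permit udp 205.138.144.36 0.0.0.0 0.0.0.0 255.255.255.255 eq 53",
    "access-list 102 permit udp 205.138.144.36 0.0.0.0 0.0.0.0 255.255.255.255 gt 1023",
]

def dns_udp_exchange(inbound, outbound, client_ip, client_port):
    """Verdicts for (query into the nameserver, reply back out to the client)."""
    query = dict(proto="udp", src=client_ip, sport=client_port, dst="205.138.144.36", dport=53)
    reply = dict(proto="udp", src="205.138.144.36", sport=53, dst=client_ip, dport=client_port)
    return evaluate(inbound, query), evaluate(outbound, reply)
```

With an empty outbound list the query is permitted but the reply is dropped, which is exactly the symptom MCI reports; with the two outbound lines both a resolver's reply (high port) and a server-to-server reply (port 53) pass.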