web server / firewall / dns question


Andrew

Here is the scenario:

We have a PIX firewall with 3 interfaces. The web server
sits on the DMZ. I set up a DNS server on the dirty DMZ
(outside the PIX). Three DNS names maintained by our ISP
point to the DNS server on the outside DMZ. I need to set
up that server to point those requests to the web server
on the DMZ, but I'm not sure how to do that. The DNS
server is not a member of our internal domain for obvious
security reasons. Do I need to have DNS installed on our
web server to accomplish this? Will someone explain to me
what I need to do? Thanks.
 
Hello Andrew,

If you have registered your domain names with Network Solutions
to be pointing to your DNS Server as the authoritative name server,
then you will have to create the forward lookup zones on the DNS
Server in the dirty DMZ.

There is no need to install DNS on the Web Server.

The following article should help you with this:

315982 HOW TO: Configure DNS Records for Your Web Site in Windows 2000
http://support.microsoft.com/?id=315982

Hope that helps!

--
Regards,
Mohanchand Koduri [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
 
These are the directions that I was trying to follow, but
this is the line that confused me:

"In the Fully qualified name for target host box, type the
fully qualified host name of the DNS server on which IIS
is installed. For example, type dns.domain_name.com, and
then click OK."

It makes it sound like I need DNS installed on the
server with IIS. This is where I get stuck.

You don't. And that's a poorly worded document for many users.

This is what I did so far. On the DNS server on the dirty
dmz, I created a forward lookup zone named <domain>.com .
I then created a host record in that zone named "www" and
then gave it the IP address of the web server. I thought
this is all I would need to do, but it is not working. Am
I doing something wrong?

Yup. But not DNS. :)

Your issue is likely forwarding the connections through the PIX to the
DMZ. You'll want to check Cisco's documentation, but basically you
need to open port 80 TCP from WAN to DMZ, and likely port 53 TCP and
UDP from DMZ to WAN.

Try some tests. Try to ping the web server from the WAN side. (That
requires ICMP traffic and you may be blocking that in the PIX as
well...). Try browsing by IP to eliminate DNS being an issue. Try a
telnet to port 80 of the web server from the WAN side to see if port
80 is getting through.

Normally, you put all outward facing systems in the DMZ, including
your DNS, and open only those ports needed for those systems through
the PIX. Otherwise, the DNS server is exposed to all outside attacks,
and you have to make doubly sure to harden it completely.

Jeff
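Jeff's reply describes the PIX side of the problem in words; the configuration below is an added example for this thread, not something posted by Jeff, Andrew or Microsoft, and not taken from Cisco's documentation. It uses PIX 6.x command syntax (lines starting with ":" are PIX comment lines), and the interface names, the access-list names, the public range 203.0.113.0/24 and the DMZ range 192.168.2.0/24 are all assumed for illustration. The first half is the "open port 80 TCP from WAN to DMZ" and "port 53 from DMZ to WAN" he describes; the second half adds the rules for the layout in his last paragraph, where the DNS server also sits in the DMZ and only UDP/TCP 53 is opened to it. One check worth making alongside the firewall rules: the "www" record on the outside DNS server has to carry the translated (public) address the PIX presents, not the web server's own DMZ address, or outside clients resolve the name to an address they cannot reach.

```text
: PIX 6.x fragment (added example; interface names, list names and all
: addresses are assumed for illustration). Lines starting with ":" are
: PIX comment lines.
:
: Interface roles: outside = ISP / "dirty DMZ" side, dmz = screened
: subnet holding the web server (and, in the second half, the DNS server).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

ip address outside 203.0.113.2 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0

: --- Web server: "open port 80 TCP from WAN to DMZ" ---
:
: One-to-one static translation. Outside clients connect to 203.0.113.10
: and the PIX rewrites it to the web server's real DMZ address
: 192.168.2.10. The "www" A record on the authoritative DNS server must
: therefore hold 203.0.113.10, the translated address, not 192.168.2.10.
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255

: Only TCP/80 to that one host is allowed in from the outside. Traffic
: arriving on a lower-security interface is denied by default, so no
: explicit deny is needed; do not widen this to "permit ip any any".
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

: --- "port 53 TCP and UDP from DMZ to WAN" ---
:
: DMZ -> outside is higher -> lower security and is permitted once a
: translation exists. The static above already translates the web
: server's own outbound traffic; the nat/global pair below (PAT on the
: outside interface) covers any other DMZ host. The dmz_out list then
: limits the web server to the outbound ports it actually needs; add
: others (for example NTP) only if the server genuinely uses them.
nat (dmz) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
access-list dmz_out permit udp host 192.168.2.10 any eq domain
access-list dmz_out permit tcp host 192.168.2.10 any eq domain
access-group dmz_out in interface dmz

: --- DNS server moved into the DMZ, as Jeff's last paragraph recommends ---
:
: Same pattern: a static for the DNS host and a hole for UDP and TCP 53
: only. The ISP's delegation (the NS records) then points at 203.0.113.11.
: An authoritative-only server needs no outbound rule of its own; its
: replies to inbound queries are return traffic the PIX already tracks.
static (dmz,outside) 203.0.113.11 192.168.2.11 netmask 255.255.255.255
access-list outside_in permit udp any host 203.0.113.11 eq domain
access-list outside_in permit tcp any host 203.0.113.11 eq domain
```

Used together with the tests Jeff lists, this gives a quick way to split DNS from firewall problems from a host on the WAN side: `nslookup www.<domain>.com <dns-server-ip>` should answer with 203.0.113.10 (an answer in the 192.168.x.x range means the zone holds the untranslated address), and `telnet 203.0.113.10 80` should connect; if the name resolves correctly but the telnet hangs, the static or the outside_in entry is what to look at.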
 