4 Replies Latest reply on Mar 3, 2010 10:26 AM by mcisar

    DNS server inside SG565

      Have an SG565 with 4.0.5 firmware... we host DNS for a client and are trying to migrate our old DNS server (which lives directly on the internet) to a virtual server (which lives on a machine on the LAN).

       

      The new DNS server is set up on the LAN at IP 10.11.11.6 and tests fine to queries from any machine on the LAN.  I can't for the life of me get it to respond to queries from the outside world.

       

      Have set up a port-forward rule in NAT...

      - destination     1.2.3.4     (obviously not the real address, which I can't remember right now :-)

      - services        domain    (tcp and udp 53)

      - to dest          extdns     (defined as 10.11.11.6)

      - to services     unchanged

       

      the packet filter rule gets auto defined as such...

      - action     accept

      - type     forward

      - incoming interface     any

      - outgoing interface     any

      - source address     any

      - dest address     extdns

      - services     domain

       

      Doesn't look unlike any of the other rules we've set up on the sg565 for web, remote desktop and such to other destinations on the LAN so I'm not sure where to look.

       

      Cheers,

      >>>>> Mike <<<<<

        • 1. Re: DNS server inside SG565

          Version 4 has a block all DNS out rule, for security.

           

          Can you check firewall -> packet filtering for an entry to DROP DNS?

          • 2. Re: DNS server inside SG565

            Thought of that, but that packet filter rule has been disabled because of other requirements of our configuration.

             

            Cheers,

            >>>>> Mike <<<<<

            • 3. Re: DNS server inside SG565

              Use

               

              system -> diagnostics -> packet capture

               

              select LAN interface and options

               

              -s 1500 port 53

               

              start the capture, then reproduce the fault.

               

              Stop the capture and have a look at the resulting data in wireshark.

               

              You should see DNS traffic if all is good, but since it is not, what you do capture may help track down the issue.

               

              hope this helps.

              • 4. Re: DNS server inside SG565

                Thanks Ross, I'll give that a try when I have a chance.  I ended up just firing up 2 separate virtual machines instead of one for the DNS.  Bind seemed to be having issues determining which view the traffic was intended for (i.e. didn't seem to recognize that the traffic was being sent to 2 different IPs on the virtual server)... so it was going to the wrong one.  With the two IPs being on 2 separate machines the data gets where it needs to be.  Whether that's a result of Bind, NAT, or a result of something going on in the UTM is yet to be determined.

                 

                Cheers,

                >>>>> Mike <<<<<
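
The view-selection problem described in reply 4 is the kind of thing a destination-based view configuration has to get right when the server sits behind a port-forward. Below is an added example, not Mike's configuration and not anything posted in the thread: a minimal BIND 9 named.conf fragment that serves two clients from one host by matching on the address a query arrived at. It assumes the LAN address 10.11.11.6 from the thread plus a second LAN address 10.11.11.7 (assumed), both forwarded to by the UTM, and uses placeholder zone names.

```conf
// Added example, not from the thread.  Assumes one BIND 9 host holding both
// LAN addresses 10.11.11.6 and 10.11.11.7 (the second address is assumed),
// each the target of its own port-forward on the UTM.  Zone names are
// placeholders.
options {
    directory "/var/named";
    listen-on port 53 { 10.11.11.6; 10.11.11.7; };
    recursion no;               // authoritative only, never recurse for the Internet
    allow-transfer { none; };   // no AXFR unless a secondary is added explicitly
};

// Views are evaluated in order; the first view whose match-clients AND
// match-destinations both succeed answers the query, and a query matching no
// view is REFUSED.  match-destinations is compared against the destination
// address as BIND sees it.  Behind the SG565 port-forward that is the LAN
// address the rule rewrote the packet to, NOT the public address the query
// was originally sent to, so listing public addresses here would make every
// query miss (or fall into whichever view happens to match everything).
view "client_a" {
    match-clients      { any; };
    match-destinations { 10.11.11.6; };
    zone "client-a.example" {
        type master;
        file "client-a.example.zone";
    };
};

view "client_b" {
    match-clients      { any; };
    match-destinations { 10.11.11.7; };
    zone "client-b.example" {
        type master;
        file "client-b.example.zone";
    };
};
```

Check the file with named-checkconf before reloading, and confirm with the LAN-side packet capture from reply 3 that the destination address in the captured queries is the LAN address each view expects; if a client's queries show up with the right destination but still get the other client's data, the views are overlapping (for example, a view with match-destinations { any; } placed before the specific ones), and if they get REFUSED, no view matched at all.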