    DNS server inside SG565

      Have an SG565 with 4.0.5 firmware... we host DNS for a client and are trying to migrate our old DNS server (which lives directly on the internet) to a virtual server (which lives on a machine on the LAN).


      The new DNS server is set up on the LAN at IP and tests fine to queries from any machine on the LAN.  I can't for the life of me get it to respond to queries from the outside world.


      Have set up a port-forward rule in NAT...

      - destination     (obviously not the real address, which I can't remember right now :-)

      - services        domain    (tcp and udp 53)

      - to dest          extdns     (defined as

      - to services     unchanged


      the packet filter rule gets auto defined as such...

      - action     accept

      - type     forward

      - incoming interface     any

      - outgoing interface     any

      - source address     any

      - dest address     extdns

      - services     domain


      Doesn't look unlike any of the other rules we've set up on the sg565 for web, remote desktop and such to other destinations on the LAN so I'm not sure where to look.



          Version 4 has a block all DNS out rule, for security.


          Can you check firewall -> packet filtering for an entry to DROP DNS ?

            Thought of that, but that packet filter rule has been disabled because of other requirements of our configuration.



              system -> diagnostics -> packet capture


              select LAN interface and options


              -s 1500 port 53


              start the capture, then reproduce the fault.


              Stop the capture and have a look at the resulting data in wireshark.


              You should see DNS traffic if all is good, but since it is not, what you do capture may help track down the issue.


              hope this helps.

                Thanks Ross, I'll give that a try when I have a chance.  I ended up just firing up 2 separate virtual machines instead of one for the DNS.  BIND seemed to be having issues determining which view the traffic was intended for (i.e. didn't seem to recognize that the traffic was being sent to 2 different IPs on the virtual server)... so it was going to the wrong one.  With the two IPs being on 2 separate machines the data gets where it needs to be.  Whether that's a result of BIND, NAT, or a result of something going on in the UTM is yet to be determined.
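
The single-host setup the poster gave up on (one BIND instance answering on two LAN addresses, each address getting its own view) is selected in BIND 9 with `match-destinations`. The fragment below is an added example for this thread, not configuration from the poster or from the SG565; the addresses 10.0.0.10 and 10.0.0.11, the zone name and the file paths are placeholders, and it assumes the UTM's two port-forwards deliver each public address to its own LAN address rather than collapsing both onto one.

```conf
// Added example (not from the thread): one BIND 9 named.conf with two views,
// each chosen by the destination address the query arrived on.
// 10.0.0.10 / 10.0.0.11 are placeholder LAN addresses on the same host.
options {
    directory "/var/named";
    listen-on { 10.0.0.10; 10.0.0.11; };
    listen-on-v6 { none; };
    recursion no;              // authoritative only: no open resolver on the internet
    allow-transfer { none; };  // zone transfers only from explicitly listed hosts
};

// Views are tried in order; a query that matches no view is REFUSED.
// Queries forwarded by the UTM to 10.0.0.10 land here.
view "public-a" {
    match-clients { any; };
    match-destinations { 10.0.0.10; };
    zone "example.com" {
        type master;
        file "a/example.com.zone";   // placeholder path
    };
};

// Queries forwarded by the UTM to 10.0.0.11 land here.
view "public-b" {
    match-clients { any; };
    match-destinations { 10.0.0.11; };
    zone "example.com" {
        type master;
        file "b/example.com.zone";   // placeholder path
    };
};
```

`named-checkconf` validates the syntax before a restart. The packet capture described above then shows directly which LAN address the UTM actually delivered a forwarded query to; if both public addresses arrive rewritten to the same internal address, no `match-destinations` rule can tell them apart and the NAT rules, not BIND, need adjusting.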



