Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 28 subscribers
  • Views 7564 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNS not forwarding from WAN zone

Gary Parr

OK, so I'm running XG behind another device in a layered FW setup.  So, basically  WAN > (Edge Router) > DMZ > (XG) > LAN.  In this configuration, I have my DMZ actually set as a WAN zone within the XG networking tab. I'm not sure if this matters, but it seems it might.

So anyway, I've got XG set as my DNS server and LAN clients have no problem with name resolution. Clients in the DMZ (remember, WAN zone from XG's perspective), when pointed at XG, can only resolve entries specifically set in the XG's DNS Host Entry mappings. Well, anything with "publish on WAN" checked. Everything else fails. It seems XG refuses to forward DNS requests to the upstream DNS server when those requests originate from the WAN zone.

Can someone comment on this? I suppose it makes sense to disable DNS forwarding for the WAN zone... but in a multi-layered FW approach, it would be nice to have the option to override this. Is that possible? Alternatively, I can always change this zone from WAN to DMZ, because that is what it really is. But then all of my DNS Host entries are available there... which I don't really want.

Any thoughts on this?



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to Gary Parr

    Hi,

    What is not clear to as to what DNS settings you have on devices in the DMZ?

    Ian

  • 0 in reply to rfcat_vk

    DNS settings on machines in the DMZ are varied, but lets keep this simple.

    Performing a dig or nslookup against XG from within the LAN for something like google.com or sophos.com will result in a valid response from XG.  Performing the same dig or nslookup in the DMZ against XG will fail.  The only DNS queries that resolve from the DMZ (again, the WAN zone from XG's perspective) are for the manually created DNS Host entries with "Publish on WAN" selected in their configuration.

  • 0 in reply to Gary Parr

    I'm using a work around that was made possible by having spare ports on both my XG and my edge router. Basically, I now have two routes between these devices.

    One, lets call it 10.10.10.0/30, is tagged as the WAN port in XG so it acts as the gateway for all LAN (and XG generated) traffic. The edge router does not send any traffic inbound on this interface and XG itself dropps all unsolicited inbound traffic.

    The second route, lets call it 10.10.20.0/28, is tagged as DMZ in XG and is, unsurprisingly, where my DMZ servers sit. The edge router NATs to named servers here and XG only allows named servers in this zone through to internal resources with specific business rules. XG will allow LAN out to named DMZ servers as well.

    To my untrained eye, this solves my problem while maintaining the DMZ sandwiched between the two firewalls. Can someone point out any inherent security holes I may have created with this setup? Complex is always more prone to leak than simple, but I can't put my finger on anything specific here that I should be concerned about. 

  • 0 in reply to Gary Parr

    Followup thoughts...  I was trying to achieve 3 things:

    1. DMZ clients able to use XG for DNS
    2. LAN DNS not published to DMZ
    3. Have a valid gateway in XG

    What I've found is that

    • You can't have all 3 in a layered firewall setup.

    By setting the DMZ to WAN Zone you get 2 and 3, but not 1.  By setting DMZ to DMZ zone you get 1 only. Using my dual-path approach gets you 1 and 3 but not 2.

    Anyone else see another way to do this?