Return to FAQ List
FAQ 107: Problems with certain firewallsCategory: Troubleshooting
- Clients separated from the DNS Redirector server by a firewall are either;
not able to resolve any DNS, or
not able to resolve modified DNS queries (such as those returned by SimpleDNS=, RedirectIP=, or BlockedIP= functions)
- Some websites fail to resolve via DNS, the result being the website is inaccessible.
- DNSSEC or CNAME records fail to resolve, this may be apparent only if the client traverses a L2L VPN tunnel to reach the DNS Redirector server.
DNS traffic inspection is being performed by the firewall.
Older firewalls/device firmware may regard DNS replies over 512 bytes as suspect, this prevents passing DNSSEC records which can legitimately be more than 512 bytes.
On a Cisco PIX or ASA firewall the relevant configuration lines are...
policy-map type inspect dns preset_dns_map
message-length maximum 512 ...Problem
inspect dns preset_dns_map ...DNS inspection enabled
Depending on your firewall; either upgrade the software/firmware to support DNSSEC, modify the configuration to allow DNSSEC, or disable DNS traffic inspection.
For Cisco PIX or ASA firewall products see: Preparing for DNSSEC
To test/prove this is the issue, you can remove DNS traffic inspection entirely with these commands:
no inspect dns
If your DNS Redirector server forwards DNS to an Active Directory (AD) Domain Controller (DC) DNS server,
the symptoms described here may be related to the Windows Server DNS service, see: kb832223
FAQ 110 Problems with certain routers