DNS Redirector

FAQ 107: Problems with certain firewalls

Category: Troubleshooting

- Clients separated from the DNS Redirector server by a firewall are either:
  - not able to resolve any DNS, or
  - not able to resolve modified DNS queries (such as those returned by the SimpleDNS=, RedirectIP=, or BlockedIP= functions)

- Some websites fail to resolve via DNS, the result being the website is inaccessible.

- DNSSEC or CNAME records fail to resolve; this may be apparent only when the client traverses an L2L (LAN-to-LAN) VPN tunnel to reach the DNS Redirector server.


DNS traffic inspection is being performed by the firewall.
Older firewalls or device firmware may treat DNS replies larger than 512 bytes as suspect and drop them. The 512-byte figure is the classic UDP message limit from RFC 1035; DNSSEC replies (carried with EDNS0) can legitimately exceed it, so they never reach the client.

On a Cisco PIX or ASA firewall the relevant configuration lines are (message-length maximum sits in the parameters submode of the inspect policy-map):
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512       ...Problem: replies over 512 bytes are dropped
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map       ...DNS inspection enabled
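
As an added illustration (not part of this FAQ or of the DNS Redirector product), the Python script below builds an EDNS0 query of the kind a DNSSEC-aware resolver sends and inspects a DNS reply for the properties a 512-byte message-length rule reacts to: total length, the TC (truncated) bit, and whether an OPT or RRSIG record is present. The sample reply, the example.com name, the 192.0.2.1 address and the udp_query helper are constructed for this example; run udp_query against your DNS Redirector server from both sides of the firewall and compare the results.

```python
"""Added diagnostic: does a DNS reply exceed the classic 512-byte UDP limit?

Constructed example, not DNS Redirector code. It builds an EDNS0 query,
parses a reply, and reports the facts a 'message-length maximum 512'
inspection rule cares about.
"""
import socket
import struct

CLASSIC_UDP_LIMIT = 512          # RFC 1035 UDP ceiling, the value in the ASA rule
TYPE_OPT, TYPE_RRSIG = 41, 46    # EDNS0 pseudo-record; DNSSEC signature record


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, edns_bufsize=4096, dnssec_ok=True):
    """Build a recursive query; edns_bufsize=0 sends a plain pre-EDNS0 query."""
    arcount = 1 if edns_bufsize else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    if edns_bufsize:
        # OPT RR: root name, type 41; the CLASS field carries the UDP buffer size
        # the client accepts, the TTL field carries flags (DO bit 0x8000 = want DNSSEC)
        ttl_flags = 0x8000 if dnssec_ok else 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, ttl_flags, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:    # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:              # the root label ends the name
            return off


def analyse_reply(msg, limit=CLASSIC_UDP_LIMIT):
    """Summarise the header bits and records relevant to the 512-byte problem."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    types, edns_bufsize = [], None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
        if rtype == TYPE_OPT:
            edns_bufsize = rclass                 # server's advertised UDP size
    return {
        "length": len(msg),
        "over_limit": len(msg) > limit,          # would trip message-length maximum 512
        "truncated": bool(flags & 0x0200),       # TC bit: client must retry over TCP
        "rcode": flags & 0x000F,
        "has_opt": edns_bufsize is not None,
        "edns_bufsize": edns_bufsize,
        "has_rrsig": TYPE_RRSIG in types,
    }


def build_sample_reply(txid=0x1234):
    """Constructed offline sample of a signed answer: A + RRSIG + OPT, over 512 bytes."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 1)    # QR, RD, RA set
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    ptr = b"\xc0\x0c"                                         # pointer to the name at offset 12
    a_rr = ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])  # TEST-NET-1 address
    sig = b"\x00" * 560                                       # stand-in for RRSIG rdata
    rrsig_rr = ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(sig)) + sig
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0)
    return hdr + question + a_rr + rrsig_rr + opt_rr


def udp_query(server, name, qtype=1, timeout=3.0):
    """Send a query over UDP and analyse whatever comes back (None on timeout).

    A timeout for a DNSSEC-signed name, while the same name resolves from the
    firewall's far side, is the symptom this FAQ describes.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (server, 53))
        try:
            reply, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return analyse_reply(reply)


if __name__ == "__main__":
    print(analyse_reply(build_sample_reply()))
```

A reply that is over the limit with has_rrsig set is exactly the kind the 512-byte rule discards; a reply with truncated set means the server itself fell back to the classic limit and the client is expected to retry over TCP, so TCP/53 must also pass the firewall.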


Depending on your firewall, either upgrade the software/firmware to support DNSSEC, modify the configuration to allow DNSSEC replies larger than 512 bytes, or disable DNS traffic inspection.

For Cisco PIX or ASA firewall products see: Preparing for DNSSEC
To test/prove this is the issue, you can remove DNS traffic inspection entirely with these commands (a diagnostic step only; once confirmed, re-enable inspection with a corrected message-length limit as described in the Cisco article above):
policy-map global_policy
 class inspection_default
  no inspect dns
write mem

If your DNS Redirector server forwards DNS to an Active Directory (AD) Domain Controller (DC) DNS server, the symptoms described here may instead be caused by the Windows Server DNS service; see Microsoft KB article kb832223.

Related articles
FAQ 110: Problems with certain routers

DNS Redirector | Legal Information | 2003-2019