Problem in Zone Based FW Config

Could anyone see why the below config is making HTTP downloads/streaming hang? Can't watch any streaming as it hangs in various parts, but also when downloading MS service packs it will sometimes not start at all or get a few percent then cut off.
Downloading off newsgroups though is not an issue.
It is definitely the router in some way. Tried a bog standard one and no issues. Seems to be since I adjusted the FW config through the CCP wizard and might have selected the medium security option.
Any ideas please?
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any Incoming-XBL-Traffic
match access-group name XBOX-Live
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
policy-map type inspect Incoming-XBL-Policy
class type inspect Incoming-XBL-Traffic
  pass
class class-default
  drop
zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect Incoming-XBL-Policy

This is the current running config:
HOME_RTR#sho          term len 0
HOME_RTR#show run
Building configuration...
Current configuration : 8216 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname
logging message-counter syslog
enable secret 5
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-2045468537
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2045468537
revocation-check none
rsakeypair TP-self-signed-2045468537
crypto pki certificate chain TP-self-signed
certificate self-signed 01
   quit
dot11 syslog
ip source-route
ip dhcp pool PRIVATE
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.254
ip dhcp pool WORK
   import all
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.254
ip dhcp pool SERVER
   host 192.168.10.200 255.255.255.0
   client-identifier 0100.248c.3fdb.a9
   client-name SERVER
ip dhcp pool XBOX
   host 192.168.10.210 255.255.255.0
   client-identifier 0100.25ae.eae4.88
   client-name XBOX
ip cef
ip domain name home.local
no ipv6 cef
multilink bundle-name authenticated
archive
log config
  hidekeys
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any Incoming-XBL-Traffic
match access-group name XBOX-Live
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
policy-map type inspect Incoming-XBL-Policy
class type inspect Incoming-XBL-Traffic
  pass
class class-default
  drop
zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect Incoming-XBL-Policy
interface ATM0
no ip address
no ip redirects
no ip proxy-arp
no atm ilmi-keepalive
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
interface ATM0.1 point-to-point
description WAN via ADSL
pvc 0/35
  pppoe-client dial-pool-number 1
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
shutdown
interface FastEthernet2
shutdown
interface FastEthernet3
shutdown
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security private-in-zone
ip tcp adjust-mss 1412
interface Vlan10
description $FW_INSIDE$
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security private-in-zone
ip tcp adjust-mss 1412
interface Vlan20
description $FW_INSIDE$
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
interface Dialer0
description ADSL Dialup
ip address negotiated
no ip redirects
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
ppp ipcp dns request
ppp ipcp address accept
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.10.210 88 interface Dialer0 88
ip nat inside source static udp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.210 3074 interface Dialer0 3074
ip access-list extended XBOX-Live
permit udp any host 192.168.10.210 eq 88
permit udp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.210 eq 3074
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
snmp-server community public RO
control-plane
banner login ^CHOME
^C
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
scheduler max-task-time 5000
end
HOME_RTR#exit
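
Added example, not part of the original post and not Cisco tooling: a small Python resolver that walks the posted in-zone to out-zone policy top-down and reports which class and action the first match gives a flow. The config string is an excerpt of the one posted above; the `TRANSPORT` table, the `acls` argument and all function names are assumptions made for the example.

```python
# Added example: first-match resolver for an IOS zone-based firewall policy.
# SAMPLE_CONFIG is an excerpt of the posted config; names below are assumptions.
SAMPLE_CONFIG = """\
class-map type inspect match-any ccp-cls-insp-traffic
match protocol https
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class class-default
  drop
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
"""

# Assumed transport per application protocol, so the generic
# "match protocol tcp" / "match protocol udp" entries can be evaluated.
TRANSPORT = {"http": "tcp", "https": "tcp", "nntp": "tcp", "dns": "udp"}
ACTIONS = {"inspect", "drop", "pass"}


def parse_zfw(config):
    """Parse class-maps, policy-maps and zone-pairs (indentation is ignored)."""
    cmaps, pmaps, zpairs = {}, {}, {}
    kind, cur = None, None
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:3] == ["class-map", "type", "inspect"] and len(w) == 5:
            kind, cur = "cmap", {"mode": w[3], "matches": []}
            cmaps[w[4]] = cur
        elif w[:3] == ["policy-map", "type", "inspect"] and len(w) == 4:
            kind, cur = "pmap", []
            pmaps[w[3]] = cur
        elif w[:2] == ["zone-pair", "security"] and len(w) == 7:
            kind, cur = "zp", {"name": w[2], "policy": None}
            zpairs[(w[4], w[6])] = cur
        elif kind == "cmap" and w[0] == "match" and len(w) >= 3:
            # ACL names come last ("match access-group name XBOX-Live")
            value = w[-1] if w[1] == "access-group" else w[2]
            cur["matches"].append((w[1], value))
        elif kind == "pmap" and w[0] == "class":
            cur.append({"class": w[-1], "action": None})
        elif kind == "pmap" and w[0] in ACTIONS and cur and cur[-1]["action"] is None:
            cur[-1]["action"] = " ".join(w)
        elif kind == "zp" and w[:3] == ["service-policy", "type", "inspect"] and len(w) == 4:
            cur["policy"] = w[3]
        else:
            kind = None  # any other line ends the current block
    return cmaps, pmaps, zpairs


def class_matches(name, proto, cmaps, acls=frozenset()):
    """True if a flow of protocol `proto` falls into class `name`.
    `acls` names the access lists the flow is assumed to match."""
    cmap = cmaps.get(name)
    if not cmap or not cmap["matches"]:
        return False
    hits = []
    for kind, value in cmap["matches"]:
        if kind == "protocol":
            hits.append(value in (proto, TRANSPORT.get(proto)))
        elif kind == "class-map":
            hits.append(class_matches(value, proto, cmaps, acls))
        else:
            hits.append(kind == "access-group" and value in acls)
    return all(hits) if cmap["mode"] == "match-all" else any(hits)


def resolve(src, dst, proto, parsed, acls=frozenset()):
    """Return (zone_pair, class, action) for the first class that matches."""
    cmaps, pmaps, zpairs = parsed
    zp = zpairs.get((src, dst))
    if zp is None or zp["policy"] not in pmaps:
        return (None, None, "no-policy")
    for entry in pmaps[zp["policy"]]:
        if entry["class"] == "class-default" or class_matches(
                entry["class"], proto, cmaps, acls):
            return (zp["name"], entry["class"], entry["action"])
    return (zp["name"], "class-default", "drop")  # implicit default action


if __name__ == "__main__":
    parsed = parse_zfw(SAMPLE_CONFIG)
    for proto in ("http", "nntp", "https"):
        print(proto, resolve("in-zone", "out-zone", proto, parsed))
```

On the posted policy, HTTP lands in `ccp-protocol-http`, while newsgroup (NNTP) traffic falls through to the generic TCP match in `ccp-insp-traffic`, so the two kinds of traffic are handled by different inspection classes.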

Similar Messages

  • Problems with Zone based Firewall and mtr (mytraceroute)

    We are using ZFW on an ASR1001 and have experienced a problem: when I try to use mtr (mytraceroute, see
    http://en.wikipedia.org/wiki/MTR_%28software%29), I am getting packetloss on all hops between the source and the destination. e.g.:
    <code>
                                                  Packets               Pings
    Host                                          Loss%   Snt   Last   Avg  Best  Wrst StDev
    1. Stuttgart-I28-1.belwue.de                  100.0     8    0.0   0.0   0.0   0.0   0.0
    2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net      100.0     7    0.0   0.0   0.0   0.0   0.0
    3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net     100.0     7    0.0   0.0   0.0   0.0   0.0
    4. Karlsruhe1-10GE-4-0-0.belwue.net           100.0     7    0.0   0.0   0.0   0.0   0.0
    5. Mannheim1-10GE-3-0-0.belwue.net            100.0     7    0.0   0.0   0.0   0.0   0.0
    6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net  100.0     7    0.0   0.0   0.0   0.0   0.0
    7. de-cix20.net.google.com                    100.0     7    0.0   0.0   0.0   0.0   0.0
    8. 72.14.238.230                              100.0     7    0.0   0.0   0.0   0.0   0.0
    9. 72.14.239.62                               100.0     7    0.0   0.0   0.0   0.0   0.0
    10. 209.85.242.187                            100.0     7    0.0   0.0   0.0   0.0   0.0
    11. ???
    12. ???
    13. ???
    14. bk-in-f94.1e100.net                        0.0%     7   20.0  20.6  20.0  21.2   0.4
    </code>
    So it seems that the Firewall on my asr1001 is throwing away all packets with ttl-exceeded coming back from hops in between, they have another destination address.
    At the moment I am inspecting all kind of traffic from my network outgoing:
    ip access-list extended 101
    permit ip any any
    class-map type inspect match-all cmap1
    match access-group name 101
    policy-map type inspect pmap1
    class type inspect cmap1
    inspect
    etc... (zones, zone-pair in-out with policies applied)
    So I tried to let pass all icmp-traffic from the outside to my network:
    class-map type inspect match-all cmap_icmp
    match protocol icmp
    policy-map type inspect pmap2
    class type inspect cmap_icmp
    pass
    etc... (zones, zone-pair out-in with policies applied)
    So this has no effect, but I tested and I could figure out, that when I pass all icmp-traffic from my network to the outside, THEN mtr does work.
    BUT then normal ping does not work anymore, because it will not be inspected any more.
    But I want to have a secure Firewall with inspecting echo-replies and working mtr anyway.
    Has anyone the same problem or can even solve this issue?
    Thanks in advance,
    Stefan

    Hi Andrew, thanks for Your answer...
    So I have now:
    class-map type inspect match-any cmap_icmp
    match access-group name icmp_types
    ip access-list extended icmp_types
    permit icmp any any ttl-exceeded
    PMAP IN--> OUT
    (don't be confused, my "vlanxxx_pmap_in" is the pmap FROM my network TO the outside...)
    policy-map type inspect vlan664_pmap_in
    class type inspect vlan664_cmap_in   (this is an extended ACL "permit ip x.x.x.x any")
      inspect
    class type inspect ipsec_cmap_in (this is because I have problems with VPN when inspected, another problem...)
      pass log
    class class-default
      drop log
    PMAP OUT-->IN
    policy-map type inspect vlan664_pmap_out
    class type inspect cmap_icmp (here comes the "ttl-exceeded"-ACL)
      pass log
    class type inspect vlan664_cmap_out (some open ports for some clients)
      inspect
    class type inspect ipsec_cmap_out (same problem with VPN when inspected)
      pass log
    class class-default
      drop log
    But unfortunately, the same problem occurs. Curiously, the first two packets seem to go "through" the firewall, but with 3rd packet the packetloss comes up:
                                                    Packets               Pings
    Host                                         Loss%   Snt   Last   Avg  Best  Wrst StDev
    1. Stuttgart-I28-1.belwue.de                 50.0%     3    0.3   0.3   0.3   0.3   0.0
    2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net     50.0%     3    0.9   0.9   0.9   0.9   0.0
    3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net     0.0%     2    2.7   2.7   2.7   2.7   0.0
    4. Karlsruhe1-10GE-4-0-0.belwue.net           0.0%     2    1.5   1.5   1.5   1.5   0.0
    5. Mannheim1-10GE-3-0-0.belwue.net            0.0%     2    2.5   2.5   2.5   2.5   0.0
    6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net  0.0%     2    4.1   4.1   4.1   4.1   0.0
    7. de-cix20.net.google.com                    0.0%     2    5.0   5.0   5.0   5.0   0.0
    8. 72.14.238.44                               0.0%     2   39.2  39.2  39.2  39.2   0.0
    9. 72.14.236.68                               0.0%     2    5.4   5.4   5.4   5.4   0.0
    10. 209.85.254.118                             0.0%     2    5.4   5.4   5.4   5.4   0.0
    11. ???
    12. google-public-dns-a.google.com             0.0%     2    5.5   5.3   5.2   5.5   0.2
                                                     Packets               Pings
    Host                                          Loss%   Snt   Last   Avg  Best  Wrst StDev
    1. Stuttgart-I28-1.belwue.de                  66.7%     4    0.3   0.3   0.3   0.3   0.0
    2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net      66.7%     4    0.8   0.8   0.8   0.8   0.0
    3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net     66.7%     4    2.1   2.1   2.1   2.1   0.0
    4. Karlsruhe1-10GE-4-0-0.belwue.net           66.7%     4    1.5   1.5   1.5   1.5   0.0
    5. Mannheim1-10GE-3-0-0.belwue.net            66.7%     4    2.6   2.6   2.6   2.6   0.0
    6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net  66.7%     4    4.2   4.2   4.2   4.2   0.0
    7. de-cix20.net.google.com                    66.7%     4    5.3   5.3   5.3   5.3   0.0
    8. 72.14.238.44                               66.7%     4   70.3  70.3  70.3  70.3   0.0
    9. 72.14.239.60                               66.7%     4    5.8   5.8   5.8   5.8   0.0
    10. 209.85.254.116                             66.7%     4    5.8   5.8   5.8   5.8   0.0
    11. ???
    12. google-public-dns-a.google.com              0.0%     4    6.3   5.7   5.2   6.3   0.5
    In the sessions on the routers, I see only this entry:
             Session 206F66C (129.143.6.89:8)=>(8.8.8.8:0) icmp SIS_OPEN
    Any other suggestions?

  • Traditional ACL vs Zone Based FW

    I have a 3845 ISR that I have been managing for a couple years that has a traditional ACL based config.  We just purchased a new 3845 for redundancy and it arrived with the zone based config from Cisco.  Any opinions on whether I should take the existing router to a zone based config or should I configure the new router with traditional ACL config that I am more comfortable with?

    If there was the option to use a Zone based FW or just straight access lists then surely the Zone based FW would be considered a better option as it has more features than just permit or deny. The Zone based FW will also inspect traffic and block any traffic with malicious code for example. I am not an expert in this arena, but based on Security exam topics and other publications, the FW approach seems to be gaining traction versus managing ACLs alone. Although, ACLs will always have their place in the network...
    The choice is based on your comfort level, but both are viable options...
    BR,
    Cary
    Sent from Cisco Technical Support iPad App

  • CSS Zone based DNS solution question

    I have a css at the main site configured as a stand alone unit at the moment.
    I have the advanced feature set and want to use our second CSS for a dynamic failover scenario in the DR site.
    At the moment in the event of Internet access interruption of the Main site, the DR site is configured to advertise the main site Internet subnet out its edge router to BGP.
    The DR edge router receives updates from the Main site edge router through everything end to end and distributes this into BGP.
    The DR PIX has static mappings to the main site servers.
    But this is only if the link drops and everything else is up.
    If the site gets wiped out, there is no failover plan.
    I am thinking this will be a problem if I set up the Zone Based DNS scenario.
    I have the CSS devices, is this a huge problem to work around?
    Any thoughts?

    Anyone? Gilles, any words of advice?
    I found this in the documentation for acl's, it states...
    "If you configure a CSS with the dns-server command, and the CSS receives a
    DNS query for a domain name that you configured on the CSS using the host
    command, the DNS query will not match on an ACL that is configured with the
    apply dns command.
    However, if you configure a domain name on a content rule on a CSS using the
    add dns domain_ name command, a DNS query for that domain name will match
    on an ACL that is configured with the apply dns command."
    The problem with this statement is I am not using the "host" command and I am also not using the "add dns" command. I am using the "dns-record a" command.

  • CSS Zone based DNS for Site Redundancy?

    I am in the process of changing from rules based dns to zone based dns. I had used the document below to provide redundancy between 2 sites.
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00801dcd75.shtml
    There is an ACL in the document which says
    "If the primary site is up, then this ACL will tell requests landing on this site to prefer the Primary site.
    clause 10 permit any any destination content owner_backup/WWW-backup prefer hacked_redirectt
    clause 99 permit any any destination any
    apply circuit-(VLAN1)
    apply dns
    Once I implemented a dns-server zone, this acl no longer has an effect. The requests are round-robining unless I set the dns-server zone to preferlocal. Unfortunately this does not solve my problem, if the main site is up both CSSs should prefer the main site.
    How is this same thing accomplished with zone based dns, or is it even possible? Thanks.

    Anyone? Gilles, any words of advice?
    I found this in the documentation for acl's, it states...
    "If you configure a CSS with the dns-server command, and the CSS receives a
    DNS query for a domain name that you configured on the CSS using the host
    command, the DNS query will not match on an ACL that is configured with the
    apply dns command.
    However, if you configure a domain name on a content rule on a CSS using the
    add dns domain_ name command, a DNS query for that domain name will match
    on an ACL that is configured with the apply dns command."
    The problem with this statement is I am not using the "host" command and I am also not using the "add dns" command. I am using the "dns-record a" command.

  • Cisco Zone-based firewall issue/ not receiving return traffic

    Hi,
    I have created a Cisco IOS Zone based firewall on my Cisco 3945 router. I have an issue receiving any returning traffic. Here is a simplified version of my issue.
    I have two zone pairs: Internal to Outside and Outside to Internal.
    In the zone pair Out-to-Int I have a few rules allowing connections to specific servers on specific ports. The default class-map drops any non-matching packets.
    In the zone pair Int-to-Out I have a rule saying internal PCs can access any destination on the internet over “any” service. When I put the action as “Inspect” I cannot connect to the internet. It’s as if my return traffic is not detected by the firewall and instead gets dropped by the default class map in the Out-to-Int pair.
    To make it work I need to do two changes. I need to choose Allow instead of Inspect and I need to change the default class-map on the Out-to-Int pair to “allow” for unmatched traffic. But this is not good because I have a default allow on my out-to-int pair.
    Am I misunderstanding something? Shouldn’t the inspect action on the Int-to-Out zone allow for return traffic no matter what rules I applied on the Out-to-Int pair? Thank you in advance for your help.

    Please share your config. Then we can see what's wrong there.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • The problem of function-based reuse

    I read the quoted text as follows from a book authored by a Microsoft developer. I googled and found a lot of quotes of it, but did not find any explanation.
    ============
    With languages like C, the basic unit of reuse is the function. The problem with function-based reuse is that the function is coupled to the data it manipulates, and if the data is global, a change to benefit one function in one reuse context damages another function used somewhere else.
    ============
    C uses libraries widely, which is function-based reuse. Can anybody kindly give me a scenario when this problem happens?
    Java is typically object-based reuse, and I admit that my question is not a Java one. But I feel it would help to understand more about the concept or benefits of design of Java language. So, thank you for allowing me to post this question here.
    Edited by: 799160 on Sep 30, 2010 12:38 PM
    Edited by: 799160 on Sep 30, 2010 12:57 PM

    This is what I got out of reading the quote you posted:
    I suppose something like the following could happen:
    You (being a general person) have been given a class to modify. You look at the code for the first time and it has a bunch of methods and some class variables in it. Some of the methods use the class variables. How can you be sure if you change the functionality to change a class variable in one method won't affect the other methods when they are used? This problem can be solved by learning what everything does, how it interacts and the correct way to use it. But then again, if you don't think about it and just make changes...Oops!
    Perhaps another abstract example would make sense:
    Imagine a calculator that could be used by 2 people at the same time? I bet it'd come up with some funny answers :)
    I wrote up a short example of this, hopefully it makes some sense:
    public class SuperBigProgram
    {
         private int globalVar;

         public static void main ( String[] args )
         {
              new SuperBigProgram();
         }

         public SuperBigProgram()
         {
              System.out.println("I'm a super big program.");
              globalVar = 0;
              //Let's pretend these series of events occur during the program:
              doItHighChanceActivity(); //1
              doItHighChanceActivity(); //2
              doItHighChanceActivity(); //3
              //Whoops super rare event occurred!
              doesNotHappenALot();
              doItHighChanceActivity(); //4????    but is really 5.
         }

         /**
          * This happens A LOT!
          */
         private void doItHighChanceActivity ()
         {
              superUtilityMethod();
              System.out.println("globalVar: " + globalVar);
         }

         /**
          * This utility method does some awesome utility stuff for our Super Big Program.
          * This changes some global data.
          */
         private void superUtilityMethod()
         {
              globalVar++;
         }

         /**
          * This does not happen a lot, if at all.
          */
         private void doesNotHappenALot()
         {
              //Hey I don't happen a lot but I'm reusing this really cool utility method that contains global data...
              //Code reuse for the win!
              superUtilityMethod();
         }
    }
    Here is the output:
    I'm a super big program.
    globalVar: 1
    globalVar: 2
    globalVar: 3
    globalVar: 5
    Edited by: kilosi on Sep 30, 2010 1:22 PM

  • Problem with File Based replication in Weblogic Express 10

    Hi,
    We have Web application (exploded war) file deployed on Weblogic Express 10, to a Cluster of three Managed Servers (all three on different physical machines).
    We are using File based session persistence in weblogic.xml
    We have a shared location for all the three servers where we will be sharing the Session data.
    When we start the application, it works fine and is very fast, but after some time the application slows down.
    Troubleshooting the issue we found that it's a problem with file based replication. By using File based replication every user session is stored in form of directory inside shared directory. So after some time thousands of directories are created inside the shared directory where the session information is stored. So when we access the application, it's waiting for a lot of time with Message Session Monitor .... (this is because it's browsing through the shared session storage directory for a lot of time for session information as it has a lot of directories) and finally after a long time like 10 mins we get the Application Home Page.
    When we clean up all the saved sessions inside shared directory, the application works fine, but we will see the same sometime later, maybe after 3 or 4 hours when the shared session directory has a lot of session information stored in it.
    Is there a way to clean up the saved session information on file system as soon as that user session is closed by using file based replication?
    We cannot use in-memory replication as our Appl doesn't support it.
    Please advise as it is a major show stopper in our Production Mirror env.
    Weblogic Consultant

    It is possible to reduce number of live session by configuring very low timeout-secs weblogic.xml. Default is 60 minutes.
    More details are here..
    http://e-docs.bea.com/wls/docs100/webapp/weblogic_xml.html#wp1071982
    Jayesh
    Yagna Sys

  • Problem Creating VirtualProviders Based on the DTP

    Problem Creating VirtualProviders Based on the Data Transfer Process.
    (1) I have created a Data Source (extract structure and extractor) on SYS1. Tested the extractor. It returns data as desired.
    (2) Then I replicated this Data Source to SYS2.
    (3) In SYS1 I created an InfoCube (VirtualProvider based on data transfer process for direct access).
    Till this point I have no issues.
    (4) But after that I am not able to "Create Data Transfer Process" for this Virtual InfoProvider. When I try to create a DTP, the DTP type available for selection is "Scheduled", whereas per the documentation I need to create a DTP of DTP type "DTP for Direct Access". This DTP type I do not see.
    Is it a problem with the BW configuration or some user error? Any suggestions which may help would be really appreciated.
    Thanks & Regards,
    priyadarshi

    Corrected some typos in my earlier update...
    Problem Creating VirtualProviders Based on the Data Transfer Process.
    (1) I have created a Data Source (extract structure and extractor) on SYS1. Tested the extractor. It returns data as desired.
    (2) Then I replicated this Data Source to SYS2.
    (3) In SYS2 I created an InfoCube (VirtualProvider based on data transfer process for direct access).
    Till this point I have no issues.
    (4) But after that I am not able to "Create Data Transfer Process" for this Virtual InfoProvider. When I try to create a DTP, the DTP type available for selection is "Standard(Scheduled)", whereas per the documentation I need to create a DTP of DTP type "DTP for Direct Access". This DTP type I do not see.
    Is it a problem with the BW configuration or some user error? Any suggestions which may help would be really appreciated.
    Thanks & Regards,
    priyadarshi

  • Problem with replication based on materialized view

    Problem with replication based on materialized view...
    Given:
    1. Source: S-1
    2. Targets: T-1, T-2
    3. DB links: from T-1 to S-1, from T-2 to S-1
    Required: replicate table TBL on S-1 to T-1, T-2 via db links.
    On S-1 a materialized view log with PK was created on TBL. On T-1, T-2 mat. views were created as "on prebuilt table refresh fast on demand". In case of "ORA-12034: materialized view log younger than last refresh" or initial load, a complete refresh is performed. Initial load on T-1 takes about 1 hour, on T-2 about 12 hours. Refresh is executed via a job with a one-minute interval. If a refresh is already running then it is not performed.
    Problem: after initial load, T-1 performs fast refresh, but on T-2 ORA-12034 is raised and a complete refresh is performed again.
    What's wrong?

    34MCA2K2, Google lover?
    I confess perhaps I gave too little info.
    View log was created before MV.
    It was the first initial load.
    No refresh failed.
    No DDL.
    No purge log.
    Not warehouse.
    There is no such behavior for MVs on other sites.
    P.S. I am asking for help from someone who knows what's wrong, or who has faced it, or who can point me to a useful link.
    P.P.S. It's a pity that there is no "Useless answer" button.

  • Problem in form based authentication

    Hi,
    I am encountering a problem in form based authentication.
    When I try to log in for the first time, it reroutes me to the image
    directory and not to the requested page.
    When I try it for the second time, it shows
    "Form based authentication failed. Could not find session."
    And it always shows this message no matter how many times I try.
    I am not sure if it is something that I did not set ...
    Thanks for any advice.
    Eric

    Hi Eric,
    It may be a problem in your web.xml. I missed the "/" slash character
    in the web.xml's <form-login-page> element. So your web.xml
    must look like

  • Nearest time zones based on user time zone

    Hi,
    In my application, the user accesses the applet in the browser and based on the user's time zone I need to display the list of available servers which are near to his time zone.
    Please provide me some hints on how to sort the time zones based on the time zone offset.
    Thanks
    Aravind

  • Look-up java time zone based on location?

    I have a test app where I can assign a java timezone and return time info - However, I don't see a way to look-up a java time zone based on location (combination of city/province/state/country).
    Is this possible?

    Has anyone found a way to look up a timezone based on a city/region in the world? So one could type any city and state/province and country combination and get the corresponding timezone for that region. Is there a place where one can buy this data?
    Thank you

  • Characteristics Assignment in Accounting Based COPA Config.

    Hi,
    How to give Characteristics in Accounting Based COPA Config. and what is the TCode....
    regards
    JK

    Hi
    It is strongly recommended, however, that you do not activate both types of CO-PA. The
    major reason is that you will have significant table size impacts. You must be careful
    with account based CO-PA as this creates additional line items in the existing CO tables of
    COEP (actual), COEJ (plan), COSP & COSS (summary records). Hence if you want to do any
    cost center reporting, say, from any of these existing tables you will run the risk that
    performance will be degraded by these additional and unnecessary records.
    The only advantage of account based over costing based CO-PA is its ability to
    automatically reconcile back to FI, in much the same manner as you would reconcile
    cost center accounting back to FI. However you don't have the flexibility in account
    based CO-PA to perform valuations using product cost estimates etc. as you do in
    costing based CO-PA. If the reason you were advised to turn on account based CO-PA
    as well as costing based was to facilitate reconciliation, it is suggested that you look
    at alternatives that won't have the same negative impacts that turning on account
    based would have. In addition to the serious table space issues, it is not that easy to
    turn on and off account based at will (especially in production).
    Instead what you should look at doing is creating a series of reports that enable you to
    reconcile costing based CO-PA back to CCA/PCA and FI, if this is required. The complexity
    of the costing based functionality you have used will determine the complexity of the
    reports that will be needed to reconcile back, but it can be done without turning on
    account based CO-PA.
    Regards

  • GSLB Zone-Based DNS Payment Gw - Config Active-Active: Not Failing Over

    Hello All:
    Currently having a bit of a problem, have exhausted all resources and brain power dwindling.
    Brief:
    Two geographically diverse sites. Different AS's, different front ends. Migrated from one site with two CSS 11506's to two sites with one 11506 each.
    Flow of connection is as follows:
    Client --> FW Public Destination NAT --> CSS Private content VIP/destination NAT --> server/service --> CSS Source VIP/NAT --> FW Public Source NAT --> client.
    Using Load Balancers as DNS servers, authoritative for zones due to the requirement for second level Domain DNS load balancing (i.e xxxx.com, AND FQDNs http://www.xxxx.com). Thus, CSS is configured to respond as authoritative for xxxx.com, http://www.xxxx.com, postxx.xxxx.com, tmx.xxxx.com, etc..., but of course cannot do MX records, so is also configured with dns-forwarders which consequently were the original DNS servers for the domains. Those DNS servers have had their zone files changed to reflect that the new DNS servers are in fact the CSS'. Domain records (i.e. NS records in the zone file), and the records at the registrar (i.e. tucows, which I believe resells .com, .net and .org for netsol) have been changed to reflect the same. That part of the equation has already been tested and is true to DNS Workings. The reason for the forwarders is of course for things such as non load balanced Domain Names, as well as MX records, etc...
    Due to design, which unfortunately cannot be changed, dns-record configuration uses kal-ap, example:
    dns-record a http://www.xxxx.com 0 111.222.333.444 multiple kal-ap 10.xx.1.xx 254 sticky-enabled weightedrr 10
    So, to explain so we're absolutely clear:
    - 111.222.333.444 is the public address returned to the client.
    - multiple is configured so we return both site addresses for redundancy (unless I'm misunderstanding that configuration option)
    - kal-ap and the 10.xx.1.xx address because due to the configuration we have no other way of knowing the content rule/service is down and to stop advertising the address for said server/rule
    - sticky-enabled because we don't want to lose a payment and have it go through twice or something crazy like that
    - weightedrr 10 (and on the other side weightedrr 1) because we want to keep most of the traffic on the site that is closer to where the bulk of the clients are
    So, now, the problem becomes that the clients (i.e. something like an interac machine, RFID tags...) need to be able to fail over almost instantly to either of the sites should one lose connectivity and/or servers/services. However, this does not happen. The CSS changes its advertisement, and this has been confirmed by running "nslookups/digs" directly against the CSSs... however, the client does not recognize this and ends up returning a "DNS Error/Page not found".
    Thinking this may have something to do with the "sticky-enabled" and/or the fact that DNS doesn't necessarily react very well to a TTL of "0".
    Any thoughts... comments... suggestions... experiences???
    Much appreciated in advance for any responses!!!
    Oh... should probably add:
    nslookups to some DNS servers consistently - ALWAYS the same ones - take 3 lookups before getting a reply. Other DNS servers are instant....
    Cheers,
    Ben Shellrude
    Sr. Network Analyst
    MTS AllStream Inc

    Hi Ben,
    If I got your posting right, the CSSes are doing their job and do advertise the correct IP for a DNS query, right?
    If some of your clients are having a problem this might be related to DNS caching. Some clients cache the DNS response and do not do a refresh until they fail or this timeout is gone.
    Even worse, if the request fails you sometimes have to reset the client's DNS daemon so that it requests IP addresses from scratch. I had this issue with some Unix boxes. If I remember it correctly you can configure the DNS behaviour for Unix boxes and can forbid them to cache DNS responses.
    Kind Regards,
    joerg
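
    The caching effect described in this reply, as an added simulation that is not part of the thread and is not CSS or resolver code: an authoritative answer with TTL 0 only gives instant failover to a client that honors the TTL. The addresses, the 65-second failure time and the 300-second client cache floor are constructed assumptions.

```python
# Constructed simulation; names, addresses and timings are assumptions.
from dataclasses import dataclass

SITE_A = "192.0.2.10"     # preferred site (documentation-range placeholder)
SITE_B = "198.51.100.10"  # secondary site (documentation-range placeholder)


class Gslb:
    """Authoritative side: answers with the preferred site while it is up, TTL 0."""

    def __init__(self, site_a_fails_at):
        self.site_a_fails_at = site_a_fails_at

    def site_up(self, addr, now):
        # Site B stays up for the whole run; site A dies at site_a_fails_at.
        return addr == SITE_B or now < self.site_a_fails_at

    def query(self, now):
        addr = SITE_A if self.site_up(SITE_A, now) else SITE_B
        return addr, 0  # (A record, TTL in seconds)


@dataclass
class Client:
    """Client-side cache; min_cache_secs models a client that overrides the TTL."""
    min_cache_secs: int = 0
    cached: str = None
    expires: float = 0.0
    queries: int = 0

    def resolve(self, gslb, now):
        if self.cached is not None and now < self.expires:
            return self.cached              # served from cache, GSLB not asked
        addr, ttl = gslb.query(now)
        self.queries += 1
        self.cached = addr
        self.expires = now + max(ttl, self.min_cache_secs)
        return addr


def outage_seconds(client, gslb, duration=900, step=10):
    """Seconds during which the client kept connecting to a dead address."""
    failed = 0
    for now in range(0, duration, step):
        if not gslb.site_up(client.resolve(gslb, now), now):
            failed += step
    return failed


if __name__ == "__main__":
    print("honors TTL 0:", outage_seconds(Client(), Gslb(65)), "s of failures")
    print("caches 300 s:", outage_seconds(Client(min_cache_secs=300), Gslb(65)), "s of failures")
```

    The query counter on each client shows the other side of the trade-off: the client that honors TTL 0 asks the GSLB on every connection attempt.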
