In many network deployments, the DNS servers and DNS clients are located on different subnets that are connected through the security appliance, which is set up for address translation. This is illustrated in Figure 5-20. The web server (www.securemeinc.com) and the web clients are on the inside network, whereas the DNS server is on the outside network. The real IP address of the server is 192.168.10.20 and its translated public address is 209.165.200.227.
Figure 5-20. DNS and NAT Without DNS Doctoring
The problem arises when a web client (Host A) tries to access the web server using its host name. The DNS server on the outside knows the server only by its translated address, so Host A receives 209.165.200.227 in the reply and tries to connect to an address that belongs to the outside side of the appliance, even though the server sits on the same inside network; the connection fails. In this scenario, the following sequence of events occurs:
The DNS doctoring feature of Cisco ASA inspects the data payload of DNS replies and changes the type A DNS record (the IP address returned by the DNS server) to the address specified in the NAT configuration. In Figure 5-21, the security appliance modifies the IP address in the payload from 209.165.200.227 to 192.168.10.20 (Step 4) before forwarding the DNS reply to the client. The client then uses the real address to connect to the web server.
Figure 5-21. DNS and NAT with DNS Doctoring
The DNS doctoring feature is enabled by adding the dns keyword to the static and/or nat commands that translate the real IP address of the server. In Example 5-44, a static NAT entry translates the real IP address 192.168.10.20 to the global IP address 209.165.200.227, and the dns keyword enables DNS doctoring for this server. The rewrite itself is performed by DNS application inspection, so inspect dns must be applied to the DNS traffic; it is part of the default global service policy.
Example 5-44. Configuration of DNS Doctoring
Chicago(config)# static (inside,outside) 209.165.200.227 192.168.10.20 netmask 255.255.255.255 dns
The security appliance also supports DNS doctoring through the alias command. The recommended method, however, is the dns keyword on the static and nat commands, because the alias command is being deprecated. Note also that ASA 8.3 and later removed the static, nat/global and alias commands in favor of object NAT and twice NAT; there the same dns keyword is appended to the nat statement, and the doctoring behavior described here carries over unchanged.
DNS doctoring can also be set up for outside NAT. This is useful in deployments where both the DNS server and the content server (such as a web or e-mail server) reside on the outside network and the clients are located on the inside network, as shown in Figure 5-22.
Figure 5-22. DNS Doctoring for Outside NAT
The following sequence of events takes place when a host on the inside network connects to a web server on the outside network:
Example 5-45 shows the corresponding configuration of the security appliance to enable DNS doctoring for outside NAT. Here the static command maps the server's real outside address, 209.165.200.227, to 192.168.10.20 on the inside, and the dns keyword makes the appliance rewrite 209.165.200.227 to 192.168.10.20 in DNS replies sent to inside clients.
Example 5-45. Configuration of DNS Doctoring for Outside NAT
Chicago(config)# static (outside,inside) 192.168.10.20 209.165.200.227 netmask 255.255.255.255 dns
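The payload rewrite that Figures 5-21 and 5-22 describe, modeled in Python as an added example; this is not ASA code and not part of the original text. It takes the static rules in the argument order of the static command (real interface, mapped interface, mapped address, real address), builds a constructed DNS reply for www.securemeinc.com, and rewrites the A records in the direction the egress interface requires: toward the real interface, mapped becomes real (Example 5-44); toward the mapped interface, real becomes mapped (Example 5-45). The interface names inside and outside and the two addresses come from the text; the second answer address 198.51.100.9 and the CNAME web.securemeinc.com are assumptions added to show that records no rule covers are left alone. It goes slightly beyond the text in that the same function also serves a reply leaving toward the outside and refuses to touch a query.

```python
"""Pure-Python model of Cisco ASA DNS doctoring (DNS rewrite).
Added illustration, not ASA code: rewrite A-record payloads in a DNS reply
according to static NAT rules carrying the dns keyword; leave the rest alone."""
import ipaddress
import struct
from dataclasses import dataclass

A_RECORD = 1
CNAME_RECORD = 5


@dataclass(frozen=True)
class StaticNat:
    """One rule, in the argument order of
    static (real_ifc,mapped_ifc) mapped_ip real_ip netmask 255.255.255.255 dns"""
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str


def _encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels plus the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name, compressed or not."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:   # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _rr_offsets(msg: bytes):
    """Yield (rdata_offset, rtype, rdlength) for each RR in the answer,
    authority and additional sections."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield off, rtype, rdlen
        off += rdlen


def build_reply(qname: str, a_addrs, cname=None) -> bytes:
    """Constructed DNS response (not a real capture): one question, an
    optional CNAME, then one A record per address.  Owner names use the
    compression pointer 0xC00C back to the question, as real servers do."""
    rrs = [(CNAME_RECORD, _encode_name(cname))] if cname else []
    rrs += [(A_RECORD, ipaddress.IPv4Address(a).packed) for a in a_addrs]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rrs), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", A_RECORD, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
        for rtype, rdata in rrs)
    return header + question + answers


def a_records(msg: bytes) -> list:
    """Dotted-quad strings of every A record in a DNS message."""
    return [str(ipaddress.IPv4Address(msg[o:o + 4]))
            for o, rtype, rdlen in _rr_offsets(msg)
            if rtype == A_RECORD and rdlen == 4]


def doctor_reply(msg: bytes, egress_ifc: str, rules) -> bytes:
    """Rewrite the A records of a DNS reply about to leave on egress_ifc.
    A client on the real interface must see the real address (Figure 5-21);
    a client on the mapped interface must see the mapped address (Figure 5-22).
    Queries and non-A records pass through untouched."""
    xlate = {}
    for r in rules:
        mapped = ipaddress.IPv4Address(r.mapped_ip).packed
        real = ipaddress.IPv4Address(r.real_ip).packed
        if egress_ifc == r.real_ifc:
            xlate[mapped] = real
        elif egress_ifc == r.mapped_ifc:
            xlate[real] = mapped
    (flags,) = struct.unpack_from("!H", msg, 2)
    if not flags & 0x8000:                         # QR bit clear: a query
        return msg
    out = bytearray(msg)
    for off, rtype, rdlen in _rr_offsets(msg):
        rdata = msg[off:off + 4]
        if rtype == A_RECORD and rdlen == 4 and rdata in xlate:
            out[off:off + 4] = xlate[rdata]        # same length, no resizing
    return bytes(out)
```

Only the DNS payload is modeled: an A record's RDATA stays four bytes, so the message length and any TCP sequence numbers are unaffected, but a real appliance also recomputes the UDP or TCP checksum of the rewritten packet. The walker skips compressed and uncompressed owner names, which is what lets the appliance find the RDATA of every record regardless of how the server laid out the reply.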