DNS Doctoring

In many network deployments, the DNS servers and DNS clients are located on different subnets which are connected through the security appliance, setup for address translation. This is illustrated in Figure 5-20. The web server (www.securemeinc.com) and the web clients are toward the inside network, whereas the DNS server is on the outside network. The real IP address of the server is and the translated public address is

Figure 5-20. DNS and NAT Without DNS Doctoring

The problem arises when a web client (Host A) tries to access the web server using its host name. In this scenario, the following sequence of events occurs:

  1. Host A sends a request to the DNS server, inquiring about the IP address of the web server.
  2. The source IP address is translated to using dynamic PAT.
  3. The DNS server replies with the translated IP address of the web server ( as a type A DNS record.
  4. The security appliance translates the destination IP address to (Host A's IP address).
  5. The client, not knowing that the web server is on the same subnet, tries to connect to the public IP address.
  6. The security appliance drops the packets, because it does not allow packet redirection on the same interface.

The DNS doctoring feature of Cisco ASA inspects the data payload of the DNS replies and changes the type A DNS record (IP address sent by the DNS server) to an address specified in the NAT configuration. In Figure 5-21, the security appliance modifies the IP address in the payload from to (Step 4) before forwarding the DNS reply to the client. The client uses this address to connect to the web server.

Figure 5-21. DNS and NAT with DNS Doctoring

The DNS doctoring feature can be enabled by adding the dns keyword to the static and/or nat commands that are translating the real IP address of the server. In Example 5-44, a static NAT entry is set up to translate a real IP address from to a global IP address, The dns keyword is specified to enable DNS doctoring for this server.

Example 5-44. Configuration of DNS Doctoring

Chicago(config)# static (inside,outside) netmask dns


The security appliance also supports DNS doctoring using the alias command. However, the recommended method is to use DNS doctoring with static and nat commands, because the alias command will be deprecated in the future.

DNS doctoring can also be set up for the outside NAT connections. This is useful in deployments where the DNS server and the content (such as web or e-mail) server reside on the outside network and the clients are located on the inside network, as shown in Figure 5-22.

Figure 5-22. DNS Doctoring for Outside NAT

The following sequence of events takes place when a host on the inside network connects to a web server on the outside network:

  1. Host A sends a DNS query to the server to resolve www.securemeinc.com.
  2. The security appliance translates the source IP address to before forwarding the packet to the DNS server.
  3. The DNS server replies with the IP address of the web server,, in the data payload.
  4. The security appliance changes the embedded IP address to before it forwards the reply to Host A.
  5. The client sends a TCP SYN packet to connect to the web server using as the destination IP address
  6. As the packet passes through, the security appliance changes the destination IP address to The packet gets routed to the Internet before it reaches the web server.

Example 5-45 shows the respective configuration of the security appliance to enable DNS doctoring for outside NAT.

Example 5-45. Configuration of DNS Doctoring for Outside NAT

Chicago(config)# static (outside,inside) netmask dns

Part I: Product Overview

Introduction to Network Security

Product History

Hardware Overview

Part II: Firewall Solution

Initial Setup and System Maintenance

Network Access Control

IP Routing

Authentication, Authorization, and Accounting (AAA)

Application Inspection

Security Contexts

Transparent Firewalls

Failover and Redundancy

Quality of Service

Part III: Intrusion Prevention System (IPS) Solution

Intrusion Prevention System Integration

Configuring and Troubleshooting Cisco IPS Software via CLI

Part IV: Virtual Private Network (VPN) Solution

Site-to-Site IPSec VPNs

Remote Access VPN

Public Key Infrastructure (PKI)

Part V: Adaptive Security Device Manager

Introduction to ASDM

Firewall Management Using ASDM

IPS Management Using ASDM

VPN Management Using ASDM

Case Studies

Cisco Asa(c) All-in-one Firewall, IPS, And VPN Adaptive Security Appliance
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net