In many network deployments, the DNS servers and DNS clients are located on different subnets that are connected through the security appliance, which is set up for address translation. This is illustrated in Figure 5-20. The web server (www.securemeinc.com) and the web clients are on the inside network, whereas the DNS server is on the outside network. The real IP address of the server is 192.168.10.20 and the translated public address is 209.165.200.227.
Figure 5-20. DNS and NAT Without DNS Doctoring
The problem arises when a web client (Host A) tries to access the web server using its host name. In this scenario, the following sequence of events occurs:
The DNS doctoring feature of Cisco ASA inspects the data payload of DNS replies and changes the type A DNS record (the IP address sent by the DNS server) to the address specified in the NAT configuration. In Figure 5-21, the security appliance modifies the IP address in the payload from 209.165.200.227 to 192.168.10.20 (Step 4) before forwarding the DNS reply to the client. The client then uses this address to connect to the web server, so the connection stays on the inside network instead of hairpinning through the public address.
Figure 5-21. DNS and NAT with DNS Doctoring
The DNS doctoring feature is enabled by adding the dns keyword to the static and/or nat commands that translate the real IP address of the server. In Example 5-44, a static NAT entry is set up to translate the real IP address 192.168.10.20 to the global IP address 209.165.200.227. The dns keyword is specified to enable DNS doctoring for this server.
Example 5-44. Configuration of DNS Doctoring
Chicago(config)# static (inside,outside) 209.165.200.227 192.168.10.20 netmask 255.255.255.255 dns
Note
The security appliance also supports DNS doctoring using the alias command. However, the recommended method is to use DNS doctoring with static and nat commands, because the alias command will be deprecated in the future.
DNS doctoring can also be set up for outside NAT connections. This is useful in deployments where the DNS server and the content server (such as a web or e-mail server) both reside on the outside network and the clients are located on the inside network, as shown in Figure 5-22. Here the DNS server answers with the server's real outside address, and the security appliance rewrites it to the mapped inside address so that the client's connection matches the outside NAT translation.
Figure 5-22. DNS Doctoring for Outside NAT
The following sequence of events takes place when a host on the inside network connects to a web server on the outside network:
Example 5-45 shows the respective configuration of the security appliance to enable DNS doctoring for outside NAT.
Example 5-45. Configuration of DNS Doctoring for Outside NAT
Chicago(config)# static (outside,inside) 192.168.10.20 209.165.201.20 netmask 255.255.255.255 dns
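To make the rewrite behind Examples 5-44 and 5-45 concrete, the following Python script is an added simulation of what DNS doctoring does to a reply; it is not code from the book and not how the ASA implements the feature internally. It assumes a small NAT table built from the two static entries above (interface pair, real address, mapped address, and whether the dns keyword was given), builds a constructed DNS response for www.securemeinc.com (a test message, not a capture), walks the answer section (including compressed names), and replaces each A record the same way the appliance does: a reply travelling from the mapped interface toward the real interface gets mapped-to-real, and a reply travelling the other way gets real-to-mapped. Entries without the dns keyword, queries (QR=0), and records other than IPv4 A records are left alone. The function and variable names are the example's own.

```python
import ipaddress
import struct

# Constructed NAT tables mirroring the two configuration examples on this page.
# Tuple layout: (real_iface, mapped_iface, real_ip, mapped_ip, dns_keyword)
NAT_EXAMPLE_5_44 = [
    # static (inside,outside) 209.165.200.227 192.168.10.20 netmask 255.255.255.255 dns
    ("inside", "outside", "192.168.10.20", "209.165.200.227", True),
]
NAT_EXAMPLE_5_45 = [
    # static (outside,inside) 192.168.10.20 209.165.201.20 netmask 255.255.255.255 dns
    ("outside", "inside", "209.165.201.20", "192.168.10.20", True),
]


def rewrite_address(addr, nat_table, from_iface, to_iface):
    """Return the doctored address for an A record in a reply going from_iface -> to_iface."""
    for real_iface, mapped_iface, real_ip, mapped_ip, dns_keyword in nat_table:
        if not dns_keyword:          # no 'dns' keyword: translation exists but payload is untouched
            continue
        # Reply enters on the mapped side and leaves toward the real side: mapped -> real
        if from_iface == mapped_iface and to_iface == real_iface and addr == mapped_ip:
            return real_ip
        # Reply enters on the real side and leaves toward the mapped side: real -> mapped
        if from_iface == real_iface and to_iface == mapped_iface and addr == real_ip:
            return mapped_ip
    return addr


def skip_name(msg, off):
    """Return the offset just past a DNS name at off, handling RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:    # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def doctor_dns_reply(msg, nat_table, from_iface, to_iface):
    """Rewrite IPv4 A records in a DNS reply. Returns (new_message, [(old, new), ...])."""
    buf = bytearray(msg)
    flags = struct.unpack_from("!H", buf, 2)[0]
    if not flags & 0x8000:           # QR bit clear: this is a query, nothing to doctor
        return bytes(buf), []
    qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHH", buf, 4)
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4            # skip QTYPE and QCLASS
    changes = []
    for _ in range(ancount + nscount + arcount):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # IN A record; 4-byte RDATA, length unchanged
            old = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            new = rewrite_address(old, nat_table, from_iface, to_iface)
            if new != old:
                buf[off:off + 4] = ipaddress.IPv4Address(new).packed
                changes.append((old, new))
        off += rdlen
    return bytes(buf), changes


def a_records(msg):
    """List the IPv4 addresses in the answer section of a DNS message (for inspection/tests)."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(bytes(msg[off:off + 4]))))
        off += rdlen
    return addrs


def build_a_reply(qname, addrs, txid=0x1234, ttl=300, is_reply=True):
    """Construct a minimal DNS message: one question plus one A record per address (test input)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    flags = 0x8180 if is_reply else 0x0100       # QR/RD/RA for a reply, RD only for a query
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs) if is_reply else 0, 0, 0)
    question = name + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    if is_reply:
        for a in addrs:
            # 0xC00C: compression pointer back to the question name at offset 12
            answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(a).packed
    return header + question + answers


if __name__ == "__main__":
    reply = build_a_reply("www.securemeinc.com", ["209.165.200.227"])
    doctored, changes = doctor_dns_reply(reply, NAT_EXAMPLE_5_44, "outside", "inside")
    print("Figure 5-21:", changes, "->", a_records(doctored))
    reply = build_a_reply("www.securemeinc.com", ["209.165.201.20"])
    doctored, changes = doctor_dns_reply(reply, NAT_EXAMPLE_5_45, "outside", "inside")
    print("Figure 5-22:", changes, "->", a_records(doctored))
```

Two practical points the simulation makes visible. First, because an IPv4 A record is a fixed 4-byte RDATA field, the rewritten reply is exactly the same length as the original, so the appliance only has to recompute the UDP/IP checksums rather than resize the packet; the TTL and every other record are left untouched. Second, on the ASA the rewrite only happens for replies that pass through DNS application inspection, so if `inspect dns` has been removed from the global policy the dns keyword on the static command has no effect, and the client will still receive the untranslated address.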