Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide
37-3
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 37 Configuring Inspection of Basic Internet Protocols
DNS Inspection
How DNS Rewrite Works
When DNS inspection is enabled, DNS rewrite provides full support for NAT of DNS messages originating from any interface.

If a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A-record is translated correctly. If the DNS inspection engine is disabled, the A-record is not translated.

As long as DNS inspection remains enabled, you can configure DNS rewrite using a NAT rule.

DNS rewrite performs two functions:

- Translating a public address (the routable or “mapped” address) in a DNS reply to a private address (the “real” address) when the DNS client is on a private interface.
- Translating a private address to a public address when the DNS client is on the public interface.
In Figure 37-1, the DNS server resides on the external (ISP) network. The real address of the server (192.168.100.1) has been mapped using the static command to the ISP-assigned address (209.165.200.5). When a web client on the inside interface attempts to access the web server with the URL http://server.example.com, the host running the web client sends a DNS request to the DNS server to resolve the IP address of the web server. The adaptive security appliance translates the non-routable source address in the IP header and forwards the request to the ISP network on its outside interface. When the DNS reply is returned, the adaptive security appliance applies address translation not only to the destination address, but also to the embedded IP address of the web server, which is contained in the A-record in the DNS reply. As a result, the web client on the inside network gets the correct address for connecting to the web server on the inside network.

Figure 37-1 Translating the Address in a DNS Reply (DNS Rewrite)

DNS rewrite also works if the client making the DNS request is on a DMZ network and the DNS server is on an inside interface.
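The following is an added example, not code from the Cisco guide, showing what the inspection engine does to the DNS reply in Figure 37-1: it walks the answer section of a DNS response and rewrites the A-record data according to a static NAT mapping, in the direction appropriate for the interface the client is on. The NAT table, the `dns_rewrite` and `build_a_reply` helper names, and the sample reply are constructed for this example; the addresses are the ones from the figure.

```python
import struct
import ipaddress

# Constructed NAT table (real inside address -> mapped public address),
# modelled on the static translation described for Figure 37-1.
NAT_TABLE = {"192.168.100.1": "209.165.200.5"}


def build_a_reply(name, addr, txid=0x1234, ttl=300):
    """Build a minimal DNS response with one question and one A record.
    This is constructed sample input, standing in for the ISP DNS server's reply."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1; 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE=A, QCLASS=IN
    # The answer name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer


def _skip_name(msg, off):
    """Return the offset just past the domain name starting at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def _answer_records(msg):
    """Yield (rtype, rclass, rdata_offset, rdlen) for each record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def dns_rewrite(reply, client_is_inside):
    """Apply DNS rewrite to the A records of a DNS reply.

    client_is_inside=True  : the reply is headed to a private interface, so mapped -> real.
    client_is_inside=False : the reply is headed to the public interface, so real -> mapped.
    Returns (rewritten_reply, [(old_address, new_address), ...]).
    """
    if client_is_inside:
        table = {mapped: real for real, mapped in NAT_TABLE.items()}
    else:
        table = dict(NAT_TABLE)
    out = bytearray(reply)
    changes = []
    for rtype, rclass, off, rdlen in _answer_records(reply):
        if rtype == 1 and rclass == 1 and rdlen == 4:           # IN A record
            old = str(ipaddress.IPv4Address(bytes(reply[off:off + 4])))
            if old in table:
                new = table[old]
                out[off:off + 4] = ipaddress.IPv4Address(new).packed
                changes.append((old, new))
    return bytes(out), changes


def answered_addresses(reply):
    """Return the IPv4 addresses carried in the A records of a reply (what the client will use)."""
    return [str(ipaddress.IPv4Address(bytes(reply[off:off + 4])))
            for rtype, rclass, off, rdlen in _answer_records(reply)
            if rtype == 1 and rclass == 1 and rdlen == 4]


if __name__ == "__main__":
    # Reply from the ISP DNS server: server.example.com IN A 209.165.200.5
    reply = build_a_reply("server.example.com", "209.165.200.5")
    print("without DNS inspection, the inside client receives:", answered_addresses(reply))
    rewritten, changes = dns_rewrite(reply, client_is_inside=True)
    print("with DNS rewrite, the inside client receives:", answered_addresses(rewritten), changes)
```

Only the A-record data changes; header, question and transaction ID are left intact so the client still matches the reply to its query. The "without inspection" line shows the failure mode the text describes: the inside client would be handed 209.165.200.5, the ISP-facing address of a server that sits next to it on the inside network.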
Configuring DNS Rewrite
You configure DNS rewrite using the NAT configuration.
Figure 37-2 provides a more complex scenario to illustrate how DNS inspection allows NAT to operate transparently with a DNS server with minimal configuration.
[Figure 37-1 labels: Web server, server.example.com, 192.168.100.1; Web client, http://server.example.com, 192.168.100.2; ISP / Internet; DNS server reply: server.example.com IN A 209.165.200.5; Security appliance rewrites the answer 209.165.200.5 to 192.168.100.1]