DNS zone transfer inspection

lganeva
Level 1

Hi all,

I am trying to make my PIX 535 perform DNS inspection on zone transfers, and with every further step it seems more impossible to me. Has anyone done such stuff before?

Any help will be appreciated,

BR,

Lora

2 Replies

ebreniz
Level 6

This document provides a sample configuration to perform Domain Name System (DNS) doctoring on the ASA 5500 Series Adaptive Security Appliance or PIX 500 Series Security Appliance that uses static Network Address Translation (NAT) statements. DNS doctoring allows the security appliance to rewrite DNS A-records.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml


@ebreniz wrote:

This document provides a sample configuration to perform Domain Name System (DNS) doctoring on the ASA 5500 Series Adaptive Security Appliance or PIX 500 Series Security Appliance that uses static Network Address Translation (NAT) statements. DNS doctoring allows the security appliance to rewrite DNS A-records.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml



Your response is, unfortunately, not helpful for the question asked. Lora had asked specifically about inspection on DNS zone transfers. I have the same problem/question. We know DNS rewrite works for DNS queries, but can it work for whole zone transfers? I just started using a cloud DNS service, with my internal DNS servers as the primary from which the cloud DNS receives the zone data. Since they're internal, they have internal IPs in them, and the ASA translates them to the public IPs when people outside our intranet query our DNS servers. But I just had two whole domains go down, because I didn't notice that, when the zone transfer was performed, the IPs didn't get translated. So when we kicked over to the cloud DNS for DNS on those domains, everything went dead. Is there a way to get actual zone transfers translated, or do we need to keep whole separate copies of our DNS zones for the outside again, essentially undoing the benefits of the DNS rewriting the ASA does? From the documentation at https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/inspect_basic.html#wp1335632 it seems to indicate it's done for A records, but doesn't mention zone transfers, so that's why we're wondering.
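The failure described above (a secondary receiving the zone with the internal, pre-NAT addresses intact) can be caught before cutting over. As an added example, not from this thread or from Cisco, the Python check below scans a zone copy for A records that still carry RFC 1918 addresses and looks up what the static NAT table says the public address should be; the zone text and NAT table are constructed samples.

```python
import ipaddress
import re

# Constructed sample: a zone as a secondary might receive it via AXFR from an
# internal primary, with the internal addresses still in the A records.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@        3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
@        3600 IN NS  ns1.example.com.
ns1      3600 IN A   10.0.0.53
www      3600 IN A   10.0.0.80
intranet 3600 IN A   192.168.5.10   ; no public mapping exists for this host
mail     3600 IN A   203.0.113.25   ; already a public address
"""

# Constructed static NAT table (inside address -> outside address), the same
# mapping the firewall's DNS rewrite would apply to answers to ordinary queries.
STATIC_NAT = {
    "10.0.0.53": "203.0.113.53",
    "10.0.0.80": "203.0.113.80",
}

# RFC 1918 ranges; checked explicitly rather than via ip.is_private, which also
# covers documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# owner [ttl] [IN] A address  (AAAA and other types do not match "A" + whitespace)
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)\s*$")


def a_records(zone_text):
    """Yield (fully qualified owner, address) for every A record in zone-file style text."""
    origin = ""
    for line in zone_text.splitlines():
        line = line.split(";")[0].rstrip()          # drop comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = A_RECORD.match(line)
        if m:
            owner = m.group(1)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
            yield owner, m.group(2)


def untranslated_records(zone_text, nat_table):
    """Return (owner, internal_ip, expected_public_ip_or_None) for every A record
    that still carries an RFC 1918 address, i.e. records the rewrite never touched."""
    findings = []
    for owner, addr in a_records(zone_text):
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in RFC1918):
            findings.append((owner, addr, nat_table.get(addr)))
    return findings
```

A `None` in the third column means the host has no static mapping at all, so it would have been unreachable from outside even if the rewrite had applied.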
