Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1141
Views
4
Helpful
2
Replies

DNS Doctoring - ASA 5510

leandro.candido
Level 1
Level 1

‎05-12-2009 08:34 PM - edited ‎03-11-2019 08:31 AM

Hi,

I have a situation. I have a scenario that a inside host network is reached by url www.abcd.com, but the internal dns dosen't resolve this name and it trys resolve with ip public registred on internet.

I understood that I need to use the DNS KEYWORD (DOCTOR OR REWRITE)to solve this. However, I am using the static pat and I don't know if I use the dns keyword with in static pat, will work or not it.

Do you if is there some alternative mode to resolve this case, if the keyword dosen't work with static pat?

Thanks

Labels:
0 Helpful
2 Replies 2

hasmurizal
Level 1
Level 1

‎05-13-2009 12:11 AM

hi

does the web server hosting inside your network? or is it outside hosting? not sure what your exact problem but is your DNS server funtionally working?

on the ASA have you open ort UDP53?

0 Helpful

sachinga.hcl
Level 4
Level 4
In response to hasmurizal

‎05-13-2009 02:58 AM

Hi Lenardo,

HI Dear,

Have you checked if DNS inspection enabled.

Please remember DNS inspection must be enabled in order to perform DNS doctoring on the security appliance. DNS inspection is on by default. However, if it has been turned off, please re-enable it first of all.

Also note that DNS doctoring is enabled when you add the dns keyword to a static NAT statement.

As you know that In a typical DNS exchange a client sends a URL or hostname to a DNS server in order to determine the IP address of that host. The DNS server receives the request, looks up the name-to-IP-address mapping for that host, and then provides the A-record with the IP address to the client(suppose it is Public IP in your case it is 192.168.x.y) as DNS server is outide the LAN.

While this procedure works well in many situations, problems can occur. These problems can occur when the client and the host that the client tries to reach are both on the same private network behind NAT, but the DNS server used by the client is on another public network.

In this scenario, the client is located on the inside interface of the ASA(192.168.x.y). The WWW server that the client tries to reach is located on the dmz interface of the ASA(10.10.x.y).

Dynamic PAT is configured to allow the client access to the Internet. Not from intenet to inside remember.

Static NAT with an access-list is configured to allow the server access to the Internet, as well as allow Internet hosts to access the WWW server.

In this case, the client at 192.168.x.y wants to access the WWW server at 10.10.10.10. DNS services for the client are provided by the external DNS server at Routable IP addresses which you have assigned to the outside/WAN interface I think 40.40.40.78 or something in this range.

. Because the DNS server is located on another public network, it does not know the private IP address of the WWW server(something in the range 10.10.x.y or I think 10.10.10.10). Instead, it knows the WWW server mapped address of wan range ie. 40.40.40.x or something like this.

Thus, the DNS server contains the IP-address-to-name mapping of server.example.com to 40.40.40.x.

Without DNS doctoring or another solution enabled in this situation, if the client sends a DNS request for the IP address of WWW server using its name , it is unable to access the WWW server. This is because the client receives an A-record that contains the mapped public address of 40.40.40.x for the WWW server. When the client tries to access this IP address, the security appliance drops the packets because it does not allow packet redirection on the same interface.

So make smoe classmaps(kind of traffic of your interest) , policy maps(what action you want to take on this class map interseted traffic) and then apply policymaps to service-policy(attach it to the interface).

Here is an example as follows:

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Kindly find the reference document for 3 interfaces as follows:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Hope your problem resolve this time.

It would be much better if you can share your config so that I Can find the exactly what is missing or incorrectly configured.

Kindly rate if it works for you.

Best Regards,

Sachin

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card