DNS Doctoring

Answered Question
Aug 9th, 2010

Does anyone know if DNS doctoring is supported in the newer 8.3 code?  It looks like you can append the dns keyword to a NAT translation and if you inspect DNS the ASA will "un-NAT" the connection, according to some of the 8.3 CLI documentation I've read, but it doesn't work for me.

nat (inside,outside) source static COMM-USWEB_192.168.10.18 COMM-USWEB_21.21.24.24 dns

thank you,

Bill

Correct Answer
Kureli Sankar Mon, 08/09/2010 - 08:22

Yes. Here is a sample. Have you enabled DNS inspection, and does the DNS traffic go through this ASA?

Before ASA 8.3 (DNS rewrite):

static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns

ASA 8.3 and later (object NAT):

object network obj-192.168.100.10
  host 192.168.100.10
  nat (inside,outside) static 172.20.1.10 dns

-KS
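To make concrete what the `dns` keyword on a static NAT does once `inspect dns` is in place, here is an added example (written for this page, not code from the thread or from Cisco) that performs the same rewrite on a raw DNS reply: it walks the message, finds A records whose rdata is the mapped (public) address, and replaces it with the real (inside) address so the inside client receives the private IP. The NAT pair is the one from the original question (192.168.10.18 real, 21.21.24.24 mapped); the hostname www.example.com and the handcrafted reply packet are constructed for the example.

```python
"""Simulate ASA DNS doctoring ("DNS rewrite") on a DNS A-record reply.

Added example, not from the thread or from Cisco. With `nat ... static <mapped> dns`
plus `inspect dns`, the ASA rewrites an A record carrying the mapped address into
the real address before forwarding the reply to the inside client. Only A records
(type 1, class IN, 4-byte rdata) are touched; lengths never change, so no other
offset in the message moves.
"""
import ipaddress
import struct

# Static NAT pair from the question, keyed the way a reply headed to the inside
# client needs it: mapped (outside) address -> real (inside) address.
NAT_TABLE = {"21.21.24.24": "192.168.10.18"}


def _skip_name(msg, off: int) -> int:
    """Return the offset just past the (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def _records(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every RR after the question section."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QNAME then QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(msg: bytes) -> list:
    """Dotted-quad addresses of all IN A records in the message, in wire order."""
    return [str(ipaddress.IPv4Address(bytes(msg[o:o + 4])))
            for o, t, c, n in _records(msg) if t == 1 and c == 1 and n == 4]


def doctor_dns_reply(msg: bytes, nat_table: dict) -> tuple:
    """Rewrite A-record rdata found in `nat_table`; return (new_message, records_rewritten)."""
    buf = bytearray(msg)
    rewritten = 0
    for off, rtype, rclass, rdlen in _records(buf):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addr = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            if addr in nat_table:
                # same-length substitution: the rest of the packet is untouched
                buf[off:off + 4] = ipaddress.IPv4Address(nat_table[addr]).packed
                rewritten += 1
    return bytes(buf), rewritten


def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def build_reply(name: str, answer_ip: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a one-question, one-answer DNS response with a 300 s A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR=1, RD=1, RA=1
    question = _encode_name(name) + struct.pack("!HH", 1, 1)        # QTYPE A, QCLASS IN
    # answer owner name is a compression pointer (0xC00C) back to the question name
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    answer += ipaddress.IPv4Address(answer_ip).packed
    return header + question + answer


if __name__ == "__main__":
    # What the public DNS server returns to the inside client (constructed sample)...
    reply = build_reply("www.example.com", "21.21.24.24")
    # ...and what the inside client sees after the "doctoring" step.
    fixed, count = doctor_dns_reply(reply, NAT_TABLE)
    print(a_records(reply), "->", a_records(fixed), f"({count} record rewritten)")
```

The same function covers the reverse case (an outside client querying a DNS server on the inside) by passing the table inverted, real address to mapped address, which is what the ASA does when the reply leaves toward the mapped side. Everything here, like the ASA's rewrite, depends on the reply actually traversing the firewall on the interfaces named in the NAT statement; a reply that never crosses the ASA is never rewritten, which is exactly what the captures in the rest of this thread are for.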

WILLIAM STEGMAN Mon, 08/09/2010 - 08:43

I have DNS inspection occurring at the global policy, and the traffic should be running across the ASA.  I changed the dns keyword to include it in object nat, but no change.

object network COMM-USWEB_192.168.10.18
nat (inside,outside) static 21.21.24.24 dns

object network COMM-USAIGWEB_192.168.10.18
host 192.168.10.18

Kureli Sankar Mon, 08/09/2010 - 09:44

Make sure the dns traffic is going through this ASA.

cap capin int inside match udp ho 192.168.10.18 any eq 53

cap capout interface outside match udp ho 21.21.24.24 any eq 53

sh cap capin

sh cap capout

-KS

WILLIAM STEGMAN Mon, 08/09/2010 - 10:22

It looks like the traffic is not crossing the ASA.  I don't understand that though.  I have clients on the inside trying to access a web server that sits on the inside as well, but has no internal DNS entry.  So those clients use the internal DNS server, which forwards the request to the Internet and gives the public IP, but of course that's the traffic that is being denied by the ASA and is what DNS doctoring is supposed to fix.  Why wouldn't the DNS traffic be crossing the ASA?  My access list on the inside interface allows both TCP and UDP DNS.

WILLIAM STEGMAN Mon, 08/09/2010 - 10:38

I found the acl that was blocking it, on a router between the host and firewall, made a change and it's working now.  Thank you very much.

Kureli Sankar Mon, 08/09/2010 - 10:57

Very glad to hear.  Capture for the win - yet again!

I should have given capture syntax for all other DNS resolution. My bad.

cap capin int inside match udp any any eq 53

cap capout int outside match udp any any eq 53

sh cap capin

sh cap capout

-KS
