DNS Doctoring

WILLIAM STEGMAN
Level 4

Does anyone know if DNS doctoring is supported in the newer 8.3 code?  It looks like you can append the dns keyword to a nat translation and if you inspect DNS the ASA will "un-nat" the connection, according to some of the 8.3 CLI documentation I've read, but it doesn't work for me.

nat (inside,outside) source static COMM-USWEB_192.168.10.18 COMM-USWEB_21.21.24.24 dns

thank you,

Bill

Accepted Solution

Kureli Sankar
Cisco Employee

Yes. Here is a sample. Have you enabled dns inspection and does the dns traffic go through this ASA?

DNS rewrite, before ASA 8.3:

static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns

DNS rewrite, ASA 8.3:

 object network obj-192.168.100.10
   host 192.168.100.10
   nat (inside,outside) static 172.20.1.10 dns

-KS


6 Replies


I have DNS inspection occurring at the global policy, and the traffic should be running across the ASA.  I changed the dns keyword to include it in object nat, but no change.

object network COMM-USWEB_192.168.10.18
nat (inside,outside) static 21.21.24.24 dns

object network COMM-USAIGWEB_192.168.10.18
host 192.168.10.18

Make sure the dns traffic is going through this ASA.

cap capin int inside match udp ho 192.168.10.18 any eq 53

cap capout interface outside match udp ho 21.21.24.24 any eq 53

sh cap capin

sh cap capout

-KS

It looks like the traffic is not crossing the ASA.  I don't understand that though.  I have clients on the inside trying to access a web server that sits on the inside as well, but has no internal DNS entry.  So those clients use the internal DNS server, which forwards the request to the Internet and gives the public IP, but of course that's the traffic that is being denied by the ASA and is what DNS doctoring is supposed to fix.  Why wouldn't the DNS traffic be crossing the ASA?  My access list on the inside interface allows both TCP and UDP DNS.
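To make the mechanism in this thread concrete, here is a small Python model of what the dns keyword on the static NAT asks the ASA to do: when a DNS reply carrying the mapped (public) address passes through DNS inspection toward an inside host, the A record is rewritten to the real (inside) address, so the client connects directly instead of hairpinning to the public IP. This is an added example, not code from the thread or from Cisco; it models only IPv4 A records in a single reply, and the hostname and the constructed DNS packets are placeholders. The address pairs are the ones quoted in the thread (172.20.1.10/192.168.100.10 from the sample, 21.21.24.24/192.168.10.18 from Bill's NAT).

```python
"""Toy model of ASA DNS doctoring (DNS rewrite) on A records.

Added example; not the ASA's code. It parses a DNS reply, finds A records
whose RDATA equals a mapped (outside) address in a static NAT table, and
rewrites them to the real (inside) address, exactly the "un-nat" that the
'dns' keyword enables when DNS inspection sees the reply.
"""
import ipaddress
import struct

# Static NAT table: mapped (outside) address -> real (inside) address.
# Addresses come from the thread; the table itself is constructed here.
NAT_MAPPED_TO_REAL = {
    "172.20.1.10": "192.168.100.10",   # sample static NAT in the accepted answer
    "21.21.24.24": "192.168.10.18",    # Bill's inside web server
}


def _encode_name(name):
    """Encode a dotted hostname as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname, answers, txid=0x1234):
    """Construct a DNS reply (QR=1) with one A record per address in answers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = b""
    for ip in answers:
        # Owner name is a compression pointer (0xC00C) back to the question name.
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        rrs += ipaddress.IPv4Address(ip).packed
    return header + question + rrs


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(msg):
    """Yield the byte offset of each 4-byte A-record RDATA in the reply."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def a_records(msg):
    """List the IPv4 addresses carried in A records of a DNS message."""
    return [str(ipaddress.IPv4Address(bytes(msg[o:o + 4])))
            for o in _a_record_offsets(msg)]


def doctor_response(msg, nat_table=NAT_MAPPED_TO_REAL):
    """Rewrite mapped addresses in A records to their real (inside) addresses.

    Returns (rewritten_message, [(mapped, real), ...]). Queries (QR=0) and
    messages with no matching A record are returned unchanged. RDATA length
    never changes, so no length fields need fixing up.
    """
    flags = struct.unpack_from("!H", msg, 2)[0]
    if not flags & 0x8000:
        return bytes(msg), []
    buf = bytearray(msg)
    rewrites = []
    for off in _a_record_offsets(buf):
        mapped = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        real = nat_table.get(mapped)
        if real:
            buf[off:off + 4] = ipaddress.IPv4Address(real).packed
            rewrites.append((mapped, real))
    return bytes(buf), rewrites


if __name__ == "__main__":
    # Constructed reply: the external resolver answers with the public address.
    reply = build_a_response("web.example.test", ["21.21.24.24"])
    fixed, changes = doctor_response(reply)
    print("before:", a_records(reply), "after:", a_records(fixed), changes)
```

The point the capture commands in the thread make still holds here: the rewrite can only happen if the reply actually traverses the ASA interface where DNS inspection runs, which is why a reply that never reaches the firewall (as in Bill's case, where a router ACL dropped it) is never doctored.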

I found the acl that was blocking it, on a router between the host and firewall, made a change and it's working now.  Thank you very much.

Very glad to hear.  Capture for the win - yet again!

I should have given capture syntax for all other DNS resolution. My bad.

cap capin int inside match udp any any eq 53

cap capout int outside match udp any any eq 53

sh cap capin

sh cap capout

-KS
