08-09-2010 08:11 AM - edited 03-11-2019 11:22 AM
Does anyone know if DNS doctoring is supported in the newer 8.3 code? It looks like you can append the dns keyword to a nat translation and if you inspect DNS the ASA will "un-nat" the connection, according to some of the 8.3 cli documentation I've read, but it doesn't work for me.
nat (inside,outside) source static COMM-USWEB_192.168.10.18 COMM-USWEB_21.21.24.24 dns
thank you,
Bill
08-09-2010 08:22 AM
Yes. Here is a sample. Have you enabled dns inspection and does the dns traffic go through this ASA?
| Before | ASA 8.3 |
|---|---|
| DNS rewrite: `static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns` | `object network obj-192.168.100.10`<br>` host 192.168.100.10`<br>` nat (inside,outside) static 172.20.1.10 dns` |
-KS
08-09-2010 08:43 AM
I have DNS inspection occurring at the global policy, and the traffic should be running across the ASA. I changed the dns keyword to include it in object nat, but no change.
object network COMM-USWEB_192.168.10.18
 nat (inside,outside) static 21.21.24.24 dns
object network COMM-USAIGWEB_192.168.10.18
 host 192.168.10.18
08-09-2010 09:44 AM
Make sure the dns traffic is going through this ASA.
cap capin int inside match udp ho 192.168.10.18 any eq 53
cap capout interface outside match udp ho 21.21.24.24 any eq 53
sh cap capin
sh cap capout
-KS
08-09-2010 10:22 AM
It looks like the traffic is not crossing the ASA. I don't understand that though. I have clients on the inside trying to access a web server that sits on the inside as well, but has no internal DNS entry. So those clients use the internal DNS server, which forwards the request to the Internet and gets the public IP, but of course that's the traffic that is being denied by the ASA and is what DNS doctoring is supposed to fix. Why wouldn't the DNS traffic be crossing the ASA? My access list on the inside interface allows both tcp and udp dns.
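The rewrite the ASA performs in this scenario is easy to lose sight of behind the NAT syntax, so here is a small Python model of it (added here as an illustration; it is not code from this thread or from Cisco). It assumes the static NAT from the question, real 192.168.10.18 mapped to 21.21.24.24, builds a constructed DNS reply carrying the public address, and shows that a reply crossing from outside to inside has the mapped address replaced by the real one, while the same record crossing inside to outside is rewritten the other way. The packet layout is standard DNS wire format; the `build_dns_response` helper and the interface names are assumptions for the demo.

```python
import struct
from ipaddress import IPv4Address

# Constructed static NAT table, real (inside) -> mapped (outside), mirroring
# "nat (inside,outside) static 21.21.24.24 dns" from the thread.
STATIC_NAT = {"192.168.10.18": "21.21.24.24"}


def build_dns_response(qname, answer_ip, txid=0x1234):
    """Constructed test input: a minimal DNS response with a single A record."""
    # QR=1, RD=1, RA=1; 1 question, 1 answer, 0 authority, 0 additional
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)       # QTYPE=A, QCLASS=IN
    # Answer name is a compression pointer to offset 12 (the question name).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(answer_ip).packed
    return header + question + answer


def _skip_name(buf, pos):
    """Advance past a DNS name (plain labels or a compression pointer)."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer
            return pos + 2
        pos += 1 + length


def doctor_dns_reply(packet, from_iface, to_iface):
    """Model of ASA DNS rewrite for a static NAT with the dns keyword.

    Returns (rewritten_packet, [(old_ip, new_ip), ...]).
    Replies entering on the mapped side (outside -> inside) get mapped
    addresses replaced by real ones; replies leaving toward the mapped side
    (inside -> outside) get real addresses replaced by mapped ones.
    """
    if (from_iface, to_iface) == ("outside", "inside"):
        table = {mapped: real for real, mapped in STATIC_NAT.items()}
    elif (from_iface, to_iface) == ("inside", "outside"):
        table = dict(STATIC_NAT)
    else:
        return packet, []

    buf = bytearray(packet)
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    if not flags & 0x8000:
        return packet, []               # only responses carry A records to rewrite

    pos = 12
    for _ in range(qd):                 # skip the question section
        pos = _skip_name(buf, pos) + 4

    rewrites = []
    for _ in range(an + ns + ar):       # walk every resource record
        pos = _skip_name(buf, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addr = str(IPv4Address(bytes(buf[pos:pos + 4])))
            if addr in table:
                buf[pos:pos + 4] = IPv4Address(table[addr]).packed
                rewrites.append((addr, table[addr]))
        pos += rdlen
    return bytes(buf), rewrites


if __name__ == "__main__":
    reply = build_dns_response("www.example.com", "21.21.24.24")
    doctored, changes = doctor_dns_reply(reply, "outside", "inside")
    print("rewrites applied:", changes)
```

The practical point the model makes is the one KS's captures test for: the rewrite can only happen to packets the ASA actually forwards between the two NAT interfaces. A reply that never reaches the firewall, as in this thread, is left exactly as the upstream resolver sent it.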
08-09-2010 10:38 AM
I found the acl that was blocking it, on a router between the host and firewall, made a change and it's working now. Thank you very much.
08-09-2010 10:57 AM
Very glad to hear. Capture for the win - yet again!
I should have given capture syntax for all other dns resolution. My bad.
cap capin int inside match udp any any eq 53
cap capout int outside match udp any any eq 53
sh cap capin
sh cap capout
-KS