New Member

DNS Doctoring

Does anyone know if DNS doctoring is supported in the newer 8.3 code?  It looks like you can append the dns keyword to a nat translation and if you inspect DNS the ASA will "un-nat" the connection, according to some of the 8.3 CLI documentation I've read, but it doesn't work for me.

nat (inside,outside) source static COMM-USWEB_192.168.10.18 COMM-USWEB_21.21.24.24 dns

thank you,

Bill

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: DNS Doctoring

Yes. Here is a sample. Have you enabled dns inspection and does the dns traffic go through this ASA?

Before ASA 8.3 (DNS rewrite):

static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns

ASA 8.3 (DNS rewrite):

object network obj-192.168.100.10
  host 192.168.100.10
  nat (inside,outside) static 172.20.1.10 dns

-KS
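To make the "un-nat" behaviour of the dns keyword concrete, here is an added Python example (not from the thread or from Cisco) that emulates what the ASA does to a DNS reply when DNS inspection is on and the NAT rule carries dns: it walks the answer section and swaps any A record holding the mapped (outside) address for the real (inside) address. The mapping 21.21.24.24 -> 192.168.10.18 is taken from the question; the DNS message and the host name are constructed for the example, and the helper names are hypothetical.

```python
import struct
import ipaddress
from typing import Dict, List, Tuple

# Mapped (outside) address -> real (inside) address. Values come from the
# thread's NAT rule; the table structure itself is constructed for this demo.
NAT_TABLE: Dict[str, str] = {"21.21.24.24": "192.168.10.18"}


def build_a_response(name: str, addr: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS reply: one question, one A answer (constructed data).

    The answer name uses a compression pointer (0xC00C) back to the question,
    which is what real resolvers emit, so the parser must handle it.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA set
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a DNS name, honouring compression pointers."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return offset + 2
        offset += 1 + length


def _iter_answers(msg: bytes):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each answer-section record."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def answer_a_records(msg: bytes) -> List[str]:
    """List the IPv4 addresses carried in the reply's A records."""
    return [
        str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
        for off, rtype, rclass, rdlen in _iter_answers(msg)
        if rtype == 1 and rclass == 1 and rdlen == 4
    ]


def doctor_response(msg: bytes, mapped_to_real: Dict[str, str]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Rewrite A records whose RDATA equals a mapped address to the real address.

    Only the 4-byte RDATA changes, so the message length and the rest of the
    packet stay intact, just as the ASA's DNS rewrite leaves the reply otherwise
    untouched. Returns the new message and the list of (mapped, real) swaps made.
    """
    buf = bytearray(msg)
    swaps: List[Tuple[str, str]] = []
    for off, rtype, rclass, rdlen in _iter_answers(buf):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue
        addr = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        real = mapped_to_real.get(addr)
        if real is not None:
            buf[off:off + 4] = ipaddress.IPv4Address(real).packed
            swaps.append((addr, real))
    return bytes(buf), swaps


if __name__ == "__main__":
    # Inside client asks an external resolver for a host that the public DNS
    # publishes under the NAT'd address; the reply must be doctored on the way in.
    reply = build_a_response("www.example.test", "21.21.24.24")  # constructed name
    doctored, swaps = doctor_response(reply, NAT_TABLE)
    print("original answers:", answer_a_records(reply))
    print("doctored answers:", answer_a_records(doctored), "swaps:", swaps)
```

The check that matters in the thread still applies to the emulation: if the reply never traverses the firewall (as the later replies discovered), there is nothing for this rewrite to act on, so a capture on both interfaces is the first thing to verify before suspecting the NAT configuration.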

6 REPLIES
New Member

Re: DNS Doctoring

I have DNS inspection occurring at the global policy, and the traffic should be running across the ASA.  I changed the dns keyword to include it in object nat, but no change.

object network COMM-USWEB_192.168.10.18
nat (inside,outside) static 21.21.24.24 dns

object network COMM-USAIGWEB_192.168.10.18
host 192.168.10.18

Cisco Employee

Re: DNS Doctoring

Make sure the dns traffic is going through this ASA.

cap capin int inside match udp ho 192.168.10.18 any eq 53

cap capout interface outside match udp ho 21.21.24.24 any eq 53

sh cap capin

sh cap capout

-KS

New Member

Re: DNS Doctoring

It looks like the traffic is not crossing the ASA.  I don't understand that though.  I have clients on the inside trying to access a web server that sits on the inside as well, but has no internal DNS entry.  So those clients use the internal DNS server, which forwards the request to the Internet and gives the public IP, but of course that's the traffic that is being denied by the ASA and is what DNS doctoring is supposed to fix.  Why wouldn't the DNS traffic be crossing the ASA?  My access list on the inside interface allows both TCP and UDP DNS.

New Member

Re: DNS Doctoring

I found the acl that was blocking it, on a router between the host and firewall, made a change and it's working now.  Thank you very much.

Cisco Employee

Re: DNS Doctoring

Very glad to hear.  Capture for the win - yet again!

I should have given capture syntax for all other DNS resolution. My bad.

cap capin int inside match udp any any eq 53

cap capout int outside match udp any any eq 53

sh cap capin

sh cap capout

-KS
