Cisco ASA DNS Doctoring (DNS rewrite)

A couple of days ago we had an issue with a client whose Cisco ASA connects their INSIDE VLAN and GUEST VLAN out to the Internet (the GUEST VLAN is connected as a DMZ interface on the ASA). The GUEST interface is strictly for guests to get Internet access, and for security reasons clients connected to it were not allowed to reach anything on the inside. They host their own email server on the INSIDE interface, and they have clients (in particular WiFi iPhones) that connect to the GUEST network to reach the outside world.

The problem they ran into is that a lot of WiFi iPhone users on the GUEST wireless were unable to retrieve their email (from the mail server on the INSIDE interface) while connected to it. We edited the access list to allow the proper ports between the GUEST and INSIDE networks and email started to work, but only when accessed by IP. Name resolution was not working: the GUEST network used public DNS servers, and those servers resolved the mail server's name to its public IP address, which failed from the GUEST side. We could have gone through the trouble of allowing DNS queries to their internal DNS servers and solved the issue that way, but instead we used the "DNS Doctoring" function of the Cisco ASA. Here is an example static address mapping with DNS Doctoring (the IPs have been changed to protect the innocent):

static (inside,outside) 10.58.180.10 172.16.0.22 netmask 255.255.255.255 dns

The "dns" keyword on the end prompts the ASA to inspect the reply to any DNS query passing through it, and if the A record it returns is the OUTSIDE (public) address of the static mapping, the ASA rewrites it to the INSIDE (private) address before forwarding the reply. You must also have DNS inspection turned on, or the keyword has no effect. See Cisco's configuration example here.
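For reference, here is the full set of commands involved, written as an added example rather than the configuration from the post or from Cisco's documentation. It reuses the two addresses from the static above, assumes the ASA's default global policy names (global_policy, inspection_default, preset_dns_map) are still in place, and the object name mail-server in the 8.3-and-later variant is an assumed placeholder.

```cisco
! Pre-8.3 syntax (the form used in the post): static NAT for the mail server
! with DNS rewrite. 10.58.180.10 is the public address, 172.16.0.22 the private one.
static (inside,outside) 10.58.180.10 172.16.0.22 netmask 255.255.255.255 dns
!
! DNS inspection must be enabled, otherwise the "dns" keyword does nothing.
! These are the ASA's default DNS inspection policy and global service policy;
! on a stock configuration they already exist and only need to be confirmed.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
!
! Equivalent object NAT on ASA 8.3 and later (object name "mail-server" is assumed).
object network mail-server
 host 172.16.0.22
 nat (inside,outside) static 10.58.180.10 dns
!
! Checks: confirm DNS inspection is active in the applied policy, and that the
! static translation is present before testing a lookup from the guest side.
show service-policy
show xlate
```

When testing, resolve the mail server's name from a guest-side client and compare the answer with a lookup made from the outside: only the reply that traversed the ASA should return 172.16.0.22, and the inspection counters in show service-policy should increase with each query.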

-Go0se
