topic Well, we can do that but it in Network Security

DNS Doctoring..ish

GRANT3779 — Tue, 12 Mar 2019 09:20:07 GMT

I am looking to achieve the following -

Internal Client with Internal address but Public DNS server.

The default GW of Internal client is an ASA.

Is there a way for the ASA to "Intercept" the DNS lookup of a certain FQDN (e.g Guest.company.com) which is only resolvable via my internal dns servers and forward this request to one of these servers?

DNS doctoring seems to look at return IP addresses from public DNS servers and then do some magic based on that. I need to have the ASA recognise a FQDN within an initial DNS request and send that request to an Internal server.

Hello,

Ajay Saini — Tue, 09 May 2017 16:00:16 GMT

Hello,

you question is not clear. Could you please give an example with ip addresses and that would make it more clear. Like who is client(source), where is web server(public ip and real ip) and where is the dns server etc,

-AJ

Scenario I would be using

GRANT3779 — Tue, 09 May 2017 16:10:06 GMT

Scenario I would be using this - (ISE/CWA)

Client connects to Guest SSID

Client receives Public DNS Servers as part of its DHCP config.

As part of my ISE policy, client will ultimately receive a CWA URL which is only resolvable by my Internal DNS servers

Client will do a DNS lookup for that URL which will be sent to the clients Public DNS servers (this traffic will traverse the ASA as it is the clients GW)

I want the ASA to be able to intercept this DNS request before it goes outside and to direct it to my Internal DNS.

I know there I can use IP in the CWA redirect but this is something I prefer not to do. I would like to achieve the above if possible.

Well, we can do that but it

Ajay Saini — Tue, 09 May 2017 16:23:06 GMT

Well, we can do that but it would not be conditional. It will redirect all the requests going to external dns server to internal dns server. We will have to create a static NAT something like:

nat (inside,inside) source dynamic any interface destination static obj-1.1.1.1 obj-2.2.2.2

where obj-1.1.1.1 is the internal dns server ip address

obj-2.2.2.2 is the external dns server ip address

we are creating this dummy nat entry so that when traffic comes to inside interface for 2.2.2.2(external dns server), the source gets translated to inside interface and destination gets unNATED to 1.1.1.1(internal dns server. The reason for PATing the source address is to ensure that reply packet comes to ASA and there is no asymetric routing. Since this is UDP traffic, I believe it should work without the source NAT as well but try it with source first if there is no issue.

**try to add this NAT at line 1. We would want to make sure that this takes preference.

also, add below command to allow u-turn:

same-security-traffic permit intra-interface

HTH

-AJ

When you create CWA

Ashish Jhaldiyal — Tue, 09 May 2017 17:44:04 GMT

When you create CWA authorization policy there is a option to assign static IP/Host name/FQDN, You can send IP of your PSN server or Load balancer. So client will get an IP in URL in place of domain name.

Attach is the screenshot.

If you have SourceFire module

Ashish Jhaldiyal — Tue, 09 May 2017 18:09:54 GMT

If you have SourceFire module on your ASA firewall you can use an option called Sinkhole and achieve this.

http://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v601_chapter_01011101.html#concept_FFB4BE7AF2914BAD9CFF278BCCBC523C

Hi Grant,

alessandro.s — Wed, 17 May 2017 07:18:10 GMT

Hi Grant,

i solved this issue in this way :

My CWA url is somethng like guest@mycomain.com so i asked my isp to publish this DNS record to a public ip address, obviously from my own public addresses, let's say this address is 1.1.1.1. So guest users obtaining public DNS servers are now resolving guest@mycomain.com with ip 1.1.1.1 but Guest page is not really published so is not reachable from outside, and is is somwething we want to do!

Then i configured DNS doctoring as per this link :

https://supportforums.cisco.com/document/145401/dns-doctoring-and-u-turning-asa-when-and-how-use-it

and all is fine!

You can also use public ip addresses not directly connected to your ASA firewall.

Hope this helps,

Regards