topic DNS NAT in Network Security

DNS NAT

dhinesh_83 — Tue, 12 Mar 2019 05:55:45 GMT

Hi Team,

I would like to know the procedure or any documents how to create a nat rule for DNS.And also explain me what is DNS nat and which sceanrio we need to implement the DNS nat.

Please confirm the DNS nat and DNS ALG are same?

This is probably what you are

Karsten Iwen — Wed, 13 May 2015 13:31:23 GMT

This is probably what you are looking for if you are interested in the ASA:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html

DNS NAT is a function that could be implemented on a DNS ALG, but they are not automatically the same.

Thank you very much for the

dhinesh_83 — Thu, 14 May 2015 12:27:11 GMT

Thank you very much for the update.

Do you have any procedure/Document how to implement the DNS NAT in cisco router.

Hi Karsten, Please

dhinesh_83 — Mon, 18 May 2015 11:14:24 GMT

Hi Karsten,

Please share me any sample configuration for DNS NAT in Cisco.

A config sample is in the

Karsten Iwen — Mon, 18 May 2015 11:19:34 GMT

A config sample is in the above link.

Thanks for the update.Can you

dhinesh_83 — Mon, 18 May 2015 12:55:46 GMT

Thanks for the update.Can you please help me the configuration for the below setup

Please find the attached setup for your reference.

When user in A network tries to access one of the server(abc.com) in B network via hostname.The packet first hit the A N/W DNS for requsting the abc.com ip address.Again they will forward the requset to B N/W DNS for the ip address.They retrun back the ip address say example(10.1.1.5) for respective hostname.But we have the 10.1.1.0/24 already using in A N/W.In that case we need to do the nat in the firewall. How we implement the DNS NAT in the Cisco ASA firewall.

Can you please share the configuration how to implement this setup.

It's a homework, isn't it

Karsten Iwen — Mon, 18 May 2015 13:40:05 GMT

It's a homework, isn't it?

There are multiple problems in that task:

1) Translating DNS-replys is not enough. You also need to translate the 10.1.1.0 network in both directions (Double-NAT).

2) The next part is that DNS-replies need to resolve to a different address. This is exactly an scenario in the referenced link which doesn't work easily on the ASA. For that, DNS-views can be configured on the DNS-server. With DNS-views, the server returns different A-records based on the source-IP of the query.

Thanks for the inputs karsten

dhinesh_83 — Mon, 18 May 2015 16:36:32 GMT

Thanks for the inputs karsten.

I understand the first step you mentioned we need to do the NAT in both directions.

Second step is very hard to understand to proceed.Reference link which you gave also not clear to do the config.

I will prepare the config and share you the same to you.Please review.

Please find below the config

dhinesh_83 — Mon, 18 May 2015 17:29:00 GMT

Please find below the config for your review.Please correct me if am wrong.The DNS NAT config is highlighted.My requirement is when user is access the server via hostname 192.168.1.5(abc.com) it should be natted to 10.10.20.5.

hostname ASA1
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address y.y.y.y 255.255.255.252
no shut
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
!
object network inside-mapped-network
subnet 10.10.10.0 255.255.255.0
!
object network inside-real-network
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) static inside-mapped-network
!
access-list CRYPTO_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
!
route outside 10.10.20.0 255.255.255.0 Y.Y.Y.Y
!
crypto ipsec ikev1 transform-set TRANS_SET esp-3des esp-md5-hmac
crypto map CRYP_MAP 10 match address CRYPTO_ACL
crypto map CRYP_MAP 10 set peer 41.1.1.2
crypto map CRYP_MAP 10 set ikev1 transform-set TRANS_SET
crypto map CRYP_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!

hostname ASA2
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address Y.Y.Y.Y 255.255.255.252
no shut
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
!
object network inside-mapped-network
subnet 10.10.20.0 255.255.255.0
!
object network inside-real-network
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) static inside-mapped-network
!
nat (inside,outside) source static 192.168.1.5 10.10.20.5 dns
!
policy-map global_policy
class inspection_default
inspect dns
!
access-list CRYPTO_ACL extended permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
!
route outside 10.10.10.0 255.255.255.0 Y.Y.Y.Y
!
crypto ipsec ikev1 transform-set TRANS_SET esp-3des esp-md5-hmac
crypto map CRYP_MAP 10 match address CRYPTO_ACL
crypto map CRYP_MAP 10 set peer Y.Y.Y.Y
crypto map CRYP_MAP 10 set ikev1 transform-set TRANS_SET
crypto map CRYP_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!