topic DNS Doctoring Question in Network Security

DNS Doctoring Question

rsaeks — Tue, 12 Mar 2019 02:20:29 GMT

Hi there,

We are using an ASA5100 on 8.2(5). I'm trying to look at granting access to our internal webserver to those connected to our guest network using an external DNS server. I've enabled DNS inspection but can't seem to get the doctoring setup going for our device. We are using three of the four interfaces as follows:

outside interface (connected to our ISP with a public IP)

inside interface (172.20.1.2 connected to our 3750 Gig1/0/2 with IP 172.20.1.1)

guest_inet interface (10.2.1.1 connected to 3750 Gig2/0/2 tagged VLAN 999)

The 3750 device connects to our local 192.168.x.x network.

Wireless guests are in the 10.2.1.0/24 subnet and use an external DNS. External clients are able to resolve our web server to the public IP address 63.236.246.66 and NAT successfully directs them to the internal address 192.168.40.40.

I've enabled the DNS doctoring option on the static NAT entry on the inside interface but that didn't have an effect when running a dig hostname on a client connected to the guest subnet. Do I need to put in a different NAT entry on the guest_inet interface?

Thanks!

DNS Doctoring Question

Marius Gunnerud — Fri, 02 Aug 2013 07:38:58 GMT

Did you add an ACL inbound on the Guest interface permitting 10.2.1.0/24 access to 192.168.40.40? Keep in mind that DNS doctoring substitutes the public IP of the server with the private IP so the host will be sending traffic to the private IP of the server.

Re: DNS Doctoring Question

turbo_engine26 — Fri, 02 Aug 2013 12:29:25 GMT

Hi,

Make sure a host in the guest subnet can access the web server locally in the first place. This can be done by using Identity NAT from the guest_inet interface to the interface that subnet 192.168.40.0 is located. Once verified, you can then test the access using the web server's public address. I am not sure if you want to add an ACL or not and this depends on the security level of the guest subnet interface.

DNS Rewrite (or Doctoring) is working by replacing the web server's public IP with its private IP in the DNS reply using the information found in the static NAT command.

Regards,

DNS Doctoring Question

rsaeks — Mon, 05 Aug 2013 17:01:58 GMT

I've put in a rule to allow access. When running a packettrace command from the guest_inet interface with source 10.2.1.165 to 192.168.40.40 it displays the following with a packet dropped action:

nat (inside) 1 192.168.0.0 255.255.0.0

match ip inside 192.168.0.0 255.255.0.0 guest_inet any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

DNS Doctoring Question

Marius Gunnerud — Tue, 06 Aug 2013 07:08:36 GMT

Could you please post the full output of the packet tracer including the command used.

Also include a full configuration of the ASA (change public IPs and any other sensitive information such as passwords and usernames if required)

DNS Doctoring Question

rsaeks — Fri, 09 Aug 2013 04:06:56 GMT

Here is our config with some items masked / removed:

Result of the command: "sh run"

: Saved

ASA Version 8.2(5)

hostname GCS-FW-INTERNET

no names

name X.199 WiFi_Guest

name 192.168.48.55 GSSPRES01

dns-guard

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address X.6 255.255.255.240

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.20.1.2 255.255.255.0

interface Ethernet0/2

speed 100

duplex full

nameif dmz

security-level 50

ip address 10.1.1.1 255.255.255.0

interface Ethernet0/3

nameif guest_inet

security-level 10

ip address 10.2.1.1 255.255.255.0

interface Management0/0

shutdown

nameif management

security-level 100

no ip address

management-only

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name glencoeschools.org

same-security-traffic permit intra-interface

access-list internet_in extended permit tcp any host X.65 eq www

access-list internet_in extended permit tcp any host X.66 eq www

access-list internet_in extended permit tcp any host X.69 eq www

access-list internet_in extended permit tcp any host X.70 eq www

access-list internet_in extended permit tcp any host X.71 eq www

access-list internet_in extended permit tcp any host X.72 eq www

access-list internet_in extended permit tcp any host X.73 eq www

access-list internet_in extended permit tcp any host X.74 eq www

access-list internet_in extended permit tcp any host X.75 eq www

access-list internet_in extended permit tcp any host X.76 eq www

access-list internet_in extended permit tcp any host X.76 eq https

access-list internet_in extended permit tcp any host X.80 eq www

access-list internet_in extended permit tcp any host X.81 eq www

access-list internet_in extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

access-list internet_in extended permit ip 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0

access-list internet_in extended permit ip 172.16.48.0 255.255.255.0 192.168.40.0 255.255.255.0

access-list internet_in extended permit ip 172.16.48.0 255.255.255.240 192.168.0.0 255.255.0.0

access-list internet_in extended permit ip host X.145 192.168.0.0 255.255.0.0

access-list internet_in extended permit tcp 10.2.1.0 255.255.255.0 any eq domain inactive

access-list internet_in extended permit tcp any 10.2.1.0 255.255.255.0 eq domain inactive

access-list internet_in extended permit icmp any any inactive

access-list internet_in extended permit ip host X.210 192.168.0.0 255.255.0.0

access-list internet_in extended permit ip host X.9 192.168.0.0 255.255.0.0

access-list internet_in extended permit ip 172.16.56.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list internet_in extended permit ip host X.218 192.168.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip any 172.20.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.40.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.48.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.56.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 X.144 255.255.255.240

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host X.156

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host X.145

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host X.210

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host X.249

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host X.218

access-list outside_cryptomap extended permit ip any 172.20.1.0 255.255.255.0

access-list outside_access_out extended deny tcp any any eq 82

access-list outside_access_out extended permit ip any any

access-list Glencoe standard permit 192.168.0.0 255.255.0.0

access-list guest_inet_access_in extended permit ip any any

pager lines 24

logging enable

logging timestamp

logging buffer-size 1040000

logging monitor debugging

logging buffered debugging

logging asdm notifications

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu guest_inet 1500

mtu management 1500

ip local pool VPN_Pool 172.20.1.10-172.20.1.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649-103.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 172.16.0.0 255.255.0.0

nat (inside) 1 192.168.0.0 255.255.0.0

nat (guest_inet) 1 10.2.1.0 255.255.255.0

static (inside,outside) tcp X.65 www 192.168.40.36 www netmask 255.255.255.255

static (inside,outside) tcp 6.78 https 192.168.40.8 https netmask 255.255.255.255

static (inside,outside) X.66 192.168.40.40 netmask 255.255.255.255

static (inside,outside) X.73 192.168.40.44 netmask 255.255.255.255

static (inside,outside) X.74 192.168.40.46 netmask 255.255.255.255

static (inside,outside) X.76 192.168.40.38 netmask 255.255.255.255

static (inside,outside) X.71 192.168.40.42 netmask 255.255.255.255

static (inside,outside) X.70 192.168.40.41 netmask 255.255.255.255

static (inside,outside) X.72 192.168.40.43 netmask 255.255.255.255 dns

access-group internet_in in interface outside

access-group outside_access_out out interface outside

access-group guest_inet_access_in in interface guest_inet

router eigrp 7159

no auto-summary

network X.144 255.255.255.240

network 172.20.1.0 255.255.255.0

network 192.168.40.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 X.145 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.40.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 management

snmp-server host inside 192.168.40.200 community ***** version 2c

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

class-map inspection_default

policy-map global_policy

class inspection_default

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:8ef56df1de9dd36f9dcff934d746ff65

: end

Packet Tracer is:

GCS-FW-INTERNET# packet-tracer input guest_inet tcp 10.2.1.90 1069 192.168.40.40 http

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.40.0 255.255.255.0 inside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group guest_inet_access_in in interface guest_inet

access-list guest_inet_access_in extended permit ip any any

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (guest_inet) 1 10.2.1.0 255.255.255.0

match ip guest_inet 10.2.1.0 255.255.255.0 outside any

dynamic translation to pool 1 (X.146 [Interface PAT])

translate_hits = 70348, untranslate_hits = 3530

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (inside) 1 192.168.0.0 255.255.0.0

match ip inside 192.168.0.0 255.255.0.0 guest_inet any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

Additional Information:

Result:

input-interface: guest_inet

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Since it is a long post: I'm trying to have a device on our guest wireless subnet (10.2.1.0/24) access one of our webservers at 192.168.40.40 I'm pretty confidant once the syntax is setup for allowing this one host I can change it to match the others.

Thanks everyone for the info so far!

DNS Doctoring Question

Marius Gunnerud — Fri, 09 Aug 2013 06:55:38 GMT

First off the NAT statement for 192.168.40.40 is not configured for DNS doctoring. Add the dns keyword at the end of the statement.

static (inside,outside) X.66 192.168.40.40 netmask 255.255.255.255

DNS Doctoring Question

rsaeks — Fri, 09 Aug 2013 19:10:16 GMT

I added the dns statement to the NAT line (sorry about grabbing the old config without it in place) and still have the same issue. When I run a nslooklup or dig on host I still receive the public IP address.

DNS Doctoring Question

Marius Gunnerud — Fri, 09 Aug 2013 22:34:58 GMT

Hmmm, that is odd.

Well to get this working you could nat the from the guest interface to the inside interface...it is not DNS doctoring but it should also work.

static (guest_inet,inside) X.73 192.168.40.44 netmask 255.255.255.255

DNS Doctoring Question

turbo_engine26 — Sat, 10 Aug 2013 18:25:20 GMT

Hi,

I can't see the DNS inspection enabled in the "global_policy" policy map. You must activate DNS inspection prior configuring DNS doctoring. Please use the following:

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

Regards,

DNS Doctoring Question

rsaeks — Thu, 15 Aug 2013 02:19:07 GMT

After some time on the phone with TAC we found the following:

Even through the DNS doctoring configuration was set, it was not being honored. We added the guest_inet subnet to the outside NAT pool:

nat (guest_inet) 1 10.2.1.0 255.255.255.0 outside

Created static NAT entries for each server using:

static (inside,guest_inet) PUBLIC_IP PRIVATE_IP netmask 255.255.255.255

Once that was done all was good.