topic DNS Rewrite on PIX in Network Security

DNS Rewrite on PIX

scot.hartman — Fri, 21 Feb 2020 07:30:47 GMT

Using static to NAT a private IP to public and have dns rewrite enabled.

static (dmz1,outside) 66.x.x.211 10.18.62.11 dns netmask 255.255.255.255 0 0

This 66.x.x.211 address is the address returned for www.customerX.com

This seems to be working OK for A-record resolution. When a box on the 10 net tries to resolve www.customerX.com, 66.x.x.211 is returned but is then rewritten to 10.18.62.11 and sent to the client.

I have two questions:

1. This customer swears he was able to do a reverse lookup to 10.18.62.11 and get back a response of www.customerX.com. Is this the case or is he mistaken? I'm seeing the 11.62.18.16.in-addr.arpa leave the outside interface and so want to know if it was supposed to rewrite this packet to 211.x.x.66.in-addr.arpa and just isn't.

2. Another possibility is that he may have recently switched to using an internal DNS server on another dmz (192.168.3.199) which doesn't fall under the above static command. If so I have a new problem that this dmz has a higher security level than the 10 net interface. If I need to, how do I do dns rewrite between these two dmzs?

Thanks for the help.

Re: DNS Rewrite on PIX

nkhawaja — Fri, 16 Jul 2004 23:13:30 GMT

Hi,

Where is your DNS SERVER? I think it is on DMZ, hence it should have an A record for the private IP ADDRESS of that server. Could you double check that? just make sure what his server has and what server he is using

Thanks

Nadeem

Re: DNS Rewrite on PIX

scot.hartman — Mon, 19 Jul 2004 14:01:20 GMT

He was origionally using a DNS server out on the Internet. I understand that if he's using an internal DNS server, he really "should" just be using split DNS. That isn't really the question. When he was resolving off the external DNS server, the requests for the http://www.customerX.com came back with the 66 net address but the PIX injected the 10 net address into the reply. I'm asking if, during a reverse lookup, if the PIX is supposed to inject the 66 net address before it sends it out to the DNS server?

Thanks for any insights,

Scot

Re: DNS Rewrite on PIX

nkhawaja — Mon, 19 Jul 2004 16:08:28 GMT

Hi,

DNS server on the outside makes the life easy. I think the rules for DNS rewrite are same for forward or reverse lookup.

Thanks

Nadeem

Re: DNS Rewrite on PIX

scot.hartman — Mon, 19 Jul 2004 17:14:34 GMT

Thanks for the response.

OK, so to clarify. I have this...

static (dmz1,outside) 66.x.x.211 10.18.62.11 dns netmask 255.255.255.255 0 0

The world sees www.customerX.com as 66.x.x.211.

Internally, that server is actually NAT'd per the line above to IP 10.18.62.11 on the inside.

So,

A box that is on the 10.18.62.x network sends a request for www.customerX.com. We, of course, want it to hit 10.18.62.11 instead of the 66.x.x.211 IP, so I am seeing this:

client: Sends DNS request www.customerX.com

PIX: Doesn't change this request (fine)

DNS server: Recieves DNS request for www.customerX.com

DNS server: Replies with 66.x.x.211

PIX: Because of dns rewrite, changes this reply to 10.18.62.11 (good)

Client: Recieves 10.18.62.11 and connects to this internal address instead of 66.

Good, works fine. But for reverse lookups I see:

client: Sends reverse-DNS request for 11.62.18.10.in-addr.arpa

PIX: Doesn't change this request. Shouldn't it change it to 211.x.x.216.in-addr.arpa?

DNS server: Recieves DNS request for 11.62.18.10.in-addr.arpa which it will, of course, NOT respond to with www.customerX.com since the 10net is RFC 1918.

Should the PIX grab that reverse for 10.18.62.11 and substitute with the 66.x.x.211 IP before sending it to the DNS server?

If so, why is it working for the forward lookup but not for the reverse? Is there an additional setting or possibly a problem with a cache, xlate, etc. of some kind within the PIX.

Thanks,

Scot

Re: DNS Rewrite on PIX

scot.hartman — Tue, 24 Aug 2004 20:21:41 GMT

Does anyone know if the PIX perform substitution for reverse lookups or just for forward lookups?

My rather lengthy information is in the previous posts. I'd really appreciate any help on this.

Thanks,

Scot