https://community.cisco.com/t5/network-security/dns-doctoring/m-p/1442738#M637828 <HTML><HEAD></HEAD><BODY><P>Yes. Here is a sample. Have you enabled dns inspection and does the dns traffic go through this ASA?</P><P></P><TABLE border="1"><TBODY><TR><TH>Before</TH><TH>ASA 8.3<BR /></TH></TR><TR><TD><STRONG> DNS rewrite </STRONG><P>static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns</P></TD><TD><PRE> object network obj-192.168.100.10<BR />&nbsp;&nbsp; host 192.168.100.10<BR />&nbsp;&nbsp; nat (inside,outside) static 172.20.1.10 dns<BR /></PRE></TD></TR></TBODY></TABLE><P></P><P>-KS</P></BODY></HTML> Mon, 09 Aug 2010 15:22:48 GMT Kureli Sankar 2010-08-09T15:22:48Z https://community.cisco.com/t5/network-security/dns-doctoring/m-p/1442737#M637827 <P>Does anyone know if DNS doctoring is supported in the newer 8.3 code?&nbsp; It looks like you can append the dns keyword to a nat translation and if you inpsect DNS the ASA will "un-nat" the connection, according to some of the 8.3 cli documentation I've read, but it doesn't work for me.</P><P></P><P>nat (inside,outside) source static COMM-USWEB_192.168.10.18 COMM-USWEB_21.21.24.24 dns</P><P></P><P>thank you,</P><P></P><P>Bill</P> Mon, 11 Mar 2019 18:22:44 GMT https://community.cisco.com/t5/network-security/dns-doctoring/m-p/1442737#M637827 WILLIAM STEGMAN 2019-03-11T18:22:44Z https://community.cisco.com/t5/network-security/dns-doctoring/m-p/1442738#M637828 <HTML><HEAD></HEAD><BODY><P>Yes. Here is a sample. Have you enabled dns inspection and does the dns traffic go through this ASA?</P><P></P><TABLE border="1"><TBODY><TR><TH>Before</TH><TH>ASA 8.3<BR /></TH></TR><TR><TD><STRONG> DNS rewrite </STRONG><P>static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns</P></TD><TD><PRE> object network obj-192.168.100.10<BR />&nbsp;&nbsp; host 192.168.100.10<BR />&nbsp;&nbsp; nat (inside,outside) static 172.20.1.10 dns<BR /></PRE></TD></TR></TBODY></TABLE><P></P><P>-KS</P></BODY></HTML> Mon, 09 Aug 2010 15:22:48 GMT https://community.cisco.com/t5/network-security/dns-doctoring/m-p/1442738#M637828 Kureli Sankar 2010-08-09T15:22:48Z https://community.cisco.com/t5/network-security/dns-doctoring/m-p/1442739#M637829 <HTML><HEAD></HEAD><BODY><P>I have DNS inspection occurring at the global policy, and the traffic should be running across the ASA.&nbsp; I changed the dns keyword to include it in object nat, but no change.</P><P></P><P>object network COMM-USWEB_192.168.10.18<BR /> nat (inside,outside) static 21.21.24.24 dns</P><P></P><P>object network COMM-USAIGWEB_192.168.10.18 <BR /> host 192.168.10.18</P></BODY></HTML> Mon, 09 Aug 2010 15:43:33 GMT https://community.cisco.com/t5/network-security/dns-doctoring/m-p/1442739#M637829 WILLIAM STEGMAN 2010-08-09T15:43:33Z https://community.cisco.com/t5/network-security/dns-doctoring/m-p/1442740#M637830 <HTML><HEAD></HEAD><BODY><P>Make sure the dns traffic is going through this ASA.</P><P>cap capin int inside match udp ho 192.168.10.18 any eq 53</P><P>cap capout interface outside match udp ho 21.21.24.24 any eq 53</P><P></P><P>sh cap capin</P><P>sh cap capout</P><P></P><P>-KS</P></BODY></HTML> Mon, 09 Aug 2010 16:44:13 GMT https://community.cisco.com/t5/network-security/dns-doctoring/m-p/1442740#M637830 Kureli Sankar 2010-08-09T16:44:13Z https://community.cisco.com/t5/network-security/dns-doctoring/m-p/1442741#M637831 <HTML><HEAD></HEAD><BODY><P>it looks like the traffic is not crossing the asa.&nbsp; I don't understand that though.&nbsp; I have clients on the inside trying to access a web server that sits on the inside as well, but has no internal DNS entry.&nbsp; So those clients use the internal DNS server, which forwards the request to the Internet and gives the public IP, but of course that's the traffic that is being denied by the ASA and is what DNS doctoring is supposed to fix.&nbsp; Why wouldn't the DNS traffic be crossing the ASA?&nbsp; My access list on the inside interface allows both tcp and udp dns.</P></BODY></HTML> Mon, 09 Aug 2010 17:22:24 GMT https://community.cisco.com/t5/network-security/dns-doctoring/m-p/1442741#M637831 WILLIAM STEGMAN 2010-08-09T17:22:24Z https://community.cisco.com/t5/network-security/dns-doctoring/m-p/1442742#M637832 <HTML><HEAD></HEAD><BODY><P>I found the acl that was blocking it, on a router between the host and firewall, made a change and it's working now.&nbsp; Thank you very much.</P></BODY></HTML> Mon, 09 Aug 2010 17:38:19 GMT https://community.cisco.com/t5/network-security/dns-doctoring/m-p/1442742#M637832 WILLIAM STEGMAN 2010-08-09T17:38:19Z https://community.cisco.com/t5/network-security/dns-doctoring/m-p/1442743#M637834 <HTML><HEAD></HEAD><BODY><P>Very glad to hear.&nbsp; Capture for the win - yet again !</P><P></P><P>I shoud have given capture syntax for all other dns resoltuion. My bad.</P><P></P><P>cap capin int inside match udp any any eq 53</P><P></P><P>cap capout int outside match udp any any eq 53</P><P></P><P>sh cap capin</P><P>sh cap capout</P><P></P><P></P><P>-KS</P></BODY></HTML> Mon, 09 Aug 2010 17:57:37 GMT https://community.cisco.com/t5/network-security/dns-doctoring/m-p/1442743#M637834 Kureli Sankar 2010-08-09T17:57:37Z