topic Re: DNS Server Redirects? in Network Security

DNS Server Redirects?

John Blakley — Mon, 11 Mar 2019 15:33:18 GMT

All,

I have about 100 servers in a DMZ. We did our 2nd phase firewall test this weekend, and I found out that all of the servers in the DMZ are set to look at the firewall's DMZ interface for DNS. The old firewall was a Symantec SGS that did DNS forwarding, so the client could set up their DNS settings to point to the firewall instead of an actual DNS server.

I also found out that there are several hundred people that have their proxy server set up in IE as the firewall's ip address and the port is 80. My questions are this:

a.) Is there any way to do a redirect in the ASA for any DNS requests coming in on the DMZ interface, to another server either inbound our outbound? Can I use nat for something like this?

b.) Is there ANY way to be able to configure the ASA to act as a proxy besides cut-through? I just want the request that comes in on port 80 to be allowed out, but I think the ASA is seeing this has web management port, and drops the traffic. (I'm probably wrong on that one.)

Thanks,

John

Re: DNS Server Redirects?

handsy — Mon, 18 May 2009 13:06:05 GMT

a) infact you must use NAT, e.g.

static (dmz, outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255 dns

The 'dns' keyword is the magic here 🙂

b) I believe cut-through is your only option, i.e. statics and ACL combinations to get the outcome you desire

Re: DNS Server Redirects?

John Blakley — Mon, 18 May 2009 13:17:58 GMT

One problem that I see is that I can't assign a static to an address that's used on the interface.

DMZ1: 10.45.136.66/24

Inside: 10.50.50.54

DNS server on the inside: 10.50.50.251

Would my static look like:

static (inside,dmz1) interface 10.50.50.251 netmask 255.255.255.255 dns

Would this work, and would anything get screwed up by this?

John

Re: DNS Server Redirects?

handsy — Mon, 18 May 2009 13:33:57 GMT

So are the DMZ servers pointing at 10.50.50.251 for DNS, or is that the address you want them to get to?

Example:

DMZ servers currently pointing at 10.2.3.4

DMZ servers need to be using 10.50.50.251

static (inside, dmz1) 10.2.3.4 10.50.50.251 netmask 255.255.255.255 dns

This article may help you:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Hope I'm helping, and not hindering? 🙂

Re: DNS Server Redirects?

John Blakley — Mon, 18 May 2009 13:37:23 GMT

That's what I want them to get to, but the "server" that they are pointing to is the interface on the ASA.

So I'm thinking that it "could" be:

static (inside,dmz1) interface 10.50.50.251 netmask 255.255.255.255 dns

With the above static, will that hurt our normal DNS on this inside? It should only affect traffic coming in on the dmz1 interface, right?

John

Re: DNS Server Redirects?

handsy — Mon, 18 May 2009 13:41:14 GMT

Looks good, but personally I would want to test that out-of-hours before deploying.

Let us know how you get on 🙂

Re: DNS Server Redirects?

John Blakley — Mon, 18 May 2009 14:00:00 GMT

Dude....it works.... 🙂

I have a personal at the house that I can test things on. I VPN in from the office and remote into a box at the house. I set up the workstation to point to my ASA as the dns server. When I use the dns tag for doctoring, it says that ALL traffic will be redirected, so instead I did this (and it works too).

static (outside,inside) udp interface 53 4.2.2.1 53 netmask 255.255.255.255

That forwarded all of my traffic to 4.2.2.1, and I was able to get on the internet. That rocks 🙂

Thanks,

John

Re: DNS Server Redirects?

handsy — Mon, 18 May 2009 15:30:09 GMT

Awesome! Glad you got it working 🙂