ASA 8.3 DNS doctoring: DNS server in DMZ

Dima Dvorcovoy, Level 1

Hello! I am the administrator of a University network.

We have (among other resources) two DNS servers, a mail server and a spam-filtering server.

They are:

------------------------------------------------------------IP
server   internal IP      external IP
dns      10.149.254.39    217.21.43.3
www      10.149.254.35    217.21.43.2
smtp     10.149.254.2     217.21.43.223
mail     10.0.0.5         217.21.43.224

------------------------------------------------------------DNS
In DNS server, we have:

zone [bsu.by]
dns     A     10.149.254.39
www     A     10.149.254.35
smtp    A     10.149.254.2
mail    A     10.0.0.5

---

While on version 8.24, this works:

------------------------------------------------------------asa-824.cfg
names
name 10.149.254.2 xwall.bsu
name 10.149.254.35 www.bsu
name 10.149.254.39 dns1.bsu
name 10.0.0.5 mail.bsu
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.149.8.252 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ-WEB
 security-level 50
 ip address 10.149.254.33 255.255.255.224
!
interface GigabitEthernet0/3
 nameif OUTSIDE
 security-level 0
 ip address 217.21.43.130 255.255.255.128
!
interface Management0/0
 nameif DMZ-MAIL
 security-level 50
 ip address 10.149.254.1 255.255.255.224
!
static (DMZ-WEB,OUTSIDE) 217.21.43.2 dns1.bsu netmask 255.255.255.255 dns
static (DMZ-MAIL,OUTSIDE) 217.21.43.224 xwall.bsu netmask 255.255.255.255 dns
static (INSIDE,OUTSIDE) 217.21.43.223 mail.bsu netmask 255.255.255.255 dns
static (DMZ-WEB,OUTSIDE) 217.21.43.3 www.bsu netmask 255.255.255.255 dns

------------------------------------------------------------LOG
>SSH far.aray.external.linux.server
login: *******
>nslookup
>>server 217.21.43.3
>>set type=A
>>www.bsu.by
217.21.43.2

------------------------------------------------------------ASA-847.cfg
But on 8.47, this configuration FAILS:

object network mail.bsu
 host 10.0.0.5
object network xwall
 host 10.149.254.2
object network www.bsu
 host 10.149.254.35
object network www.dns1
 host 10.149.254.39
object network net.bsu-intranet
 subnet 10.0.0.0 255.0.0.0
object network DMZ-net
 subnet 10.149.254.0 255.255.255.0
object network net.bsu-intranet-1
 subnet 10.0.0.0 255.0.0.0
object network net.bsu-intranet-2
 subnet 10.0.0.0 255.0.0.0
object network mail.bsu.by
 host 217.21.43.223
object network xwall.by
 host 217.21.43.224
object network www.dns1.by
 host 217.21.43.2
object network www.bsu.by
 desc ***** corrupted for the test, have to be "3"
 host 217.21.43.3
object network www.euniver.by
 host 217.21.43.18
!
object network mail.bsu
 nat (INSIDE,OUTSIDE) static mail.bsu.by dns
object network xwall
 nat (DMZ-MAIL,OUTSIDE) static xwall.by dns
object network www.bsu
 nat (DMZ-WEB,OUTSIDE) static www.bsu.by dns
object network www.euniver
 nat (DMZ-WEB,OUTSIDE) static www.euniver.by dns
object network www.dns1
 nat (DMZ-WEB,OUTSIDE) static www.dns1.by dns
!
object network net.bsu-intranet
 nat (INSIDE,DMZ-WEB) static net.bsu-intranet
object network net.bsu-intranet-1
 nat (INSIDE,DMZ-MAIL) static net.bsu-intranet
object network net.bsu-intranet-2
 nat (INSIDE,OUTSIDE) dynamic 217.21.43.64
!
access-list ALLOW extended permit ip any any
access-group ALLOW in interface DMZ-WEB
access-group ALLOW in interface INSIDE
access-group ALLOW in interface OUTSIDE
access-group ALLOW in interface DMZ-MAIL

------------------------------------------------------------LOG
>SSH far.aray.external.linux.server
login: *******
>nslookup
>>server 217.21.43.3
>>set type=A
>>www.bsu.by
10.149.254.39
------------------------------------------------------------end

What to do??

How do I debug DNS doctoring events (to see, for example: A record for www.xxx.com is translated from x.x.x.x to 10.y.y.y)?
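To make the expected behaviour concrete, here is an added example that is not from this thread and not Cisco code: a small Python model of what a NAT rule carrying the `dns` keyword does to a DNS reply that crosses the firewall. The interface names and addresses are the ones in the tables above; the rule semantics modelled here (a rule applies only to replies flowing between its two interfaces, `any` matches every interface, and the rewrite is applied in both directions) are an assumption of the model, not a description of ASA internals. The model rewrites the private address to the public one when the reply leaves towards OUTSIDE and leaves the record untouched when the same reply goes to INSIDE, which is the behaviour the question asks for.

```python
# Added example (not from the thread or from Cisco): a simplified Python model
# of what a NAT rule with the "dns" keyword does to a DNS reply that crosses
# the ASA. Interface names and addresses come from the post's tables; the rule
# semantics modelled here (a rule applies only to replies flowing between its
# two interfaces, "any" matches every interface, and both directions of the
# rewrite are handled) are an assumption of this model, not ASA internals.
import struct
from ipaddress import IPv4Address

# NAT rules as (real_ifc, mapped_ifc, real_ip, mapped_ip); every entry has "dns".
NAT_RULES = [
    ("DMZ-WEB", "OUTSIDE", "10.149.254.35", "217.21.43.2"),
    ("DMZ-WEB", "OUTSIDE", "10.149.254.39", "217.21.43.3"),
    ("DMZ-MAIL", "OUTSIDE", "10.149.254.2", "217.21.43.224"),
    ("INSIDE", "OUTSIDE", "10.0.0.5", "217.21.43.223"),
]

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_reply(qname, addresses, txid=0x1234):
    """Constructed sample: a standard DNS reply with one question and one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    answers = b"".join(
        encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(a).packed
        for a in addresses
    )
    return header + question + answers

def skip_name(msg, off):
    """Return the offset just past a name, whether written out or compressed (0xC0 pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1

def a_record_offsets(msg):
    """Yield (rdata offset, dotted address) for each A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                              # QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, str(IPv4Address(bytes(msg[off:off + 4])))
        off += rdlen

def a_records(msg):
    """Dotted A-record addresses of a reply, in answer order."""
    return [addr for _, addr in a_record_offsets(msg)]

def ifc_match(rule_ifc, ifc):
    return rule_ifc == "any" or rule_ifc == ifc

def translate(addr, ingress, egress, rules):
    """Address an A record should carry after the reply passes from ingress to egress, or None."""
    for real_ifc, mapped_ifc, real_ip, mapped_ip in rules:
        # Reply leaves towards the mapped side (e.g. an OUTSIDE client asked the DMZ
        # server): the private address in the record becomes the public one.
        if ifc_match(real_ifc, ingress) and ifc_match(mapped_ifc, egress) and addr == real_ip:
            return mapped_ip
        # Reply leaves towards the real side (e.g. an INSIDE client asked an OUTSIDE
        # server): the public address becomes the private one.
        if ifc_match(mapped_ifc, ingress) and ifc_match(real_ifc, egress) and addr == mapped_ip:
            return real_ip
    return None

def doctor_reply(msg, ingress, egress, rules=NAT_RULES):
    """Rewrite A records in place; return (new message, list of (old, new) rewrites)."""
    buf = bytearray(msg)
    rewrites = []
    for off, addr in a_record_offsets(buf):
        new = translate(addr, ingress, egress, rules)
        if new is not None:
            buf[off:off + 4] = IPv4Address(new).packed             # same length, offsets stay valid
            rewrites.append((addr, new))
    return bytes(buf), rewrites

if __name__ == "__main__":
    reply = build_reply("www.bsu.by", ["10.149.254.35"])
    for ingress, egress in [("DMZ-WEB", "OUTSIDE"), ("DMZ-WEB", "INSIDE")]:
        out, rewrites = doctor_reply(reply, ingress, egress)
        print(f"{ingress} -> {egress}: {a_records(out)} rewrites={rewrites}")
```

Running it shows the reply towards OUTSIDE carrying 217.21.43.2 and the reply towards INSIDE still carrying 10.149.254.35. Passing a rule written as `("any", "any", ...)` instead of the interface pair makes the model rewrite in every direction, which matches the "translated ALWAYS" symptom that a `nat (any,any)` rule produces; the same parser also handles the reverse case of an inside client resolving a public name to the private address.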

13 Replies

Julio Carvajal, VIP Alumni

Hello,

From where did you perform the Nslookup?

object network mail.bsu
 nat (INSIDE,OUTSIDE) static mail.bsu.by dns

This is the rule in place that we are dealing with.

For DNS Doctoring to work the ASA must be able to inspect the packet so DNS Query and Answer must go through the firewall.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

From another provider's network (i.e. from a device connected to the OUTSIDE interface).

Because the DNS server is in DMZ-WEB, a DNS request passes the firewall.

Hello,

So the DNS lookup is done from a device outside of your network. Got it.

I mean, with DNS Doctoring enabled for this translation I would say this is what happens:

  1. Outside Client sends DNS request for mail.bsu.by to your internal DNS server.
  2. ASA Receives the packet on its outside interface, sees a NAT translation to the DNS server on your DMZ.
  3. DNS Server A record will point to the public IP Address of the server 217.21.43.3.
  4. ASA Receives that DNS reply packet and because of the DNS inspection will translate it to the private IP address.

This is because the DNS keyword will translate the embedded DNS reply in the packet.

If you leave it without the DNS keyword it should work, as the reply from the DNS server will be sent straight to the client.

My recommendation is to disable it, as the ASA will always eavesdrop on the DNS reply and change the A record as the NAT says.

Cheers,

Julio Carvajal Segura

Didn't you read this on top of my first message???

-----------------------------------------------------------DNS
In DNS server, we have:

zone [bsu.by]
dns     A     10.149.254.39
www     A     10.149.254.35
smtp    A     10.149.254.2
mail    A     10.0.0.5

>3. DNS Server A record will point to the public IP Address of the server 217.21.43.3

Absolutely wrong from this point.

No, my DNS server A record contains the PRIVATE address of my servers. And on the OUTSIDE interface, I want to see its PUBLIC, EXTERNAL ADDRESS. On version 8.2 it worked. On 8.4 - no.

Repeat:

There is a DNS server on the DMZ-WEB interface. There is an A record xxx A 10.x.x.x on it. I want to see a record xxx A 217.21.43.y on the OUTSIDE interface.

Now it makes more sense!

Sorry man, but I have to focus on a lot of things, not just on this discussion. SORRY for the misunderstanding.

Can you share:

show run policy-map
show service-policy

Cheers,

Julio Carvajal Segura

For version 8.2:

asa# show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 12528866, drop 169854, reset-drop 0
      Inspect: ftp, packet 8835, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 533, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 103, drop 90, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 336, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 7992
      Inspect: sqlnet, packet 121, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 229, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 982
      Inspect: sunrpc, packet 24, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 21662, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 96
      Inspect: netbios, packet 14583, drop 0, reset-drop 0
      Inspect: tftp, packet 15, drop 0, reset-drop 0

asa# show run policy-map
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map pESMTP
!

For version 8.47:

!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map policy-conn-param-INSIDE
 class class-conn-param-tcp-01
  set connection per-client-max 10 per-client-embryonic-max 20 random-sequence-number disable
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns
policy-map pESMTP
!

Hello,

Did you remove the deep packet inspection for DNS at any point?

Add:

policy-map global_policy
 inspect dns dns preset_dns_map

Cheers,

Julio Carvajal Segura

First:

inspect dns preset_dns_map

"dns dns" gives an error.

Second:

!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map policy-conn-param-INSIDE
 class class-conn-param-tcp-01
  set connection per-client-max 10 per-client-embryonic-max 20 random-sequence-number disable
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns preset_dns_map
policy-map pESMTP
!

asa# show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: netbios, packet 21, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
      Inspect: dns preset_dns_map, packet 84414, drop 1, reset-drop 0
Interface INSIDE:
  Service-policy: policy-conn-param-INSIDE
    Class-map: class-conn-param-tcp-01
      Set connection policy: per-client-max 10 per-client-embryonic-max 20 random-sequence-number disable
        current conns 0, drop 0

Third: no change ever. DNS not doctored.

1 and 2) You got my point man!!!!!!

3) Any difference after adding the DNS L7 inspection??

If not, well, you are on the 8.3 track, man. I would never ever recommend or use that entire track version to anyone with an ASA. "Bugs Everywhere"

It was like the "experimental" version after the big changes.

I am aware that on 8.4(4)1 this works perfectly. Check the release notes of it and try to upgrade.

Regards,

Julio Carvajal

No differences. It does not work no matter what I include in my DNS inspection policy.

I am using 8.4(7). 8.3 references are only for the new syntax. I tried 9.03 too with the exact same results.

Hey,

What's the latest update on this?????

Cheers,

Julio Carvajal Segura

Dima Dvorcovoy, Level 1

I found a PARTIAL solution.

If I write

object network xxx.bsu
 host 10.x.x.x
 nat (any,any) static xxx.bsu.by (DNS keyword useless here)
object network xxx.by
 host 217.y.y.y
 nat (OUTSIDE,DMZ-WEB) static xxx.bsu dns

the DNS doctoring starts to work. But... It starts to work ALWAYS. ANY DNS requests are translated to 217.y.y.y now.

It does not matter which interface is first: nat (INSIDE,DMZ-WEB) or even (DMZ-WEB,DMZ-WEB) works just as well.

I want to fix only requests from the OUTSIDE interface. The ones from INSIDE have to be non-doctored.

Hey man,

Did you ever find a solution to this problem? I actually am stuck in the same scenario, but on 9.1.x. In 9.x the DNS doctoring is now rewriting PTR requests as well. This has caused big problems for me, as external PTR lookups are getting rewritten to their local IP and breaking.

I am basically trying to do the same thing as you, except the opposite. I want to rewrite all public to local for inside DNS lookups, and leave external lookups alone.

Please let me know if you have found how to make this type of behavior possible.
