01-20-2014 06:05 AM - edited 03-11-2019 08:32 PM
Hello! I am the administrator of a University network.
We have (among other resources) two DNS servers, a mail server and a spam-filtering server.
They are:
------------------------------------------------------------IP
server   IP_address      external IP
dns      10.149.254.39   217.21.43.3
www      10.149.254.35   217.21.43.2
smtp     10.149.254.2    217.21.43.223
mail     10.0.0.5        217.21.43.224
------------------------------------------------------------DNS
In DNS server, we have:
zone [bsu.by]
dns A 10.149.254.39
www A 10.149.254.35
smtp A 10.149.254.2
mail A 10.0.0.5
---
While on version 8.24, this works:
------------------------------------------------------------asa-824.cfg
names
name 10.149.254.2 xwall.bsu
name 10.149.254.35 www.bsu
name 10.149.254.39 dns1.bsu
name 10.0.0.5 mail.bsu
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 10.149.8.252 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ-WEB
security-level 50
ip address 10.149.254.33 255.255.255.224
!
interface GigabitEthernet0/3
nameif OUTSIDE
security-level 0
ip address 217.21.43.130 255.255.255.128
!
interface Management0/0
nameif DMZ-MAIL
security-level 50
ip address 10.149.254.1 255.255.255.224
!
static (DMZ-WEB,OUTSIDE) 217.21.43.2 dns1.bsu netmask 255.255.255.255 dns
static (DMZ-MAIL,OUTSIDE) 217.21.43.224 xwall.bsu netmask 255.255.255.255 dns
static (INSIDE,OUTSIDE) 217.21.43.223 mail.bsu netmask 255.255.255.255 dns
static (DMZ-WEB,OUTSIDE) 217.21.43.3 www.bsu netmask 255.255.255.255 dns
------------------------------------------------------------LOG
>SSH far.aray.external.linux.server
login: *******
>nslookup
>>server 217.21.43.3
>>set type=A
217.21.43.2
But, on 8.47 this configuration FAILS:
------------------------------------------------------------ASA-847.cfg
object network mail.bsu
host 10.0.0.5
object network xwall
host 10.149.254.2
object network www.bsu
host 10.149.254.35
object network www.dns1
host 10.149.254.39
object network net.bsu-intranet
subnet 10.0.0.0 255.0.0.0
object network DMZ-net
subnet 10.149.254.0 255.255.255.0
object network net.bsu-intranet-1
subnet 10.0.0.0 255.0.0.0
object network net.bsu-intranet-2
subnet 10.0.0.0 255.0.0.0
object network mail.bsu.by
host 217.21.43.223
object network xwall.by
host 217.21.43.224
object network www.dns1.by
host 217.21.43.2
object network www.bsu.by
desc ***** corrupted for the test, have to be "3"
host 217.21.43.3
object network www.euniver.by
host 217.21.43.18
!
object network mail.bsu
nat (INSIDE,OUTSIDE) static mail.bsu.by dns
object network xwall
nat (DMZ-MAIL,OUTSIDE) static xwall.by dns
object network www.bsu
nat (DMZ-WEB,OUTSIDE) static www.bsu.by dns
object network www.euniver
nat (DMZ-WEB,OUTSIDE) static www.euniver.by dns
object network www.dns1
nat (DMZ-WEB,OUTSIDE) static www.dns1.by dns
!
object network net.bsu-intranet
nat (INSIDE,DMZ-WEB) static net.bsu-intranet
object network net.bsu-intranet-1
nat (INSIDE,DMZ-MAIL) static net.bsu-intranet
object network net.bsu-intranet-2
nat (INSIDE,OUTSIDE) dynamic 217.21.43.64
!
access-list ALLOW extended permit ip any any
access-group ALLOW in interface DMZ-WEB
access-group ALLOW in interface INSIDE
access-group ALLOW in interface OUTSIDE
access-group ALLOW in interface DMZ-MAIL
------------------------------------------------------------LOG
>SSH far.aray.external.linux.server
login: *******
>nslookup
>>server 217.21.43.3
>>set type=A
10.149.254.39
------------------------------------------------------------end
What to do??
How to debug DNS doctoring events (to see, for example: A record for www.xxx.com is translated from x.x.x.x to 10.y.y.y)?
01-23-2014 08:38 PM
Hello,
From where did you perform the Nslookup?
object network mail.bsu
nat (INSIDE,OUTSIDE) static mail.bsu.by dns
This is the rule in place that we are dealing with.
For DNS Doctoring to work the ASA must be able to inspect the packet so DNS Query and Answer must go through the firewall.
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-24-2014 02:30 AM
From another provider's network (i.e., from a device connected to the OUTSIDE interface).
Because the DNS server is in DMZ-WEB, a DNS request passes through the firewall.
01-24-2014 04:53 AM
Hello,
So the DNS lookup is done from a device outside of your network. Got it.
I mean, with DNS Doctoring enabled for this translation I would say this is what happens:
This is because the DNS keyword will translate the embedded DNS reply in the packet.
If you leave it without the DNS keyword it should work, as the reply from the DNS server will be sent straight to the client.
My recommendation is to disable it, as the ASA will always eavesdrop on the DNS reply and change the A record as the NAT says.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-24-2014 08:48 AM
Didn't you read this at the top of my first message???
-----------------------------------------------------------DNS
In DNS server, we have:
zone [bsu.by]
dns A 10.149.254.39
www A 10.149.254.35
smtp A 10.149.254.2
mail A 10.0.0.5
>3. DNS Server A record will point to the public IP Address of the server 217.21.43.3
Absolutely wrong from this point.
No, my DNS server A record contains the PRIVATE address of my servers. And on the OUTSIDE interface, I want to see its PUBLIC, EXTERNAL ADDRESS. On version 8.2 it worked. On 8.4 - no.
Repeat:
There is a DNS server on the DMZ-WEB interface. There is an A record xxx A 10.x.x.x on it. I want to see the record
xxx A 217.21.43.y on the OUTSIDE interface.
01-24-2014 09:00 AM
Now it makes more sense!
Sorry man, but I have to focus on a lot of things, not just on this discussion. SORRY for the misunderstanding.
Can you share:
show run policy-map
show service-policy
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-24-2014 09:41 AM
For version 8.2 -----
asa#show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 12528866, drop 169854, reset-drop 0
Inspect: ftp, packet 8835, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 533, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 103, drop 90, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 336, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 7992
Inspect: sqlnet, packet 121, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: skinny , packet 229, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 982
Inspect: sunrpc, packet 24, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 21662, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 96
Inspect: netbios, packet 14583, drop 0, reset-drop 0
Inspect: tftp, packet 15, drop 0, reset-drop 0
asa# show run policy-map
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map pESMTP
!
For version 8.47:
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map policy-conn-param-INSIDE
class class-conn-param-tcp-01
set connection per-client-max 10 per-client-embryonic-max 20 random-sequence-number disable
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect dns
policy-map pESMTP
!
01-24-2014 10:17 AM
Hello,
Did you remove the deep packet inspection for DNS at any point?
Add:
policy-map global_policy
inspect dns dns preset_dns_map
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-24-2014 11:22 AM
First:
inspect dns preset_dns_map
"dns dns" gives an error.
Second:
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map policy-conn-param-INSIDE
class class-conn-param-tcp-01
set connection per-client-max 10 per-client-embryonic-max 20 random-sequence-number disable
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect dns preset_dns_map
policy-map pESMTP
!
asa# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: netbios, packet 21, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
Inspect: dns preset_dns_map, packet 84414, drop 1, reset-drop 0
Interface INSIDE:
Service-policy: policy-conn-param-INSIDE
Class-map: class-conn-param-tcp-01
Set connection policy: per-client-max 10 per-client-embryonic-max 20 random-sequence-number disable
current conns 0, drop 0
Third: no change ever. DNS not doctored.
01-24-2014 01:40 PM
1 and 2) You got my point man!!!!!!
3) Any difference after adding the DNS L7 inspection??
If not, well, you are on the 8.3 track man. I would never ever recommend or use that entire track version to anyone with an ASA. "Bugs Everywhere"
It was like the "experimental" version after the big changes.
I am aware that on 8.4(4)1 this works perfectly. Check the release notes of it and try to upgrade.
Regards
01-27-2014 11:17 PM
No differences. It does not work no matter what I include in my DNS inspection policy.
I am using 8.4(7). The 8.3 references are only for the new syntax. I tried 9.03 too with the exact same results.
01-27-2014 05:00 PM
Hey,
What's the latest update on this?????
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
02-05-2014 06:19 AM
I found a PARTIAL solution.
If I write
object network xxx.bsu
host 10.x.x.x
nat (any,any) static xxx.bsu.by (DNS keyword useless here)
object network xxx.by
host 217.y.y.y
nat (OUTSIDE,DMZ-WEB) static xxx.bsu dns
the DNS doctoring starts to work. But... it starts to work ALWAYS. ANY DNS requests are translated to 217.y.y.y now.
It does not matter which interface is first: NAT (INSIDE,DMZ-WEB) or even (DMZ-WEB,DMZ-WEB) works just as well.
I want to fix only requests from the OUTSIDE interface. The ones from INSIDE have to be non-doctored.
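To make the expected behaviour of the dns keyword concrete (the rewrite asked for in the first post, and the "only when the reply goes to OUTSIDE" condition asked for in the partial solution above), here is an added, offline simulation of DNS doctoring in Python; it is not ASA code and not from the thread. The NAT table is constructed from the thread's 8.2 "static ... dns" lines, and the matching rule (rewrite an A record only when its real address has a static NAT whose mapped side is the interface the reply is leaving on) is a simplified model, not the ASA's exact logic.

```python
import struct
import ipaddress

# Constructed from the thread's 8.2 config: (real_ifc, mapped_ifc, real_ip, mapped_ip).
NAT_TABLE = [
    ("DMZ-WEB", "OUTSIDE", "10.149.254.39", "217.21.43.2"),
    ("DMZ-MAIL", "OUTSIDE", "10.149.254.2", "217.21.43.224"),
    ("INSIDE", "OUTSIDE", "10.0.0.5", "217.21.43.223"),
    ("DMZ-WEB", "OUTSIDE", "10.149.254.35", "217.21.43.3"),
]

def skip_name(msg, off):
    """Return the offset just past a DNS name, handling a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length

def doctor_reply(msg, egress_ifc, nat=NAT_TABLE):
    """Rewrite A-record RDATA in a DNS reply the way a 'dns' NAT keyword does.
    Simplified model: only rules whose mapped interface is the reply's egress
    interface apply, so a reply heading to INSIDE is left untouched."""
    rewrites = {real: mapped for _, mf, real, mapped in nat if mf == egress_ifc}
    out = bytearray(msg)
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):            # skip question section (name + type + class)
        off = skip_name(msg, off) + 4
    for _ in range(ancount):            # walk the answer RRs
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:   # A record
            real = str(ipaddress.IPv4Address(msg[off:off + 4]))
            if real in rewrites:
                out[off:off + 4] = ipaddress.IPv4Address(rewrites[real]).packed
        off += rdlen
    return bytes(out)

def build_reply(qname, ip):
    """Constructed sample reply: one question, one A answer with a compressed name."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = name + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer

def answer_ip(msg):
    """Return the first A answer's address (used to check a reply)."""
    off = skip_name(msg, 12) + 4
    off = skip_name(msg, off) + 10
    return str(ipaddress.IPv4Address(msg[off:off + 4]))
```

Running build_reply("dns.bsu.by", "10.149.254.39") through doctor_reply with egress "OUTSIDE" yields 217.21.43.2, while egress "INSIDE" leaves 10.149.254.39, which is the split behaviour the thread is after.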
04-12-2014 07:49 AM
Hey man,
Did you ever find a solution to this problem? I actually am stuck in the same scenario, but on 9.1.x. In 9.x the DNS doctoring is now rewriting PTR requests as well. This has caused big problems for me as external PTR lookups are getting rewritten to their local IP and breaking.
I am basically trying to do the same thing as you, except opposite. I want to rewrite all public to local for inside DNS lookups, and leave external lookups alone.
Please let me know if you have found how to make this type of behavior possible.