11-08-2004 07:55 AM - edited 02-20-2020 11:44 PM
Can someone please tell me the best way to do 'DNS Doctoring' for internal clients to reach an internal DNS server without using the 'alias' command. Thanks for your assistance.
Dean
11-08-2004 09:23 AM
To my understanding, this can be accomplished with the use of "dns" in your static command statement referencing the DNS server, i.e. assuming a two-pronged firewall:
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 dns 0 0
Where x.x.x.x is the global IP and y.y.y.y its local IP.
Read through this, it should shed more light:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694
Cheers
12-31-2004 01:01 PM
Just wanted to give a thanks to everyone here in this topic. I have been wondering how to do this myself for quite some time. Worked out great for me.
11-08-2004 07:39 PM
I am confused... what is it exactly you want the internal clients to do? Why would your internal clients need "DNS doctoring" to access a DNS server on the same network? I am sure I am missing something here, just not sure what it is.
Scott
11-09-2004 07:13 AM
Scott,
Sorry for the confusion, I was in a hurry and didn't explain well. I need internal clients, when they make a request to a server (say a web server) via external FQDN (www.domain.com), where the server is physically on the inside and translated to the outside, to be able to resolve via the internal address instead of trying to resolve the externally translated address. I currently have it working with the 'alias' command, but my boss is whining because the PDM does not support the 'alias' command. I hope this clarifies somewhat.
Thanks,
Dean
11-09-2004 07:43 AM
Where is the DNS server that the internal clients are using in this scenario? Is it outside the PIX? In other words, do the DNS replies from the DNS server to the internal clients pass through the PIX?
Scott
11-09-2004 08:45 AM
One can use the alias command to doctor DNS replies, or to redirect one IP request to another IP. See the following article for more details.
As a side note, using the alias command will disable your ability to use the PDM (PIX Device Manager) for all purposes except monitoring. (If you're a CLI person, you probably don't care.)
11-09-2004 10:48 AM
Scott,
Yes, www.domain.com is resolved via external DNS.
11-09-2004 06:02 PM
OK, cool. I just wanted to be sure. The alias command (which has been well documented by myself and others on this forum) has 2 purposes: 1) DNS Doctoring, and 2) Destination NAT. A decision was made in the last few years to try and kill off the alias command (6.3 is the last version that will support it). But we needed a new way to accomplish the same purposes that the alias command gave us.
6.2 introduced the concept of bi-directional NAT. This feature allowed us to configure a static command to perform destination NAT (as opposed to source NAT, as it's commonly used). The most common use of this feature is to NAT a global destination address from an internal host to a local address for a host on the DMZ. I can explain this more if need be... but it really doesn't matter for this post.
In your case, you need to accomplish DNS Doctoring without the use of the alias command. The very first post in response to your original question was dead on. You need to upgrade to at least 6.2 code (I believe that is correct) and add the 'dns' keyword to the static command that you want to be "doctored". The 'dns' keyword simply tells the PIX to modify the payload in the DNS reply packet so that the internal user gets the local address rather than the global address. Check the first post in this thread for more information on this.
Hope this helps.
Scott
11-09-2004 07:20 PM
Scott,
Thanks for the info. Very informative. As a side note, I have one further question. If I am using PAT utilizing the outside interface address and I am using port redirection using the one translated IP, does that preclude me from using the 'static' command for DNS doctoring? The reason that I ask is that I set it up in a lab under that situation (we only have one public IP in the lab) and I was getting address overlap errors after issuing the 'static' commands for DNS doctoring. If I removed the existing static entries everything worked fine. Our production environment is not this way, but this is more for my edification.
Dean
11-09-2004 08:06 PM
Good question and one that comes up rather often. Bottom line (for now) is that the 'dns' option is *not* supported on port-redirected statics. The reason for this is that the PIX has no idea which port static the DNS reply is targeted towards. Make sense?
Scott
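To make the two points above concrete (the 'dns' keyword rewriting the A-record payload in the reply, and why that cannot work for port-redirected statics), here is an added Python model that is not from this thread or from Cisco: it builds a minimal DNS reply, parses its answer section, and rewrites the global address to the local one from a constructed static table. The addresses, host names and the STATICS table are assumptions; a global IP that any port static uses is deliberately left undoctored, since the reply carries no port to pick the right local host.

```python
import struct
# Constructed statics as (global_ip, local_ip, port); port None = one-to-one 'dns' static.
STATICS = [
    ("203.0.113.10", "10.1.1.10", None),
    ("203.0.113.20", "10.1.1.21", 80),   # two port-redirected statics share one global IP
    ("203.0.113.20", "10.1.1.22", 25),
]

def doctor_table(statics):
    """Global -> local map, excluding any global a port static uses (reply has no port)."""
    locals_for, redirected = {}, set()
    for g, l, port in statics:
        locals_for.setdefault(g, set()).add(l)
        if port is not None:
            redirected.add(g)
    return {g: next(iter(ls)) for g, ls in locals_for.items()
            if g not in redirected and len(ls) == 1}

def build_reply(name, ip):
    """Constructed minimal DNS reply: header, one question, one A answer."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    return hdr + qname + struct.pack("!HH", 1, 1) + ans

def skip_name(pkt, pos):  # step over a label sequence or a compression pointer
    while pkt[pos] & 0xC0 != 0xC0 and pkt[pos] != 0:
        pos += pkt[pos] + 1
    return pos + (2 if pkt[pos] & 0xC0 == 0xC0 else 1)

def a_records(pkt):
    """Return [(rdata_offset, ip)] for each A record in the answer section."""
    qd, an = struct.unpack("!HH", pkt[4:8])
    pos, found = 12, []
    for _ in range(qd):
        pos = skip_name(pkt, pos) + 4            # skip QTYPE and QCLASS
    for _ in range(an):
        pos = skip_name(pkt, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            found.append((pos + 10, ".".join(map(str, pkt[pos + 10:pos + 14]))))
        pos += 10 + rdlen
    return found

def doctor_reply(pkt, table):
    """Rewrite A-record payloads global -> local, as the 'dns' keyword makes the PIX do."""
    out = bytearray(pkt)
    for off, ip in a_records(pkt):
        if ip in table:
            out[off:off + 4] = bytes(map(int, table[ip].split(".")))
    return bytes(out)
```

Running `doctor_reply(build_reply("www.domain.com", "203.0.113.10"), doctor_table(STATICS))` yields a reply whose answer is 10.1.1.10, while a reply for 203.0.113.20 passes through unchanged.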
11-09-2004 08:21 PM
That's what I figured. Thanks Scott.
Dean
11-11-2004 02:46 PM
Scott, I am currently using aliasing for the global destination from an inside port and would like to discuss further how this is being used, or perhaps a pointer to some information on the bi-directional NAT. If we could discuss that here, or perhaps take it to another post? Thanks...
11-12-2004 09:15 AM
Bring it on...here is fine or another post. Doesn't make much difference to me. I should see them both.
Scott
12-22-2004 11:37 AM
Basically, I'm currently using aliasing to redirect traffic coming from the inside network and going to the "outside" network (statics built from outside to a DMZ) and redirecting them to the DMZ system's true IP address. Because the static is between the DMZ and the outside, I don't understand how DNS doctoring could affect traffic coming from the inside.