I am looking to achieve the following -
Internal Client with Internal address but Public DNS server.
The default GW of Internal client is an ASA.
Is there a way for the ASA to "intercept" the DNS lookup of a certain FQDN (e.g. Guest.company.com) which is only resolvable via my internal DNS servers and forward this request to one of these servers?
DNS doctoring seems to look at return IP addresses from public DNS servers and then do some magic based on that. I need to have the ASA recognise a FQDN within an initial DNS request and send that request to an Internal server.
Your question is not clear. Could you please give an example with IP addresses; that would make it clearer. Like: who is the client (source), where is the web server (public IP and real IP), where is the DNS server, etc.
Scenario in which I would be using this (ISE/CWA):
Client connects to Guest SSID
Client receives Public DNS Servers as part of its DHCP config.
As part of my ISE policy, client will ultimately receive a CWA URL which is only resolvable by my Internal DNS servers
Client will do a DNS lookup for that URL which will be sent to the client's public DNS servers (this traffic will traverse the ASA as it is the client's GW)
I want the ASA to be able to intercept this DNS request before it goes outside and to direct it to my Internal DNS.
I know that I can use an IP in the CWA redirect but this is something I prefer not to do. I would like to achieve the above if possible.
Well, we can do that but it would not be conditional. It will redirect all the requests going to the external DNS server to the internal DNS server. We will have to create a static NAT, something like:
nat (inside,inside) source dynamic any interface destination static obj-184.108.40.206 obj-220.127.116.11
where obj-18.104.22.168 is the internal DNS server IP address
obj-22.214.171.124 is the external DNS server IP address
We are creating this dummy NAT entry so that when traffic comes to the inside interface for 126.96.36.199 (external DNS server), the source gets translated to the inside interface and the destination gets un-NATed to 188.8.131.52 (internal DNS server). The reason for PATing the source address is to ensure that the reply packet comes to the ASA and there is no asymmetric routing. Since this is UDP traffic, I believe it should work without the source NAT as well, but try it with the source NAT first if there is no issue.
**Try to add this NAT at line 1. We would want to make sure that this takes preference.
Also, add the command below to allow the u-turn:
same-security-traffic permit intra-interface
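The configuration this answer describes, written out in full as an added example (it is not the poster's configuration and uses assumed addresses that are not in the thread): 192.0.2.53 stands in for the public DNS server the guests get from DHCP, 10.10.10.53 for the internal DNS server, 10.20.0.15 for a guest client, and `inside` for the interface the guests sit behind. It adds the object definitions the `nat` line needs, puts the rule at line 1 as the answer recommends, and ends with a `packet-tracer` check.

```text
! Assumed addresses (not from the original thread):
!   192.0.2.53   public DNS server handed to guests by DHCP
!   10.10.10.53  internal DNS server that can resolve the CWA FQDN
!   10.20.0.15   a guest client behind the inside interface
!
! Let a packet enter and leave through the same interface (u-turn).
same-security-traffic permit intra-interface
!
! Mapped (public) and real (internal) addresses for the destination NAT.
object network obj-public-dns
 host 192.0.2.53
object network obj-internal-dns
 host 10.10.10.53
!
! Twice NAT at line 1 so it is evaluated before any other rule:
! traffic arriving on inside for 192.0.2.53 gets its destination
! rewritten to 10.10.10.53 and its source PATed to the inside
! interface address, so the DNS reply returns through the ASA rather
! than straight to the client (no asymmetric routing).
nat (inside,inside) 1 source dynamic any interface destination static obj-public-dns obj-internal-dns
!
! Verification: confirm the rule is at line 1 and watch a query get
! translated. The trace should show the destination as 10.10.10.53.
show nat detail
packet-tracer input inside udp 10.20.0.15 40000 192.0.2.53 53 detailed
```

As the answer notes, this is not conditional on the queried name: every query a guest sends to 192.0.2.53 ends up at 10.10.10.53, so the internal resolver must be able to answer (or forward) the guests' public lookups too, or guests lose name resolution for everything else.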
If you have SourceFire module on your ASA firewall you can use an option called Sinkhole and achieve this.
I solved this issue in this way:
My CWA URL is something like firstname.lastname@example.org, so I asked my ISP to publish this DNS record to a public IP address, obviously from my own public addresses; let's say this address is 184.108.40.206. So guest users obtaining public DNS servers are now resolving email@example.com with IP 220.127.116.11, but the Guest page is not really published so it is not reachable from outside, and it is something we want to do!
Then I configured DNS doctoring as per this link:
and all is fine!
You can also use public ip addresses not directly connected to your ASA firewall.
Hope this helps,
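The DNS doctoring setup this reply refers to, written out as an added example (it is not the poster's configuration or the linked document's, and the addresses are assumed): 10.10.20.80 is the internal address of the CWA/guest portal host and 203.0.113.80 is the public address the ISP publishes the CWA FQDN to. The `dns` keyword on the static NAT is what makes the ASA rewrite the A record in replies from the public resolver, so the guest client ends up connecting to the internal address even though the public one is never reachable from outside.

```text
! Assumed addresses (not from the original thread):
!   10.10.20.80    real (internal) address of the CWA/guest portal host
!   203.0.113.80   public address the ISP publishes the CWA FQDN to
! Guests and the portal host are both behind the inside interface;
! the public resolver is reached through outside. Adjust the
! interface pair if the portal lives on another interface.
!
! Static NAT for the portal host with DNS rewrite enabled. The mapped
! address need not be on the ASA or reachable from outside; it only has
! to match what the public A record returns, so the ASA can swap it for
! the real address in the reply as it passes from outside to inside.
object network obj-cwa-portal
 host 10.10.20.80
 nat (inside,outside) static 203.0.113.80 dns
!
! DNS inspection must be enabled for the rewrite to happen. It is part
! of the default global policy; shown here in case it was removed.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! Verification: from a guest client, resolve the CWA FQDN. The answer
! should be 10.10.20.80, not 203.0.113.80. On the ASA:
show xlate
show service-policy inspect dns
```

If the guest client still receives 203.0.113.80, check that the reply actually traverses the ASA between the `outside` and `inside` interfaces named in the `nat` line; doctoring only applies to DNS replies crossing the mapped-to-real interface pair of that rule.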