06-11-2008 12:28 AM - edited 03-11-2019 05:57 AM
Hi,
I have an inside DNS server that contains records with private IP addresses. My ASA firewall is responsible for rewriting DNS requests from outside hosts.
Now I need to make a zone transfer between the inside DNS server and a DNS server that is placed on the outside network.
My concern is that the outside DNS server will receive data with private addresses.
Can the ASA firewall rewrite the whole DNS zone transfer so that the outside DNS server receives data with public addresses?
06-17-2008 10:41 AM
When DNS inspection is enabled, DNS rewrite provides full support for NAT of DNS messages originating from any interface. If a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A-record is translated correctly. If the DNS inspection engine is disabled, the A-record is not translated.
Refer to the following URL, which explains the configuration of DNS Rewrite in detail:
http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/inspect.html#wp1335922
10-01-2019 11:25 AM - edited 10-01-2019 11:29 AM
@hadbou wrote: When DNS inspection is enabled, DNS rewrite provides full support for NAT of DNS messages originating from any interface. If a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A-record is translated correctly. If the DNS inspection engine is disabled, the A-record is not translated.
Refer to the following URL, which explains the configuration of DNS Rewrite in detail:
http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/inspect.html#wp1335922
The link unfortunately does not work. I have the same problem/question. We know DNS rewrite works for DNS queries, but can it work for whole zone transfers? I just started using a cloud DNS service, with my internal DNS servers as the primary where the cloud DNS receives the zone data from. Since they're internal, they have internal IPs in them, and the ASA translates them to the public IPs when people outside our intranet query our DNS servers. But I just had two whole domains go down, because I didn't notice that, when the zone transfer was performed, the IPs didn't get translated. So when we kicked over to the cloud DNS for DNS on those domains, everything went dead. Is there a way to get actual zone transfers translated, or do we need to keep whole separate copies of our DNS zones for the outside again, essentially undoing the benefits of the DNS rewriting the ASA does? From the documentation at https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/inspect_basic.html#wp1335632 it seems to indicate it's done for A records, but doesn't mention zone transfers, so that's why we're wondering.
10-01-2019 12:31 PM
I do not think this is possible with the DNS rewrite function. Since the zone transfer is copying zone data to another DNS and it is not an actual DNS request, it is not likely that the ASA will see this traffic as a DNS lookup and rewrite each entry accordingly. I am afraid that if you do a zone transfer you will overwrite the public IPs you have on the outside DNS server. I unfortunately have no way of testing this at the moment, so to me it seems (based on logic) that you cannot use DNS rewrite for what you are trying to do. You will need two separate copies of your DNS entries, one on the internal DNS and a separate one on the outside DNS.
10-01-2019 12:35 PM