05-31-2013 02:14 PM - edited 03-11-2019 06:51 PM
Hi,
I'm trying to confirm the requirements for dns rewrite to work from the inside to a dmz host. The dmz host has a public ip and a private ip of course and has the following object nat
object network foo
 host 10.10.10.10
 nat (dmz1,outside) static a.b.c.d dns
public ip a.b.c.d is entered in the local dns server and resolves on the inside.
Are there any other requirements for this to work from the inside when they use the domain name for a.b.c.d ?
Thanks.
05-31-2013 02:47 PM
Hello Lcaruso,
I'm trying to confirm the requirements for dns rewrite to work from the inside to a dmz host.
The DNS query and the record provided must traverse the ASA; that's the requirement. The ASA must see the DNS query and response.
The configuration is the one you have already so that's good.
05-31-2013 02:54 PM
Thanks for your reply.
So if the client machine on the inside is talking to a dns server on the inside and the domain name used by the client resolves to a public ip address, that doesn't meet the requirements?
It's not working, although I thought I'd seen this scenario work elsewhere.
05-31-2013 03:55 PM
Then the ASA will not be able to modify the A-record.
Regards
05-31-2013 03:15 PM
If the DNS server is on the inside, then the DNS query will not traverse the ASA.
Sent from Cisco Technical Support Android App
05-31-2013 06:08 PM
You will have to either change your DNS record to a private address or configure hair pinning.
Sent from Cisco Technical Support Android App