DNS Doctoring for PIX 6.3(4)

doliver
Level 1

Can someone please tell me the best way to do 'DNS Doctoring' for internal clients to reach an internal DNS server without using the 'alias' command. Thanks for your assistance.

Dean

25 Replies

laje
Level 1

To my understanding, this can be accomplished with the use of "dns" in your static command statement referencing the DNS server, i.e. assuming a two-pronged firewall:

static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 dns 0 0

Where x.x.x.x is the global IP and y.y.y.y is the local IP.

Read through this, it should shed more light:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694

Cheers

Just wanted to give a thanks to everyone here in this topic. I have been wondering how to do this myself for quite some time. Worked out great for me.

scoclayton
Level 7

I am confused... what is it exactly you want the internal clients to do? Why would your internal clients need "DNS doctoring" to access a DNS server on the same network? I am sure I am missing something here, just not sure what it is.

Scott

Scott,

Sorry for the confusion, I was in a hurry and didn't explain well. I need internal clients, when they make a request to a server (say a web server) via its external FQDN (www.domain.com), where the server is physically on the inside and translated to the outside, to be able to resolve the internal address instead of trying to resolve the externally translated address. I currently have it working with the 'alias' command, but my boss is whining because the PDM does not support the 'alias' command. I hope this clarifies somewhat.

Thanks,

Dean

Where is the DNS server that the internal clients are using in this scenario? Is it outside the PIX? In other words, do the DNS replies from the DNS server to the internal clients pass through the PIX?

Scott

One can use the alias command to doctor DNS replies, or to redirect one IP request to another IP. See the following article for more details.

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

As a side note, using the alias command will disable your ability to use the PDM (PIX Device Manager) for all purposes except monitoring. (If you're a CLI person, you probably don't care.)

Scott,

Yes, www.domain.com is resolved via external DNS.

OK, cool. I just wanted to be sure. The alias command (which has been well documented by myself and others on this forum) has 2 purposes: 1) DNS Doctoring, and 2) Destination NAT. A decision was made in the last few years to try and kill off the alias command (6.3 is the last version that will support it). But we needed a new way to accomplish the same purposes that the alias command gave us.

6.2 introduced the concept of bi-directional NAT. This feature allowed us to configure a static command to perform destination NAT (as opposed to source NAT, as it's commonly used). The most common use of this feature is to NAT a global destination address from an internal host to the local address of a host on the DMZ. I can explain this more if need be... but it really doesn't matter for this post.

In your case, you need to accomplish DNS Doctoring without the use of the alias command. The very first post in response to your original question was dead on. You need to upgrade to at least 6.2 code (I believe that is correct) and add the 'dns' keyword to the static command that you want to be "doctored". The 'dns' keyword simply tells the PIX to modify the payload in the DNS reply packet so that the internal user gets the local address rather than the global address. Check the first post in this thread for more information on this.

Hope this helps.

Scott

Scott,

Thanks for the info. Very informative. As a side note, I have one further question. If I am using PAT utilizing the outside interface address and I am using port redirection using the one translated IP, does that preclude me from using the 'static' command for DNS doctoring? The reason that I ask is that I set it up in a lab under that situation (we only have one public IP in the lab) and I was getting address overlap errors after issuing the 'static' commands for DNS doctoring. If I removed the existing static entries everything worked fine. Our production environment is not this way, but this is more for my edification.

Dean

Good question and one that comes up rather often. Bottom line (for now) is that the 'dns' option is *not* supported on port-redirected statics. The reason for this is that the PIX has no idea which port static the DNS reply is targeted towards. Make sense?

Scott
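To make concrete what Scott describes the 'dns' keyword doing to the reply payload, and the caveat that port-redirected statics are left alone, here is an added Python simulation; it is not PIX code and not part of the original thread. It parses a DNS reply, swaps a global A-record address for the local one from a constructed static table, and skips entries that carry a redirected port. The addresses, hostnames and static table are assumptions.

```python
import struct
import socket

# Constructed static table, modelled on the thread's 'static (inside,outside) global local ... dns':
# (global_ip, local_ip, redirected_port); None = whole-host static, the only kind 'dns' applies to.
STATICS = [
    ("203.0.113.10", "10.1.1.10", None),
    ("203.0.113.20", "10.1.1.20", 80),   # port-redirected static: no doctoring, as Scott notes
]

def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + length

def doctor_dns_reply(pkt, statics=STATICS):
    """Rewrite A-record rdata from global to local address for whole-host statics only."""
    rewrite = {socket.inet_aton(g): socket.inet_aton(l) for g, l, port in statics if port is None}
    out = bytearray(pkt)
    _txid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", pkt[:12])
    if not flags & 0x8000:                 # QR bit clear: a query, nothing to doctor
        return bytes(out)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4     # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            out[off:off + 4] = rewrite.get(pkt[off:off + 4], pkt[off:off + 4])
        off += rdlen
    return bytes(out)

def build_reply(name, ip, txid=0x1234):
    """Constructed minimal DNS reply: one question, one A answer for `name` -> `ip`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + qname + struct.pack("!HH", 1, 1) + answer

def answer_ip(pkt):
    """First A-record address in a single-question reply (used to check results)."""
    off = _skip_name(pkt, _skip_name(pkt, 12) + 4) + 10
    return socket.inet_ntoa(pkt[off:off + 4])
```

Running `answer_ip(doctor_dns_reply(build_reply("www.example.com", "203.0.113.10")))` yields the local address, while a reply for the port-redirected global address passes through unchanged.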

That's what I figured. Thanks Scott.

Dean

Scott, I am currently using aliasing for the global destination from an inside port and would like to discuss further how this is being used, or perhaps a pointer to some information on the bi-directional NAT. If we could discuss that here, or perhaps take it to another post? Thanks...

Bring it on... here is fine or another post. Doesn't make much difference to me. I should see them both.

Scott

Basically, I'm currently using aliasing to redirect traffic coming from the inside network and going to the "outside" network (statics built from outside to a DMZ) and redirecting them to the DMZ system's true IP address. Because the static is between the DMZ and the outside, I don't understand how DNS doctoring could affect traffic coming from the inside.
