DNS rewrite and zone transfer

tgusset
Level 1

Hi

I have a webserver www.aaa.bb inside (IP p.p.p.11) and a DNS server also inside (IP p.p.p.10).

DNS A record for www.aaa.bb is p.p.p.11.

I use the DNS rewrite option for the static translation from p.p.p.11 to o.o.o.11

If I do nslookup outside, www.aaa.bb will be resolved as o.o.o.11 (as expected)

But there is a secondary DNS outside. If it does a zone transfer, A record for www.aaa.bb is p.p.p.11 (not o.o.o.11 as expected).

Does DNS rewrite not work on zone transfers? Is there a solution for this problem?

1 Reply

gfullage
Cisco Employee

DNS rewrite does NOT work on zone transfers, only on DNS replies.

I'm a little confused about who you're currently doing the rewriting for (internal or external users); it sounds like you're rewriting it for external users. What most people do is put the global address (o.o.o.11) into their DNS server and remove any DNS rewriting for them, so outside users will be able to get to it fine no matter which DNS server they use.

If the DNS server is on the DMZ and the internal users are on an inside interface, then you can use destination NAT for them specifically. This means that when they do a DNS query for the DMZ web server, they'll get an o.o.o.11 (external) address. Their PC will then try to access that, and you can set up the PIX to change any packets that it receives on the inside interface destined for o.o.o.11 so that they actually go to the DMZ at p.p.p.11. The command to do this is as follows:

static (dmz,inside) o.o.o.11 p.p.p.11 netmask 255.255.255.255

Note how the interfaces are swapped around from the normal static. This command says if you see a packet on the inside destined for o.o.o.11, send it to p.p.p.11 on the DMZ int instead. That should be what you need.
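The behaviour described in the reply above, as an added illustration that is not part of the original thread and not the PIX's own code: a small model of DNS rewrite ("DNS doctoring") that only touches A records inside an ordinary UDP DNS reply, and leaves queries and zone-transfer (AXFR) replies alone. The NAT table, the packets and the addresses 10.1.1.11 and 203.0.113.11 (stand-ins for p.p.p.11 and o.o.o.11) are constructed for the example.

```python
"""Model of firewall DNS rewrite applied to DNS replies (illustration only).

Constructed for this example; the real PIX/ASA implementation is not this code.
10.1.1.11 / 203.0.113.11 stand in for p.p.p.11 / o.o.o.11 from the thread.
"""
import socket
import struct

QTYPE_A = 1
QTYPE_AXFR = 252

# Constructed static NAT table: real (inside) address -> mapped (outside) address.
NAT_TABLE = {"10.1.1.11": "203.0.113.11"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_reply(qname: str, qtype: int, a_records: list) -> bytes:
    """Constructed DNS response: one question plus one A record per address.

    For an AXFR reply a real server sends the whole zone (SOA, NS, ...); only
    the A records matter for this illustration, so the layout is kept minimal.
    """
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(a_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answers = b""
    for addr in a_records:
        # owner name = pointer to offset 12 (the question name), type A, class IN,
        # TTL 300, rdlength 4, then the IPv4 address
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + socket.inet_aton(addr)
    return header + question + answers


def doctor_reply(packet: bytes, nat: dict) -> bytes:
    """Rewrite A-record rdata in a DNS reply according to the static NAT table.

    As the reply above states, only answers to ordinary queries are rewritten:
    queries (QR=0) and zone transfers (QTYPE=AXFR) are returned unchanged.
    """
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:           # QR=0: this is a query, nothing to doctor
        return packet
    off = 12
    qtype = None
    for _ in range(qdcount):
        off = skip_name(packet, off)
        qtype, _ = struct.unpack("!HH", packet[off:off + 4])
        off += 4
    if qtype == QTYPE_AXFR:          # zone transfer: left exactly as sent
        return packet
    buf = bytearray(packet)
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            real = socket.inet_ntoa(bytes(buf[off:off + 4]))
            if real in nat:
                buf[off:off + 4] = socket.inet_aton(nat[real])
        off += rdlen
    return bytes(buf)


def extract_a_records(packet: bytes) -> list:
    """Return the A-record addresses found in a reply's answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(packet, off) + 4
    addrs = []
    for _ in range(ancount):
        off = skip_name(packet, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(packet[off:off + 4]))
        off += rdlen
    return addrs


if __name__ == "__main__":
    lookup = build_reply("www.aaa.bb", QTYPE_A, ["10.1.1.11"])
    axfr = build_reply("aaa.bb", QTYPE_AXFR, ["10.1.1.11"])
    print("A lookup after rewrite:", extract_a_records(doctor_reply(lookup, NAT_TABLE)))
    print("AXFR after rewrite:   ", extract_a_records(doctor_reply(axfr, NAT_TABLE)))
```

Running the script shows the mismatch the original poster saw: the ordinary lookup comes back with the mapped address, while the zone transfer still carries the inside address, which is why the secondary server outside ends up publishing p.p.p.11. Putting o.o.o.11 into the zone itself, as the reply suggests, removes the dependency on the firewall rewriting anything.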