Hello,

We are creating a new infrastructure in our DC.

It involves Border, Firewall, Core, Lan Access... AND DNS solution.

So, to reduce the complexity and by security questions, I created a simulated Scenario that express my doubt.

The ideas in here are:

• Avoid double NAT on stations accessing internal servers
• Distribute the DNS entries on their own DNS-Server-Costumer.
• Simplify the managing of our Authoritative DNS-Servers, not needing to filter the source of the request to define the reply.

So, to the practice!

Please follow the my logic on the attached drawing.

First - Internal Stations reaching internal servers using internal DNS

Very Simple! ASA does Nothing!

1. Lets say station 192.168.10.65 need to access www.costumer-a.com.
2. The station is configured to consult internal DNS(192.168.10.10).
3. The Internal DNS reply with 192.168.10.20.
4. Station talks directly to Server
5. And every thing is blue...

P.S.: This works also to customer b.

Second - External Client(Internet) reaching internal servers(by NAT)

Here comes my doubts.

1. Lets say an internet station 200.201.202.203 need to access www.costumer-a.com.
2. It will make a DNS consult by www.costumer-a.com to the DNS that is configured over there.
3. DNS World Hierarchy will deliver this consult to aour DNS server(172.30.100.10)
4. Our DNS will make a consult of "www.costumer-a.com" to 172.30.10.10
5. This consult will reach the internal DNS-Server(192.168.10.10)
6. The Internal DNS reply with 192.168.10.20 to our DNS-Server
7. When this reply passes across ASA, it will Re-Write the answer to Nated IP 172.30.10.20
   • Will it??? Even been the inverse of the usual?
     
   • And if the communication between our DNS-Server and our Costumer DNS-Server, instead of been a simple consult it occurs as a DNS TCP? Will ASA rewrite this answer?
   • If the consult that Internet Station made were "system.costumer-a.com", considering that it doesn't has a Static NAT(It goes out by a overload NAT), What will Happen?
     
8. Our DNS-server will receive this answer and will reply it to the original consult
9. The Internet station will receive the DNS Reply with public IP of the server.
10. The Internet station will connect to the public IP, that will be Nated.
11. And every thing is blue...

Third - Internal Client, misconfigured, using external DNS(8.8.8.8 for example)

Almost as the second situation, but will occours two ReWrites.

1. Lets say the station 192.168.10.75 need to access www.costumer-a.com.
2. It will make a DNS consult by www.costumer-a.com to the DNS that is forced, 8.8.8.8(google)
3. DNS World Hierarchy will deliver this consult to aour DNS server(172.30.100.10)
4. Our DNS will make a consult of "www.costumer-a.com" to 172.30.10.10
5. This consult will reach the internal DNS-Server(192.168.10.10)
6. The Internal DNS reply with 192.168.10.20 to our DNS-Server
7. When this reply passes across ASA, it will Re-Write the answer to Nated IP 172.30.10.20
   • This is the First ReWrite
8. Our DNS-server will receive this answer and will reply it to 8.8.8.8
9. Google DNS-Server will receive it and reply 172.30.10.20 to the internal station.
10. When this reply passes acros ASA(again), it will Re-Write the answer to Nated IP 192.168.10.20
    • This is the Second ReWrite
11. The internal station will receive the DNS Reply with internal IP address of the server.
12. The internal station will talk directly to the server.
13. And every thing is blue...

Will this really happend or there is some more issues that We are not considering?