dns doctoring? dns rewrite https redirect

ino
Level 1

I have a C1111 running Cisco IOS XE Software, Version 16.09.06 (and a 2960X).

Can I somehow catch and rewrite an HTTPS request

along the lines of

facabook.com (123.45.67.89) --> mydomain.com (172.16.0.123)

My target is to catch advert sites and show a gift instead of the ad.

I am pretty sure I can catch it and DROP the packet somehow with NBAR (at least for HTTP, not sure for HTTPS),

but I would prefer to redirect it to my web server,

more or less a DNS rewrite sort of thing.

I don't want to use the router as a DNS server because I am running a separate one on one of my servers,

and creating a zone for each site I want to catch on the DNS server would be too big a mess.

I know I could use the "hosts" file, but if the router could do it somehow I would prefer that.

5 Replies

balaji.bandi
Hall of Fame

Simple: what DNS are you using? If you have your own DNS, punch a DNS hole with a DNS entry for fabook.com pointing to your server IP? Is this what you are looking for?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I am using Windows Server as DNS,

but I would prefer to use the router.

My router has been running for over half a year now, which would be well over a year if there hadn't been a power outage of half a day that my UPS couldn't cover.

During this time I have reinstalled Windows Server 5-6 times. I would like to keep the DNS setup on it to a minimum, maybe even move it completely to the router. Unfortunately I can't set up wildcard domains (needed to block the ads) on it, otherwise the job would be done.

I dug around a bit; it seems to me that with some NBAR / policy-map / NAT trickery it should be possible.

My concern currently is that I would need to NAT from an inside to an inside interface, the blocked side that is,

and also NAT as normal inside-to-outside to reach non-blocked sites.

In addition there is already a policy-map on the outside interface for traffic shaping; not sure if I can combine the two,

but shaping isn't needed much at the moment, so I could give it up if I need to.

but I would prefer to use the router

So are you using DNS on your server for now, and you would like to configure it in the router - is this correct?

BB

I just set up the router as DNS server for my work computer; others are still using my main server as the DNS server.

But let's go with that: I use the router as DNS.

Unfortunately you can't set wildcard domains in the router, and ads come from addresses like dfhuheri.ad.com, wee.ad.com, wwwe.ad.com ....

So I need to catch them with NBAR by "*.ads.com" and somehow NAT it to 10.0.0.1 instead of the real IP.
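Balaji's "punch a DNS hole" suggestion carried out on the Windows DNS server that is already in use: Windows DNS does accept wildcard A records, so one small zone per ad domain with a "*" record catches every label under it without a zone for each hostname. This is an added example, not configuration from the thread; the sink address 10.0.0.1 is the one given above, the DnsServer cmdlets are the standard ones shipped with the Windows DNS role, and the domain list is a constructed sample.

```powershell
# Added example (not from the thread): DNS sinkhole on Windows Server DNS.
# One file-backed primary zone per ad domain, with an apex and a wildcard
# A record, so dfhuheri.ad.com, wee.ad.com, ... all resolve to the local
# web server. Assumes the DnsServer module (Windows DNS role) is installed.
Import-Module DnsServer

$SinkIp  = '10.0.0.1'               # local web server from the thread
$Domains = @('ads.com', 'ad.com')   # constructed sample list of ad domains

foreach ($domain in $Domains) {
    # Create the zone only if it does not exist, so the script is re-runnable
    if (-not (Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $domain -ZoneFile "$domain.dns"
    }

    # '@' is the zone apex (ad.com itself), '*' matches any label below it
    foreach ($name in @('@', '*')) {
        $existing = Get-DnsServerResourceRecord -ZoneName $domain -Name $name `
                        -RRType A -ErrorAction SilentlyContinue
        if (-not $existing) {
            Add-DnsServerResourceRecordA -ZoneName $domain -Name $name `
                -IPv4Address $SinkIp -TimeToLive 00:05:00
        }
    }
}

# Check: a random label under each sinkholed zone must return the sink address
foreach ($domain in $Domains) {
    Resolve-DnsName -Name "dfhuheri.$domain" -Server 127.0.0.1 -Type A |
        Select-Object Name, IPAddress
}
```

An HTTPS request to a sinkholed name still reaches the web server on 10.0.0.1, but the browser rejects its certificate because it cannot be valid for the ad domain, so for HTTPS the ad is blocked rather than replaced and the gift page only appears for plain HTTP.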

ino
Level 1

This here blocks the site:

ip nbar custom test ssl unique-name "*test.com*" id 1

class-map match-all test
match protocol test

policy-map test
class test
police cir 8000 bc 1000 be 1000 conform-action drop exceed-action drop violate-action drop

Next step would be to NAT-redirect it instead of dropping it.