Asa dns nat

burbankmarcburbankmarc Member Posts: 460
Quick question, can an ASA rewrite DNS lookups? If not then I'm pretty confused.

When using a google DNS server if I lookup domain.com outside of my ASA it returns the proper global address. However, if I do the lookup on the inside of my ASA against the same DNS server it returns my internal IP address.

Has anyone seen anything like this?

Comments

  • ConstantlyLearningConstantlyLearning Member Posts: 445
    Quick question, can an ASA rewrite DNS lookups? If not then I'm pretty confused.

    When using a google DNS server if I lookup domain.com outside of my ASA it returns the proper global address. However, if I do the lookup on the inside of my ASA against the same DNS server it returns my internal IP address.

    Has anyone seen anything like this?

    Nope, what happens if you try connecting to a public web page from the inside? Does the connection complete, does the page load?

    I know it has the 'DNS doctoring' funtionality but that's a bit differant to this.
    "There are 3 types of people in this world, those who can count and those who can't"
  • burbankmarcburbankmarc Member Posts: 460
    Everything else works fine. This isn't a huge deal I'm just really confused as to why resolution against the same server returns different results. I don't even use much NATing on my ASA, since it's not the edge device.

    Example:
    [email protected]:~$ host mydomain.com 8.8.8.8
    Using domain server:
    Name: 8.8.8.8
    Address: 8.8.8.8#53
    Aliases: 
    
    mydomain.com has address 192.168.26.34
    mydomain.com mail is handled by 10 mail.mydomain.com.
    [email protected]:~$ host mydomain.com ns1.mydomain.com
    Using domain server:
    Name: ns1.mydomain.internal
    Address: x.x.x.40#53
    Aliases: 
    
    mydomain.com has address x.x.x.34
    mydomain.com mail is handled by 10 mail.mydomain.com.
    

    So google returns my internal address, but if I use my DNS server on my DMZ it returns the proper external address.

    Here's what happens when I run the same test agains google on a machine outside of my network.
    [[email protected] djones]$ host mydomain.com 8.8.8.8
    Using domain server:
    Name: 8.8.8.8
    Address: 8.8.8.8#53
    Aliases: 
    
    mydomain.com has address x.x.x.34
    mydomain.com mail is handled by 10 mail.mydomain.com.
    
    

    Like I said this really isn't hurting anything, I'd just like to know what the cause of this is.
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,799 ■■■■■■■■□□
    It is rewriting the DNS replies. As long as the Static for the host you are trying to get to exists on that ASA, and your path to the DNS server passes through it then it will rewrite the IP to the Mapped value if the DNS keyword was added to the Static xlation statement (and DNS inspection is still enabled in your global-policy, which it is by default).

    If you want to verify run a capture from inside the ASA itself for DNS to google, set it for the OUTSIDE, INSIDE and DMZ interfaces and compare the results. You should see the public IP in the reply to the request from the INSIDE on your OUTSIDE capture, but the private IP returned on the INSIDE version of the same cap.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • burbankmarcburbankmarc Member Posts: 460
    That's pretty interesting. I figured it would rewrite the headers all day long, but I never thought that the DNS inpsection would rewrite the data portion of the packet.
  • ConstantlyLearningConstantlyLearning Member Posts: 445
    Wait, was the domain you were doing the lookup for, an internal domain?
    "There are 3 types of people in this world, those who can count and those who can't"
  • burbankmarcburbankmarc Member Posts: 460
    No, it's a public domain
Sign In or Register to comment.