Asa dns nat

Quick question, can an ASA rewrite DNS lookups? If not then I'm pretty confused.

When using a google DNS server if I lookup domain.com outside of my ASA it returns the proper global address. However, if I do the lookup on the inside of my ASA against the same DNS server it returns my internal IP address.

Has anyone seen anything like this?

Find more posts tagged with

Comments

ConstantlyLearning

burbankmarc wrote: »

Quick question, can an ASA rewrite DNS lookups? If not then I'm pretty confused.

When using a google DNS server if I lookup domain.com outside of my ASA it returns the proper global address. However, if I do the lookup on the inside of my ASA against the same DNS server it returns my internal IP address.

Has anyone seen anything like this?

Nope, what happens if you try connecting to a public web page from the inside? Does the connection complete, does the page load?

I know it has the 'DNS doctoring' funtionality but that's a bit differant to this.

burbankmarc

Everything else works fine. This isn't a huge deal I'm just really confused as to why resolution against the same server returns different results. I don't even use much NATing on my ASA, since it's not the edge device.

Example:

djones@djones-desktop:~$ host mydomain.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases: 

mydomain.com has address 192.168.26.34
mydomain.com mail is handled by 10 mail.mydomain.com.
djones@djones-desktop:~$ host mydomain.com ns1.mydomain.com
Using domain server:
Name: ns1.mydomain.internal
Address: x.x.x.40#53
Aliases: 

mydomain.com has address x.x.x.34
mydomain.com mail is handled by 10 mail.mydomain.com.

So google returns my internal address, but if I use my DNS server on my DMZ it returns the proper external address.

Here's what happens when I run the same test agains google on a machine outside of my network.

[djones@sufmail djones]$ host mydomain.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases: 

mydomain.com has address x.x.x.34
mydomain.com mail is handled by 10 mail.mydomain.com.

Like I said this really isn't hurting anything, I'd just like to know what the cause of this is.

Ahriakin

It is rewriting the DNS replies. As long as the Static for the host you are trying to get to exists on that ASA, and your path to the DNS server passes through it then it will rewrite the IP to the Mapped value if the DNS keyword was added to the Static xlation statement (and DNS inspection is still enabled in your global-policy, which it is by default).

If you want to verify run a capture from inside the ASA itself for DNS to google, set it for the OUTSIDE, INSIDE and DMZ interfaces and compare the results. You should see the public IP in the reply to the request from the INSIDE on your OUTSIDE capture, but the private IP returned on the INSIDE version of the same cap.

burbankmarc

That's pretty interesting. I figured it would rewrite the headers all day long, but I never thought that the DNS inpsection would rewrite the data portion of the packet.

ConstantlyLearning

Wait, was the domain you were doing the lookup for, an internal domain?

burbankmarc

No, it's a public domain