Cisco ASA 5505 Configuration Manual page 787

Chapter 37
Configuring Inspection of Basic Internet Protocols
DNS Inspection

How DNS Rewrite Works

When DNS inspection is enabled, DNS rewrite provides full support for NAT of DNS messages originating from any interface.

If a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A-record is translated correctly. If the DNS inspection engine is disabled, the A-record is not translated.

As long as DNS inspection remains enabled, you can configure DNS rewrite using a NAT rule.

DNS rewrite performs two functions:
• Translating a public address (the routable or "mapped" address) in a DNS reply to a private address (the "real" address) when the DNS client is on a private interface.
• Translating a private address to a public address when the DNS client is on the public interface.

In Figure 37-1, the DNS server resides on the external (ISP) network. The real address of the server (192.168.100.1) has been mapped using the static command to the ISP-assigned address (209.165.200.5). When a web client on the inside interface attempts to access the web server with the URL http://server.example.com, the host running the web client sends a DNS request to the DNS server to resolve the IP address of the web server. The adaptive security appliance translates the non-routable source address in the IP header and forwards the request to the ISP network on its outside interface. When the DNS reply is returned, the adaptive security appliance applies address translation not only to the destination address, but also to the embedded IP address of the web server, which is contained in the A-record in the DNS reply. As a result, the web client on the inside network gets the correct address for connecting to the web server on the inside network.

Figure 37-1 Translating the Address in a DNS Reply (DNS Rewrite)
[Figure: web server 192.168.100.1 and web client 192.168.100.2 on the inside network behind the security appliance; DNS server on the ISP Internet. The client requests http://server.example.com; the DNS server answers "server.example.com IN A 209.165.200.5", and the security appliance rewrites the embedded address to 192.168.100.1 before delivering the reply to the client.]

DNS rewrite also works if the client making the DNS request is on a DMZ network and the DNS server is on an inside interface.

Figure 37-2 provides a more complex scenario to illustrate how DNS inspection allows NAT to operate transparently with a DNS server with minimal configuration.

Configuring DNS Rewrite

You configure DNS rewrite using the NAT configuration.

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 37-3
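The rewrite behaviour described above, as an added example that is not part of the Cisco guide: a small Python model that parses a constructed DNS reply, locates the IN A records in the answer section, and swaps the embedded address according to the static mapping of Figure 37-1 (real 192.168.100.1, mapped 209.165.200.5), leaving it untouched when inspection is off. The NAT table, the two-interface simplification (inside versus any other interface) and all function names are assumptions made for this illustration.

```python
import struct

# Constructed NAT table mirroring Figure 37-1: real (inside) address -> mapped (ISP-assigned) address.
NAT_STATIC = {"192.168.100.1": "209.165.200.5"}

def build_dns_reply(name, ip, txid=0x1234):
    """Constructed test input: a minimal DNS response with one IN A answer for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD+RA, 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)    # name pointer to offset 12, TTL 300
    return header + question + answer + bytes(int(x) for x in ip.split("."))

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, and it ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def _a_record_rdata_offsets(msg):
    """Yield the RDATA offset of every IN A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                           # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen

def answer_addresses(msg):
    """A-record addresses in the reply as dotted quads (used to check results)."""
    return [".".join(str(b) for b in msg[o:o + 4]) for o in _a_record_rdata_offsets(msg)]

def dns_rewrite(msg, client_interface, inspection_enabled=True):
    """Rewrite the embedded A-record addresses of a reply heading to `client_interface`."""
    if not inspection_enabled:
        return msg                     # inspection disabled: the A-record is forwarded untranslated
    # A client on the private side receives real addresses; a client on the public side receives mapped ones.
    table = {m: r for r, m in NAT_STATIC.items()} if client_interface == "inside" else dict(NAT_STATIC)
    out = bytearray(msg)
    for off in _a_record_rdata_offsets(msg):
        addr = ".".join(str(b) for b in msg[off:off + 4])
        if addr in table:
            out[off:off + 4] = bytes(int(x) for x in table[addr].split("."))
    return bytes(out)
```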
