How Dns Rewrite Works - Cisco FirePOWER ASA 5500 series Configuration Manual

DNS Inspection
•
•
A single connection is created for multiple DNS sessions, as long as they are between the same two
hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and
protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs
independently.
Because the app_id expires independently, a legitimate DNS response can only pass through the security
appliance within a limited period of time and there is no resource build-up. However, if you enter the
show conn command, you will see the idle timer of a DNS connection being reset by a new DNS session.
This is due to the nature of the shared DNS connection and is by design.

How DNS Rewrite Works

When DNS inspection is enabled, DNS rewrite provides full support for NAT of DNS messages
originating from any interface.
If a client on an inside network requests DNS resolution of an inside address from a DNS server on an
outside interface, the DNS A-record is translated correctly. If the DNS inspection engine is disabled, the
A-record is not translated.
As long as DNS inspection remains enabled, you can configure DNS rewrite using the alias, static, or
nat commands. For details about the configuration required see the
on page
DNS Rewrite performs two functions:
•
•
In Figure
(192.168.100.1) has been mapped using the static command to the ISP-assigned address
(209.165.200.5). When a web client on the inside interface attempts to access the web server with the
URL http://server.example.com, the host running the web client sends a DNS request to the DNS server
to resolve the IP address of the web server. The security appliance translates the non-routable source
address in the IP header and forwards the request to the ISP network on its outside interface. When the
DNS reply is returned, the security appliance applies address translation not only to the destination
address, but also to the embedded IP address of the web server, which is contained in the A-record in the
DNS reply. As a result, the web client on the inside network gets the correct address for connecting to
the web server on the inside network. For configuration instructions for scenarios similar to this one, see
the
Cisco Security Appliance Command Line Configuration Guide
25-14
Verifies the integrity of the domain-name referred to by the pointer if compression pointers are
encountered in the DNS message.
Checks to see if a compression pointer loop exists.
25-15.
Translating a public address (the routable or "mapped" address) in a DNS reply to a private address
(the "real" address) when the DNS client is on a private interface.
Translating a private address to a public address when the DNS client is on the public interface.
25-1, the DNS server resides on the external (ISP) network The real address of the server
"Configuring DNS Rewrite with Two NAT Zones" section on page
Chapter 25 Configuring Application Layer Protocol Inspection
"Configuring DNS Rewrite" section
25-16.
OL-10088-01