DNS Rewrite

DNS Rewrite performs two functions: 

  • Translating a public address (the routable or “mapped” address) in a DNS reply to a private address (the “real” address) when the DNS client is on a private interface.

  • Translating a private address to a public address when the DNS client is on the public interface.


Without DNS Rewrite:

1. The client sends a DNS query. Source address: 192.168.100.2; destination: the public DNS server 209.165.200.10; payload: DNS request www.example.com = ?

2. When the packet reaches the firewall, NAT or PAT translates the source IP address. The source IP is now the public address 209.165.200.5, the destination is still the public DNS server 209.165.200.10, and the payload is the DNS request www.example.com = ?

3. The DNS server answers the A-record query. Returned packet: source IP is the public DNS server 209.165.200.10, destination is the public address 209.165.200.5, payload: DNS response www.example.com = 209.165.200.5

4. When the reply reaches the firewall, it is translated according to the PAT translation slot: source IP is the public DNS server 209.165.200.10, destination is the private address 192.168.100.1, payload: DNS response www.example.com = 209.165.200.5

All of this is normal and causes no problem; the problem appears next:

5. Having received the address in the DNS response, the client now sends a TCP SYN to the web server.

At this point the source address is 192.168.100.2 and the destination is the web server 209.165.200.5. When the packet reaches the ASA it is dropped, because the ASA knows that this server sits on the inside interface while you are trying to reach it through the outside.

With DNS Rewrite, note how step 4 changes:

4. When the reply reaches the firewall, it is translated according to the PAT translation slot: source IP is the public DNS server 209.165.200.10, destination is the private address 192.168.100.1, payload: DNS response www.example.com = 192.168.100.1

Likewise, the same situation applies when your web server is in the DMZ.

DNS rewrite also works if the client making the DNS request is on a DMZ network and the DNS server is on an inside interface.

The fix is to add the dns keyword to the existing static (inside,outside) 209.165.200.5 192.168.1.1 rule.

With that, DNS Rewrite inspects the payload of DNS response packets and rewrites the A record in your DNS reply.

How the DNS application inspection engine works:

The ASA receives the DNS reply and submits it to the DNS application inspection engine.

4. The DNS application inspection engine does the following:

a. Searches for any NAT rule to undo the translation of the embedded A-record address.

b. Uses the static rule to rewrite the A-record as follows, because the dns option is included:
[outside]:209.165.200.5 --> [inside]:192.168.100.1

Note: If the dns option were not included with the nat command, DNS Rewrite would not be performed and other processing for the packet continues.

c. Searches for any NAT to translate the web server address, [inside]:192.168.100.1, when communicating with the inside web client. No NAT rule is applicable, so application inspection completes. If a NAT rule (nat or static) were applicable, the dns option must also be specified. If the dns option were not specified, the A-record rewrite in step b would be reverted and other processing for the packet continues.
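To make steps a to c concrete, here is an added Python model of the inspection decision (not code from the page, from Cisco, or from the ASA): it builds a constructed DNS reply for www.example.com, locates the A record in the wire format, and rewrites it only when the matching static rule carries the dns keyword, reverting when a second rule toward the client's interface lacks it. The StaticNat tuple and the dmz-side address used in the usage below are assumptions for illustration.

```python
import struct
import ipaddress
from collections import namedtuple

StaticNat = namedtuple("StaticNat", "real_if mapped_if mapped real dns")  # assumed model of "static (real_if,mapped_if) mapped real [dns]"

def build_a_reply(name, addr, txid=0x1234):
    # Constructed sample reply: header, one question, one A record whose name is a pointer to offset 12
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer

def _skip_name(buf, pos):
    # Advance past a DNS name: labels ended by 0x00, or a 2-byte compression pointer
    while buf[pos] and buf[pos] & 0xC0 != 0xC0:
        pos += buf[pos] + 1
    return pos + (2 if buf[pos] & 0xC0 == 0xC0 else 1)

def a_records(reply):
    # Return (rdata_offset, dotted_ip) for each A record in the answer section
    qdcount, ancount = struct.unpack("!HH", reply[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(reply, pos) + 4  # skip QNAME, QTYPE, QCLASS
    found = []
    for _ in range(ancount):
        pos = _skip_name(reply, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", reply[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            found.append((pos, str(ipaddress.IPv4Address(reply[pos:pos + 4]))))
        pos += rdlen
    return found

def dns_rewrite(reply, server_if, client_if, rules):
    # Steps a-c: undo mapped->real for the embedded A record (needs dns), then apply any rule toward client_if (also needs dns)
    out = bytearray(reply)
    for off, ip in a_records(reply):
        rule = next((r for r in rules if r.mapped_if == server_if and r.mapped == ip), None)
        if rule is None or not rule.dns:
            continue  # no static rule, or rule lacks the dns keyword: payload left as-is
        nxt = next((r for r in rules if r.real_if == rule.real_if and r.mapped_if == client_if and r.real == rule.real), None)
        if nxt is not None and not nxt.dns:
            continue  # second rule lacks dns: the step-b rewrite is reverted
        new_ip = nxt.mapped if nxt is not None else rule.real
        out[off:off + 4] = ipaddress.IPv4Address(new_ip).packed
    return bytes(out)
```

Calling dns_rewrite(build_a_reply("www.example.com", "209.165.200.5"), "outside", "inside", [StaticNat("inside", "outside", "209.165.200.5", "192.168.100.1", True)]) yields a reply whose A record reads 192.168.100.1, matching the changed step 4 above.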
