OK, so DNS Doctoring (aka DNS rewrite) on the PIXes and ASAs has stumped me for some time now. I've implemented this a number of times, and sometimes it works flawlessly, other times not at all. Today it all became clear.
First off, what is DNS rewrite? When an internal host queries an external DNS server about an internal resource, the IP address returned will be the external (public) one (see image). In other words, the host making the query is on the same network as the web server, which in this example is Cisco.com. When the user queries a DNS server, for instance Verizon's DNS at 4.2.2.1, the answer returned will be a public IP. If you look at the static NAT mapping within the ASA's configuration, you will see that the public IP is mapped to an internal IP. DNS rewrite monitors DNS traffic, and if a DNS reply contains an IP address that is used in a static statement, it alters the DNS reply to point to the internal IP (again, see image). The client therefore connects to the internal resource by its actual IP address rather than the static NAT address. Where is the mystery, then? I have configured this many times, and it's straightforward, but it doesn't always work.
It turns out that if you are using static PAT, that is, a single IP address on the outside with ports forwarded to different servers on the inside, DNS rewrite simply does not work. It is documented here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#req
If you have an individual IP for each server, it works fine.
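To make the behaviour concrete, here is a small Python simulation of what the firewall does to a DNS reply. It is an added example, not Cisco code and not part of the original post: it builds a constructed DNS response, walks the answer section, and rewrites the A records whose address matches a one-to-one static mapping, while leaving alone any address that is only fronted by static PAT entries (one outside IP shared by several inside servers), which is the limitation described above. The hostnames, addresses and the `StaticNat`/`StaticPat` mapping names are all made up for the demonstration.

```python
"""Simulation of ASA/PIX DNS rewrite ("DNS doctoring") over a raw DNS reply.

Added example, not Cisco code. It models the behaviour described in the
post with a constructed DNS response and a constructed static NAT table.
Hostnames, addresses and mapping names are made up for the demonstration.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class StaticNat:
    """One-to-one static NAT: one outside IP fronts exactly one inside host."""
    outside: str
    inside: str


@dataclass(frozen=True)
class StaticPat:
    """Static PAT: one outside IP:port forwards to one inside IP:port."""
    outside: str
    outside_port: int
    inside: str
    inside_port: int


def _read_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appears in the packet)."""
    labels = []
    end = None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def doctor_dns_reply(packet: bytes, statics: list) -> tuple[bytes, list]:
    """Rewrite A-record answers whose address matches a one-to-one static.

    Addresses that appear only in static PAT entries are left untouched: the
    reply carries no port, so one shared outside IP cannot be mapped back to a
    single inside host. That is the documented limitation of DNS rewrite.
    Returns (rewritten packet, [(name, public_ip, inside_ip_or_None), ...]).
    """
    out = bytearray(packet)
    changes = []
    qdcount, ancount = struct.unpack("!HH", packet[4:8])
    offset = 12  # fixed 12-byte DNS header
    for _ in range(qdcount):  # skip the question section
        _, offset = _read_name(packet, offset)
        offset += 4  # QTYPE + QCLASS
    one_to_one = {m.outside: m.inside for m in statics if isinstance(m, StaticNat)}
    pat_only = {m.outside for m in statics if isinstance(m, StaticPat)} - set(one_to_one)
    for _ in range(ancount):
        name, offset = _read_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:  # A record
            public_ip = str(IPv4Address(rdata))
            if public_ip in one_to_one:
                out[offset:offset + 4] = IPv4Address(one_to_one[public_ip]).packed
                changes.append((name, public_ip, one_to_one[public_ip]))
            elif public_ip in pat_only:
                changes.append((name, public_ip, None))  # seen, but not rewritable
        offset += rdlen
    return bytes(out), changes


def build_reply(qname: str, answers: list) -> bytes:
    """Build a minimal DNS response: one question and N A records whose owner
    name is a compression pointer back to the question. Constructed test input."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question = qname_wire + struct.pack("!HH", 1, 1)
    body = b""
    for ip in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(ip).packed
    return header + question + body


# Constructed static table: one server with its own outside IP (rewritable),
# two servers sharing a single outside IP through static PAT (not rewritable).
STATICS = [
    StaticNat("203.0.113.10", "10.0.0.10"),
    StaticPat("203.0.113.20", 80, "10.0.0.21", 80),
    StaticPat("203.0.113.20", 25, "10.0.0.22", 25),
]


def demo() -> list:
    """Run a constructed two-answer reply through the rewrite and report."""
    reply = build_reply("www.example.com", ["203.0.113.10", "203.0.113.20"])
    _doctored, changes = doctor_dns_reply(reply, STATICS)
    return changes


if __name__ == "__main__":
    for name, before, after in demo():
        print(f"{name}: {before} -> {after or 'left unchanged (static PAT)'}")
```

Running it shows the one-to-one address being rewritten to 10.0.0.10 while the PAT-shared address is reported but left as the public IP, which is exactly the symptom of "works on some boxes, not on others". On the real firewall the rewrite only happens when the static carries the `dns` keyword (pre-8.3 `static (inside,outside) ... dns` syntax) and DNS inspection is enabled in the policy map, so those two are the first things to check before concluding it is the PAT limitation.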
This has eluded me for years but became clear today :)
Tuesday, February 3, 2009