DNS Rewrite performs two functions:

  • Translating a public address (the routable or “mapped” address) in a DNS reply to a private address (the “real” address) when the DNS client is on a private interface.

  • Translating a private address to a public address when the DNS client is on the public interface.

[Figure 1: DNS Rewrite]

Without DNS Rewrite:

1: The client sends a DNS query. Source address: , destination address: the public DNS server 209.165.200.10; payload: DNS request www.example.com=?


3: The DNS server answers the A-record query. The returned packet has source IP address the public DNS server 209.165.200.10 and destination address the public address 209.165.200.5; payload: DNS response www.example.com=



5: Once the client has received the address in the DNS response, it sends a TCP SYN to the web server.


With DNS Rewrite in place, note how step 4 changes.


Likewise, a web server in the DMZ is in exactly the same situation.

DNS rewrite also works if the client making the DNS request is on a DMZ network and the DNS server is on an inside interface.

The fix is to add the dns keyword to the existing static (inside,outside) command.

DNS Rewrite then inspects the payload of the DNS reply packet and rewrites the A record in your DNS response accordingly.

How the DNS application inspection engine works:

The ASA receives the DNS reply and submits it to the DNS application inspection engine.
4. The DNS application inspection engine does the following:
a. Searches for any NAT rule to undo the translation of the embedded A-record address
b. Uses the static rule to rewrite the A-record as follows because the dns option is included:
[outside]: --> [inside]:

Note: If the dns option were not included with the nat command, DNS Rewrite would not be
performed and other processing for the packet continues.

c. Searches for any NAT to translate the web server address, [inside]:, when
communicating with the inside web client.
No NAT rule is applicable, so application inspection completes.
If a NAT rule (nat or static) were applicable, the dns option must also be specified. If the dns
option were not specified, the A-record rewrite in step b would be reverted and other processing
for the packet continues.
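The rewrite described above (the A record in the reply is swapped between the mapped and real address, and only when the static rule carries the dns keyword) as an added simulation; this is example code written for this page, not ASA code. The inside address 10.1.3.14, the rule dictionary keys and the sample reply are assumptions, since the page elides the real address.

```python
import struct
import ipaddress
# Constructed static (inside,outside) rule with the dns keyword. The real (inside)
# address 10.1.3.14 is assumed; 209.165.200.5 is the mapped address from the page.
NAT_RULES = [{"real_if": "inside", "mapped_if": "outside",
              "real": "10.1.3.14", "mapped": "209.165.200.5", "dns": True}]

def skip_name(msg, off):
    """Return the offset just past a DNS name (a 2-byte compression pointer ends it)."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def a_record_offsets(msg):
    """Yield the rdata offset of each 4-byte A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                                    # fixed 12-byte DNS header
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4           # QNAME, then QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen

def a_records(msg):
    return [str(ipaddress.IPv4Address(msg[o:o + 4])) for o in a_record_offsets(msg)]
def dns_rewrite(reply, rules, client_iface):
    """Mimic the inspection engine: client on the real interface -> mapped becomes
    real; client on the mapped interface -> real becomes mapped; no dns keyword -> no rewrite."""
    out = bytearray(reply)
    for off in a_record_offsets(reply):
        addr = str(ipaddress.IPv4Address(reply[off:off + 4]))
        for r in rules:
            if r["dns"] and client_iface == r["real_if"] and addr == r["mapped"]:
                out[off:off + 4] = ipaddress.IPv4Address(r["real"]).packed
            elif r["dns"] and client_iface == r["mapped_if"] and addr == r["real"]:
                out[off:off + 4] = ipaddress.IPv4Address(r["mapped"]).packed
    return bytes(out)

def build_reply(name, addr):
    """Constructed DNS reply: one question plus one A record (name via pointer)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    return header + qname + struct.pack("!HH", 1, 1) + answer + ipaddress.IPv4Address(addr).packed
```

Running `dns_rewrite(build_reply("www.example.com", "209.165.200.5"), NAT_RULES, "inside")` yields a reply whose A record is 10.1.3.14, while a client on the DMZ or a rule without the dns keyword gets the reply unchanged.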