DNS Rewrite

DNS Rewrite performs two functions: 

  • Translating a public address (the routable or “mapped” address) in a DNS reply to a private address

(the “real” address) when the DNS client is on a private interface.

  • Translating a private address to a public address when the DNS client is on the public interface

image

没有DNS Rewrite的情况:

1:client 发起DNS查询源地址:192.168.100.2,目的地址为公网的DNS服务器209.165.200.10,负载部分:DNS请求www.example.com=?

2:到防火墙后有NAT或PAT转换,源IP地址发生转换,此时源ip地址为公网地址209.165.200.5,目的地址为公网的DNS服务器209.165.200.10,负载部分:DNS请求www.example.com=?

3:DNSserver 提供A记录查询,返回的包:源ip地址为公网的DNS服务器209.165.200.10,目的地址为公网地址209.165.200.5,负载部分:DNS响应www.example.com=209.165.200.5

4:到达防火墙后,根据PAT的转换槽位,发生转换源ip地址为公网的DNS服务器209.165.200.10,目的地址为私网地址192.168.100.1,负载部分:DNS响应www.example.com=209.165.200.5

这些都是正常的、没有问题的,问题出在下面:

5:当client收到DNS的响应地址,此时发起向web server的TCP SYN

此时的源地址是192.168.100.2,目的地址为web服务器209.165.200.5,到ASA会被拒绝:因为ASA认为这台服务器在内部接口,而你确要去外网。

如果有了DNS Rewrite的情况,注意第四步的变化

4:到达防火墙后,根据PAT的转换槽位,发生转换源ip地址为公网的DNS服务器209.165.200.10,目的地址为私网地址192.168.100.1,负载部分:DNS响应www.example.com=192.168.100.1

同理:你的web server在DMZ也是同样的情况

DNS rewrite also works if the client making the DNS request is on a DMZ network and the DNS server
is on an inside interface

解决方法就是在现有的static (inside,outside)209.165.200.5 192.168.1.1 加一个DNS

这样,DNS Rewrite 监控DNS相应数据包中的数据负载部分,从而改写你的DNS响应A记录.

关于DNS application inspection engine 的工作原理:

The ASA receives the DNS reply and submits it to the DNS application inspection engine.
4. The DNS application inspection engine does the following:
a. Searches for any NAT rule to undo the translation of the embedded A-record address
b. Uses the static rule to rewrite the A-record as follows because the dns option is included:
[outside]:209.165.200.5 --> [inside]:192.168.100.1

Note:If the dns option were not included with the nat command, DNS Rewrite would not be
performed and other processing for the packet continues.

c.Searches for any NAT to translate the web server address, [inside]:192.168.100.1, when
communicating with the inside web client.
No NAT rule is applicable, so application inspection completes.
If a NAT rule (nat or static) were applicable, the dns option must also be specified. If the dns
option were not specified, the A-record rewrite in step b would be reverted and other processing
for the packet continues

你可能感兴趣的:(职场,rewrite,dns,休闲,asa)