Velocity Reviews - Computer Hardware Reviews

DNS Reply Modification (doctoring) intermittently failing

Dav0
      01-27-2005
We have the following configuration that requires DNS reply
modification:
1) Cisco FWSM at version 2.3.1.3
2) Firewall directly connected to our ISP.
3) A DMZ (webDMZ) containing the web servers to be doctored
4) Hosts and internal DNS server on the Inside
5) ISP DNS server

The internal clients (4) resolve the web server addresses (3) through
the internal DNS server (4), which pulls the DNS data from the external
DNS server (5).

The FWSM (1) is configured to do the DNS reply modification to provide
the internal clients (4) with the private webDMZ address.

Outside clients obtain the public NATd addresses of the webDMZ through
the ISP DNS server (5).

Here's what we're experiencing:

The internal DNS servers (4) correctly resolve the public web server
addresses (3) through the external DNS server (5).

The FWSM (1) intermittently fails to do the DNS reply modification (DNS
doctoring) and provides the public addresses for the webDMZ servers, as
opposed to correctly providing the doctored/modified private address.

During a DNS reply modification failure, a dns debug trace on the FWSM
shows the following:

NAT:: skipping DNS rewrite


Now the good stuff:

The failure is intermittent and will flip flop from correct to
incorrect and may go back to correct or may stay incorrect. Sometimes
the failure stays for a matter of only a few seconds, and sometimes the
failure lasts for hours.

Clearing the local xlate for the private webDMZ addresses seems to
resolve the problem for an unspecified period of time.

At this point, we do not know what causes the failure.

Lastly, the problem does not affect all servers in the webDMZ. DNS
doctoring/reply modification did not fail on the unaffected servers
even when placed under load tests.

We have been seeing the failures by running nslookups of one of the web
servers (on the webDMZ) from the inside clients (4) and specifying the
ISP DNS server (5). A failure is apparent when the public address is
returned instead of the private address.

Anyone experience anything similar, have any recommendations or
suggestions?

Thanks for your help.

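The probe Dav0 describes (nslookup of a webDMZ host from an inside client, asking the ISP DNS server directly, and watching whether the public or the private address comes back) can be automated so the flip-flops and their durations are recorded rather than observed by hand. The following is an added example, not code from the original post or from Cisco: it assumes `dig` is installed on the inside client, the host names and addresses are constructed sample data, and the resolver address in `__main__` is a placeholder for the ISP DNS server (item 5 in the post).

```python
"""Check whether FWSM DNS reply modification ("DNS doctoring") is in effect.

Added example, not code from the original thread. It automates the poster's
manual test (an nslookup of a webDMZ host from an inside client, asking the
ISP DNS server directly) and classifies each answer as "doctored" (private
webDMZ address returned), "skipped" (public NATd address returned, i.e. the
'NAT:: skipping DNS rewrite' case) or "unexpected", then summarises how long
each failure episode lasted. Host names and addresses below are constructed
sample data; the 'dig' invocation and the resolver address are assumptions.
"""
import subprocess
import time
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, List, Optional, Tuple

# Constructed sample mapping of name -> (public NATd address, private webDMZ
# address). In a real check these come from the FWSM 'static ... dns' entries.
EXPECTED = {
    "www.example.net": ("203.0.113.10", "10.1.2.10"),
    "app.example.net": ("203.0.113.11", "10.1.2.11"),
}

DOCTORED, SKIPPED, UNEXPECTED = "doctored", "skipped", "unexpected"


def classify(name: str, answers: List[str]) -> str:
    """Verdict for one query: did the reply carry only the private address?"""
    public, private = EXPECTED[name]
    addrs = {ip_address(a) for a in answers}
    if addrs == {ip_address(private)}:
        return DOCTORED
    if ip_address(public) in addrs:
        return SKIPPED      # public address leaked through: rewrite skipped
    return UNEXPECTED       # empty reply, timeout, or some other address


def query_a(name: str, resolver: str) -> List[str]:
    """A-record answers for 'name', asking 'resolver' directly (assumes dig)."""
    proc = subprocess.run(
        ["dig", "+short", "+time=2", "+tries=1", f"@{resolver}", name, "A"],
        capture_output=True, text=True, check=False)
    # '+short' prints one address per line; CNAME targets end with a dot.
    return [tok for tok in proc.stdout.split() if not tok.endswith(".")]


@dataclass
class Episode:
    name: str
    start: float
    end: Optional[float] = None   # None while the failure is still ongoing

    def duration(self, now: float) -> float:
        return (self.end if self.end is not None else now) - self.start


def failure_episodes(samples: Iterable[Tuple[float, str, str]]) -> List[Episode]:
    """Group consecutive non-doctored verdicts per name into episodes.

    samples: (timestamp, name, verdict) in time order. A DOCTORED verdict
    closes the open episode for that name; any other verdict opens one if
    none is open. This mirrors the flip-flop behaviour the poster describes.
    """
    open_eps = {}
    episodes: List[Episode] = []
    for ts, name, verdict in samples:
        if verdict == DOCTORED:
            ep = open_eps.pop(name, None)
            if ep is not None:
                ep.end = ts
        elif name not in open_eps:
            ep = Episode(name, ts)
            open_eps[name] = ep
            episodes.append(ep)
    return episodes


def watch(resolver: str, interval: float = 10.0, rounds: int = 6) -> List[Episode]:
    """Poll every name 'rounds' times and return the failure episodes (needs network)."""
    samples = []
    for _ in range(rounds):
        now = time.time()
        for name in EXPECTED:
            verdict = classify(name, query_a(name, resolver))
            print(f"{time.strftime('%H:%M:%S', time.localtime(now))} {name}: {verdict}")
            samples.append((now, name, verdict))
        time.sleep(interval)
    return failure_episodes(samples)


if __name__ == "__main__":
    # Placeholder for the ISP DNS server address (item 5 in the post).
    for ep in watch("198.51.100.53"):
        print(f"{ep.name}: rewrite skipped for {ep.duration(time.time()):.0f}s"
              f"{' (ongoing)' if ep.end is None else ''}")
```

The query deliberately goes to the ISP server rather than the internal DNS server: only then does the reply cross the FWSM on that very query, so the verdict reflects the rewrite state at that moment. Querying the internal server would return whatever it cached earlier, doctored or not, until the TTL expires, which hides the per-reply behaviour that needs to be correlated with the `NAT:: skipping DNS rewrite` debug output.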
Rod Dorman
      01-28-2005
In article <(E-Mail Removed) .com>,
Dav0 <(E-Mail Removed)> wrote:
>We have the following configuration that requires DNS reply
>modification:
>1) Cisco FWSM at version 2.3.1.3
>2) Firewall directly connected to our ISP.
>3) A DMZ (webDMZ) containing the web servers to be doctored
>4) Hosts and internal DNS server on the Inside
>5) ISP dns server
>
> ... tale of woe snipped ...
>
>Anyone experience anything similar, have any recommendations or
>suggestions?


My recommendation is to disable the DNS 'fixup' kludge and go with
split DNS either with separate inside/outside servers or with BIND
views.

--
-- Rod --
rodd(at)polylogics(dot)com
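The split-DNS layout Rod recommends, written out as an added example rather than anything from the thread: a BIND 9 `named.conf` fragment with two views, so that inside clients get the private webDMZ addresses from their own zone copy and the firewall no longer has to rewrite replies. The zone name, networks and file paths are assumptions.

```bind
// Added example of the split-DNS (BIND views) approach; not from the thread.
// Zone name, address ranges and file names are assumptions.
acl "inside" { 10.0.0.0/8; 127.0.0.1; };

view "inside" {
    // Views are matched in order: inside clients hit this one first.
    match-clients { "inside"; };
    recursion yes;                    // inside hosts may use this as a resolver
    zone "example.net" {
        type master;
        file "zones/inside/db.example.net";   // www A 10.1.2.10 (private)
    };
};

view "outside" {
    match-clients { any; };
    recursion no;                     // never an open resolver on the public view
    allow-query { any; };
    zone "example.net" {
        type master;
        file "zones/outside/db.example.net";  // www A 203.0.113.10 (public NATd)
    };
};
```

Two things to check when converting: once any `view` is defined, every zone (root hints and localhost zones included) has to live inside a view, and the view that recurses must carry them; and on the FWSM side the rewrite is what the `dns` keyword on the `static` entries turns on, so that keyword is what to remove for the webDMZ statics once the inside zone answers with the private addresses.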