DNS Reply Modification (doctoring) intermittently failing

Discussion in 'Cisco' started by Dav0, Jan 27, 2005.

  1. Dav0

    Dav0 Guest

    We have the following configuration that requires DNS reply
    modification:
    1) Cisco FWSM at version 2.3.1.3
    2) Firewall directly connected to our ISP.
    3) A DMZ (webDMZ) containing the web servers to be doctored
    4) Hosts and internal DNS server on the Inside
    5) ISP dns server

    The internal clients (4) resolve the web server addresses (3) through
    the internal DNS server (4) which pulls the DNS data from the external
    DNS server (5).

    The FWSM (1) is configured to do the DNS reply modification to provide
    the internal clients (4) with the private webDMZ address.

    Outside clients obtain the public NATd addresses of the webDMZ through
    the ISP dns server (5).

    Here's what we're experiencing:

    The internal DNS servers (4) correctly resolve the public web server
    addresses (3) through the external DNS server (5).

    The FWSM (1) intermittently fails to do the DNS reply modification (DNS
    doctoring) and provides the public addresses for the webDMZ servers, as
    opposed to correctly providing the doctored/modified private address.

    During a DNS reply modification failure, a dns debug trace on the FWSM
    shows the following:

    NAT:: skipping DNS rewrite


    Now the good stuff:

    The failure is intermittent and will flip flop from correct to
    incorrect and may go back to correct or may stay incorrect. Sometimes
    the failure stays for a matter of only a few seconds, and sometimes the
    failure lasts for hours.

    Clearing the local xlate for the private webdmz addresses seems to
    resolve the problem for an unspecified period of time.

    At this point, we do not know what causes the failure.

    Lastly, the problem does not affect all servers in the webDMZ. DNS
    doctoring/reply modification did not fail on the unaffected servers
    even when placed under load tests.

    We have been seeing the failures by running nslookups of one of the web
    servers (on the webDMZ) from the inside clients (4) and specifying the
    ISP dns server (5). A failure is apparent when the public address is
    returned instead of the private address.

    Anyone experience anything similar, have any recommendations or
    suggestions?

    Thanks for your help.
    Dav0, Jan 27, 2005
    #1

  2. Rod Dorman

    Rod Dorman Guest

    In article <>,
    Dav0 <> wrote:
    >We have the following configuration that requires DNS reply
    >modification:
    >1) Cisco FWSM at version 2.3.1.3
    >2) Firewall directly connected to our ISP.
    >3) A DMZ (webDMZ) containing the web servers to be doctored
    >4) Hosts and internal DNS server on the Inside
    >5) ISP dns server
    >
    > ... tale of woe snipped ...
    >
    >Anyone experience anything similar, have any recommendations or
    >suggestions?


    My recommendation is to disable the DNS 'fixup' kludge and go with
    split DNS either with separate inside/outside servers or with BIND
    views.

    --
    -- Rod --
    rodd(at)polylogics(dot)com
    Rod Dorman, Jan 28, 2005
    #2
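    The split-DNS layout Rod recommends, as an added example of BIND
    views that is not part of the thread. It assumes a single BIND server
    reachable from both sides, an Inside range of 10.0.0.0/8, the zone
    example.com, and constructed addresses (10.1.1.10 private, 203.0.113.10
    public); the zone file names are assumptions too.

```conf
// Constructed example: one BIND server, two views, one zone name.
// Clients on the Inside get the private webDMZ addresses; everyone
// else gets the public NAT addresses. The answer is chosen by the
// source address of the query, so the firewall never rewrites replies
// and there is no xlate state to go stale.

acl "inside" { 10.0.0.0/8; 127.0.0.1; };   // assumed Inside address range

view "internal" {
    match-clients { inside; };
    recursion yes;                          // Inside hosts use this as their resolver
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };                 // everything not matched above
    recursion no;                           // authoritative only toward the outside
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.external";
    };
};

// The two zone files differ only in the addresses they hand out:
//   db.example.com.internal:  www  IN  A  10.1.1.10      (private webDMZ address)
//   db.example.com.external:  www  IN  A  203.0.113.10   (public NAT address)
```

    To verify, run the same nslookup for www.example.com from an Inside
    host and from an outside host; the first must return the private
    address and the second the public one, with no FWSM fixup involved.
    Note that this only works if the internal server is authoritative for
    its own copy of the zone rather than pulling the records from the ISP
    server, as in the original setup.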
