DNS Doctoring conversion?

Discussion in 'Cisco' started by Rik Bain, Nov 10, 2003.

  1. Rik Bain

    Rik Bain Guest


    remove the alias and add the dns keyword to your existing static.

    for example:

    static (inside,outside) 209.x.x.35 10.y.y.249 dns netmask 255.255.255.255

    will replace any A record responses from the outside that contain
    209.x.x.35 with 10.y.y.249 when the request is made from the inside.

    It is important to note that 6.3.1 would doctor the responses whether
    they cross the interfaces specified in the static, whereas 6.3.3 behaves
    as designed (only doctoring packets that cross the interfaces specified
    in the static).
     
    Rik Bain, Nov 10, 2003
    #1

  2. Dave Clark

    Dave Clark Guest

    Currently, we are using the ALIAS command for DNS doctoring to access
    private IP resources inside the network that are also accessed from
    outside the network:

    alias (inside) 10.y.y.249 209.x.x.35 255.255.255.255

    I know that Cisco has said that they are only maintaining this command
    for backward compatibility and recommend going to the STATIC entry.
    But, I am confused by this entry on how to properly implement. Any
    insight would help on the proper structure to continue being able to
    provide DNS doctoring access from the inside of the network.

    I am running a PIX 515 6.3(3)
     
    Dave Clark, Nov 10, 2003
    #2

  3. Walter Roberson

    :Currently, we are using the ALIAS command for DNS doctoring to access
    :private IP resources inside the network that are also accessed from
    :outside the network:

    :alias (inside) 10.y.y.249 209.x.x.35 255.255.255.255

    :I know that Cisco has said that they are only maintaining this command
    :for backward compatibility and recommend going to the STATIC entry.
    :But, I am confused by this entry on how to properly implement. Any
    :insight would help on the proper structure to continue being able to
    :provide DNS doctoring access from the inside of the network.

    :I am running a PIX 515 6.3(3)

    I am not overly familiar with the 'alias' command. I notice that
    you have it applied against the inside interface, so as well as any
    dns doctoring, it has the effect of rewriting some outgoing IPs.
    That being the case, it appears to me the closest equivalent is
    "outside NAT":

    static (outside, inside) 10.y.y.249 209.x.x.35 netmask 255.255.255.255 dns

    Note here that the usual interface order for 'static' is reversed.


    The 'dns' parameter is not well documented. The documentation for
    'alias' indicates that the DNS re-writing will be done (effect #3) when
    the DNS server is anywhere behind the lower-security interface. The
    documentation for the 'dns' parameter of 'static' implies that the
    DNS re-writing will only be done if the DNS server is -at- the IP address
    listed in the 'static' command. I'll see if I can get that clarified.
     
    Walter Roberson, Nov 10, 2003
    #3
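What the `dns` keyword on a `static` actually does to a passing reply, as an added Python example (not part of this thread and not Cisco's code): it parses a DNS response, walks every resource record (handling name compression pointers, which real resolvers use), and swaps the RDATA of any A record carrying the static's global address for the local address, the rewrite Rik describes in #1 for replies headed to inside hosts and that Walter's outside-NAT form in #3 applies in the other direction. The addresses 209.0.0.35 and 10.0.0.249 are assumed stand-ins for the thread's 209.x.x.35 / 10.y.y.249 placeholders, and the sample reply is constructed; the interface and xlate checks a PIX performs before doctoring are not modelled.

```python
"""Added example: simulate the A-record rewrite that 'static ... dns' performs
on a DNS reply crossing a PIX. Not Cisco code; the mapping and the sample
reply are constructed for the demo."""
import ipaddress
import struct

# Stand-in for the thread's: static (inside,outside) 209.x.x.35 10.y.y.249 dns
# Replies delivered to inside hosts get the global address swapped for the local one.
STATIC_DNS_MAP = {"209.0.0.35": "10.0.0.249"}   # assumed concrete octets


def _skip_name(msg, off):
    """Return the offset just past a domain name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def _walk_rrs(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every RR after the question section."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(msg):
    """List the A-record addresses in a DNS message, in wire order."""
    return [str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            for off, rtype, rclass, rdlen in _walk_rrs(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def doctor_response(msg, mapping=STATIC_DNS_MAP):
    """Rewrite A-record RDATA that matches the mapping; return (new_bytes, rewrites).
    Queries (QR bit clear) come back untouched: only replies are doctored."""
    flags = struct.unpack("!H", msg[2:4])[0]
    if not flags & 0x8000:
        return bytes(msg), []
    out = bytearray(msg)
    rewrites = []
    for off, rtype, rclass, rdlen in _walk_rrs(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            old = str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            new = mapping.get(old)
            if new is not None:
                # Same RDATA length, so no lengths or offsets elsewhere need re-framing.
                out[off:off + 4] = ipaddress.IPv4Address(new).packed
                rewrites.append((old, new))
    return bytes(out), rewrites


def _name(dotted):
    """Encode a dotted name as DNS labels (no compression)."""
    return b"".join(bytes([len(label)]) + label.encode() for label in dotted.split(".")) + b"\x00"


def build_sample_query():
    """Constructed query for www.example.com A (QR bit clear, RD set)."""
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + _name("www.example.com") + struct.pack("!HH", 1, 1)


def build_sample_response():
    """Constructed reply: www.example.com A 209.0.0.35 and A 203.0.113.7 (unmapped)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)   # QR=1, RD/RA set, 2 answers
    question = _name("www.example.com") + struct.pack("!HH", 1, 1)

    def rr(ip):
        owner = b"\xc0\x0c"                                     # pointer to the question name at offset 12
        return owner + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed

    return header + question + rr("209.0.0.35") + rr("203.0.113.7")


if __name__ == "__main__":
    reply = build_sample_response()
    doctored, changed = doctor_response(reply)
    print("before:", a_records(reply))
    print("after: ", a_records(doctored), "rewrites:", changed)
```

Two points worth checking against your own box: only A records of the exact global address are touched (the unmapped 203.0.113.7 answer passes through unchanged, as does the query itself), and because an IPv4 address is always 4 bytes the rewrite never changes the packet length, which is why the firewall can do this without re-framing the UDP datagram. Whether a given reply is doctored at all still depends on which interfaces it crosses, the behaviour Rik notes changed between 6.3.1 and 6.3.3.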
