DNS Reply Modification (doctoring) intermittently failing

Discussion in 'Cisco' started by Dav0, Jan 27, 2005.

  1. Dav0

    Dav0 Guest

    We have the following configuration that requires DNS reply
    modification:
    1) Cisco FWSM at version 2.3.1.3
    2) Firewall directly connected to our ISP.
    3) A DMZ (webDMZ) containing the web servers to be doctored
    4) Hosts and internal DNS server on the Inside
    5) ISP dns server

    The internal clients (4) resolve the web server addresses (3) through
    the internal DNS server (4) which pulls the DNS data from the external
    DNS server (5).

    The FWSM (1) is configured to do the DNS reply modification to provide
    the internal clients (4) with the private webDMZ address.

    Outside clients obtain the public NATd addresses of the webDMZ through
    the ISP dns server (5).

    Here's what we're experiencing:

    The internal DNS servers (4) correctly resolve the public web server
    addresses (3) through the external DNS server (5).

    The FWSM (1) intermittently fails to do the DNS reply modification (DNS
    doctoring) and provides the public addresses for the webDMZ servers, as
    opposed to correctly providing the doctored/modified private address.

    During a DNS reply modification failure, a dns debug trace on the FWSM
    shows the following:

    NAT:: skipping DNS rewrite


    Now the good stuff:

    The failure is intermittent and will flip flop from correct to
    incorrect and may go back to correct or may stay incorrect. Sometimes
    the failure stays for a matter of only a few seconds, and sometimes the
    failure lasts for hours.

    Clearing the local xlate for the private webdmz addresses seems to
    resolve the problem for an unspecified period of time.

    At this point, we do not know what causes the failure.

    Lastly, the problem does not affect all servers in the webDMZ. DNS
    doctoring/reply modification did not fail on the unaffected servers
    even when placed under load tests.

    We have been seeing the failures by running nslookups of one of the web
    servers (on the webDMZ) from the inside clients (4) and specifying the
    ISP dns server (5). A failure is apparent when the public address is
    returned instead of the private address.

    Anyone experience anything similar, have any recommendations or
    suggestions?

    Thanks for your help.
     
    Dav0, Jan 27, 2005
    #1
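As an added illustration (not Cisco's implementation and not code from this thread), a simplified model of what the DNS reply modification does: walk the answer section of a DNS reply and swap each A record's public address for the private one from a static NAT table, leaving records with no mapping untouched so the public address comes back unchanged, which is the symptom described above. The hostname, addresses and NAT table are constructed sample values; `doctoring_ok` is the same check the poster performs by hand with nslookup.

```python
import struct
import ipaddress

# Constructed static NAT table, public -> private (hypothetical addresses).
STATIC_NAT = {"203.0.113.10": "10.10.1.10"}

def build_reply(name, addr, txid=0x1234):
    """Construct a minimal one-answer DNS A reply (sample input, not a capture)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # 1 question, 1 answer
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed  # ptr, A, IN, TTL, RDLEN, RDATA
    return header + question + answer

def skip_name(pkt, off):  # return the offset just past a (possibly compressed) name
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer is 2 bytes and ends the name
            return off + 2
        off += length + 1

def a_records(pkt):
    """Yield (rdata_offset, address) for each A record in the answer section."""
    qdcount, ancount = struct.unpack(">HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, str(ipaddress.IPv4Address(pkt[off:off + 4]))
        off += rdlen

def doctor_reply(pkt, nat):
    """Rewrite A-record RDATA that has a static mapping; unmapped records stay as-is."""
    out = bytearray(pkt)
    rewritten = 0
    for off, public in a_records(pkt):
        if public in nat:
            out[off:off + 4] = ipaddress.IPv4Address(nat[public]).packed
            rewritten += 1
    return bytes(out), rewritten

def doctoring_ok(pkt, nat):  # the check the poster does by hand with nslookup
    return not any(addr in nat for _, addr in a_records(pkt))
```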

  2. Rod Dorman

    Rod Dorman Guest

    My recommendation is to disable the DNS 'fixup' kludge and go with
    split DNS either with separate inside/outside servers or with BIND
    views.
     
    Rod Dorman, Jan 28, 2005
    #2