Presents …

CISCO ASA - DNS DOCTORING

DNS Doctoring

When the traffic comes from one source into ASA, makes a U-turn and goes back the same way it
came then it is referred to as U-turn traffic.

Visualize this and we see something that looks like a hairpin so this kind of traffic pattern is also
called Hairpinning.

The Cisco ASA firewall doesn’t like traffic that enters and exits the same interface and drops it.

We can allow the traffic entering and exiting same interface using command:

#same-security-traffic permit intra-interface

Now there is one scenario like we have a remote site that does not have an internal domain
name server to provide Domain Name System (DNS) resolution. So we are using an external DNS
server provided by an Internet Service Provider. The corporate Web site is statically translated via
NAT from a private IP address to a publicly reachable IP address on a Cisco ASA firewall.

And our requirement is like internal users need to access the corporate Web site, which is
located on an internal server.

But situation is like the internal users are not able to reach their corporate site and the packets
are dropped by the ASA.

The reason of the issue lies in how the ASA handles DNS resolution.

1) When the internal user attempts to access the corporate Web site, a DNS query is made for the IP
address of the corporate site. This request packet travels through the Cisco ASA, which then
rewrites the source address of the packet to its own IP address and forwards the request to the
external ISP DNS server.

2) The DNS server responds to the ASA query with the public IP address for the corporate Web site.
The ASA receives the response, then rewrites the destination address with the user's system IP,
and forwards the packet to the user system.

3) The user's system then attempts to open a HTTP session with the corporate Web site.

4) Since the IP address of the site has resolved to the public IP, the user's request packet travels
from the inside interface of the ASA, where the ASA builds a connection outbound, to the outside
interface. The packet is then dropped by the ASA as it does not allow the packet to return to the
inside interface.

This interface transversal is known as hair-pinning. By default, the ASA does not permit hair-
pinning.
One way to resolve this problem, involves the use of DNS Doctoring.

We can implement DNS Doctoring by changing one option of the static NAT translation
statement, we can tell the ASA to resolve the internal DNS lookup query to the internal WWW
server IP address instead of the public IP address.

The original ASA static NAT translation statement was:

static (inside,outside) 172.16.20.200 10.10.10.10 netmask 255.255.255.255

The revised static NAT translation statement with the DNS doctoring option enabled:

static (inside,outside) 172.16.20.200 10.10.10.10 netmask 255.255.255.255 dns

 After implementing the DNS doctoring the revised DNS process would be as below:

1) A DNS query is made for the IP address of the corporate Web site. This request packet travels
through the Cisco ASA, which then rewrites the source address of the packet to its own IP
address and forwards the request to the external ISP DNS server.

2) The DNS server responds to the ASA query with the public IP address for the corporate Web site.
The ASA receives the response, and then rewrites both the destination address with the user's
system IP, and the DNS query result to the internal WWW server IP address, before forwarding
the packet to the user system.

Note:

To work with DNS Doctoring, DNS inspection should be enabled.

 [email protected]

https://www.facebook.com/groups/inspectingfirewalls