Domain Name Service

The main purpose of application inspection for DNS (known as DNS Guard) is to impose specific restrictions on DNS requests over UDP that pass through the firewall (compared with the generic processing of all UDP communications). Roughly speaking, the data portion of each DNS request contains a sequence number (the transaction ID) and the body of the request. For example, requests for "A records" (address records) contain the DNS name for which an IP address is sought. The reply to this request should contain the same ID and an IP address.

DNS Guard ensures the following:

■ Only replies with the correct ID are accepted.

■ Only one reply is accepted. In the case of multiple replies, all but the first one are ignored, so a forged reply that arrives after the legitimate one is dropped rather than forwarded to the client.

■ The UDP connection associated with the DNS request is torn down as soon as a DNS reply is received, not after the UDP timeout has expired. This closes the window during which a spoofed reply could still be delivered through the firewall.

■ IP addresses in A-record replies are translated if necessary. This process is controlled by the alias command. DNS Guard also translates addresses to be consistent with NAT statements, including outside NAT, which was introduced in version 6.2. Generally, the alias command is no longer needed because of this outside NAT feature.

As an example of the last case, consider the configuration in which a client (192.168.0.1) and a Web server (web.company.com, IP address 192.168.0.5) are located on the inside interface of the PIX and have nonroutable addresses. A DNS server is on the outside. The PIX is configured to translate both the client and the server addresses via PAT to a single IP of 1.2.3.4. This address is recorded on the DNS server as the address for web.company.com. When the client requests an IP address (an A record) for the server, the PIX forwards the request to the DNS server, translating the source IP. When it receives the DNS server's reply, it not only translates the packet's destination IP address (changing 1.2.3.4 to 192.168.0.1), but it also changes the address of the Web server contained in the reply's data field (that is, the 1.2.3.4 contained in the reply is changed to 192.168.0.5). As a result, the internal client uses the internal address 192.168.0.5 of the Web server to connect to it directly, instead of trying to reach its own PAT address. Figure 4.5 illustrates how the DNS request and reply pass through the PIX.

www.syngress.com

Advanced PIX Configurations • Chapter 4 147
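The DNS Guard checks listed above and the A-record rewrite walked through in this example, modelled in Python as an added example. This is not PIX code and not code from the book: the minimal DNS wire-format parser, the DOCTOR_MAP dictionary standing in for the PIX translation table, the DnsGuard class and the constructed query and reply packets are all assumptions made here for illustration. The model works on the DNS payload only; the real PIX also rewrites the IP header and recomputes the UDP checksum.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed translation table for the scenario in the text: the inside hosts
# are PAT'd to 1.2.3.4, and the A record for web.company.com on the outside DNS
# server holds that address. The guard rewrites it to the server's inside
# address so the client connects directly. (Assumed data structure, not PIX syntax.)
DOCTOR_MAP: Dict[str, str] = {"1.2.3.4": "192.168.0.5"}


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS label sequence, terminated by a zero-length label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past the name at off; handles RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # a 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def build_query(txid: int, name: str) -> bytes:
    """Standard query (RD set) with one A/IN question. Constructed test input."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_reply(txid: int, name: str, ip: str) -> bytes:
    """Standard response with one A record whose owner is a pointer to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


def a_record_offsets(msg: bytes) -> List[int]:
    """Offsets of the 4-byte RDATA of every A/IN record in the answer, authority and additional sections."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, found = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            found.append(off)
        off += rdlen
    return found


def a_record_ips(msg: bytes) -> List[str]:
    """Dotted-quad addresses carried in the message's A records."""
    return [".".join(str(b) for b in msg[o:o + 4]) for o in a_record_offsets(msg)]


def rewrite_a_records(msg: bytes, mapping: Dict[str, str]) -> bytes:
    """The alias / outside-NAT rewrite: translate A-record addresses in place.
    IPv4 RDATA is fixed at 4 bytes, so the message length does not change."""
    buf = bytearray(msg)
    for o in a_record_offsets(buf):
        ip = ".".join(str(b) for b in buf[o:o + 4])
        if ip in mapping:
            buf[o:o + 4] = bytes(int(x) for x in mapping[ip].split("."))
    return bytes(buf)


@dataclass
class DnsGuard:
    """Models the per-query state the PIX keeps for a DNS-over-UDP connection."""
    mapping: Dict[str, str]
    pending: Dict[Tuple[str, str, int], bool] = field(default_factory=dict)

    def outbound_query(self, client: str, server: str, query: bytes) -> None:
        txid = struct.unpack("!H", query[:2])[0]
        self.pending[(client, server, txid)] = True      # open the UDP "connection"

    def inbound_reply(self, client: str, server: str, reply: bytes) -> Optional[bytes]:
        """Return the (doctored) reply to forward, or None if it must be dropped."""
        txid = struct.unpack("!H", reply[:2])[0]
        key = (client, server, txid)
        if key not in self.pending:
            return None                 # wrong ID, or connection already closed: drop
        del self.pending[key]           # tear down now, not at UDP timeout; later replies are dropped
        return rewrite_a_records(reply, self.mapping)


def demo() -> Dict[str, Optional[bytes]]:
    """Run the Figure 4.5 exchange plus a forged reply and a duplicate. Constructed input."""
    guard = DnsGuard(DOCTOR_MAP)
    client, dns = "192.168.0.1", "10.3.4.5"
    guard.outbound_query(client, dns, build_query(0x1234, "web.company.com"))
    return {
        "forged": guard.inbound_reply(client, dns, build_reply(0x9999, "web.company.com", "6.6.6.6")),
        "good": guard.inbound_reply(client, dns, build_reply(0x1234, "web.company.com", "1.2.3.4")),
        "duplicate": guard.inbound_reply(client, dns, build_reply(0x1234, "web.company.com", "1.2.3.4")),
    }


if __name__ == "__main__":
    r = demo()
    print("forged:", r["forged"], "good:", a_record_ips(r["good"]), "duplicate:", r["duplicate"])
```

Running the script shows the forged reply (wrong ID) and the duplicate (connection already torn down) both dropped, while the legitimate reply is forwarded with 1.2.3.4 replaced by 192.168.0.5. Note that the first-reply-wins rule only helps if the guessed ID is wrong or the forgery arrives second; a forged reply with the right ID that beats the real one is still accepted, which is why the narrow open-connection window matters.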

When the DNS server is on a more secure interface than the Web server and/or the client, either outside NAT (preferred in version 6.2) or alias commands are used. Outside NAT handles this very much like the previous situation. Before version 6.2, you needed to use the alias command, alias internal_server_address external_server_address, in order to process A-record replies correctly in this case.

NOTE

When using alias commands for DNS fixups, you need to turn off proxy ARP on the internal interface, using the sysopt noproxyarp inside_interface command (where inside_interface is the name of that interface). It is also possible to turn off processing of DNS replies for addresses described in the alias commands by using the sysopt nodnsalias command.

Figure 4.5 The DNS Guard Operation

Hosts: client 192.168.0.1 and web.company.com (192.168.0.5) on the inside; DNS server 10.3.4.5 on the outside.

1. The client does a lookup for web.company.com.
   src addr 192.168.0.1, dst addr 10.3.4.5, data "IP of web.company.com?"

2. The PIX performs NAT.
   src addr 1.2.3.4, dst addr 10.3.4.5, data "IP of web.company.com?"

3. The DNS server replies according to its A record 'web.company.com IN A 1.2.3.4'.
   src addr 10.3.4.5, dst addr 1.2.3.4, data "IP is 1.2.3.4"

4. The PIX performs NAT and modifies the contents of the reply.
   src addr 10.3.4.5, dst addr 192.168.0.1, data "IP is 192.168.0.5"

It is not possible to disable application inspection of DNS or to change the DNS port from the default of 53.