DNS Rewrite is a feature of the ASA and PIX that enables the firewall to rewrite the A records in DNS replies when the destination server is located on the same network as the client or, for example, when the public IP address of that server is statically mapped to a DMZ address. I've implemented the following scenario using DNS Rewrite and a router running IOS as the DNS server.
To have the firewall use the DNS Rewrite feature, you need to enable DNS inspection and add the dns keyword to the static command:
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
!
service-policy global_policy global
!
static (inside,outside) 192.168.0.150 192.168.100.150 netmask 255.255.255.255 dns
DNS inspection is enabled by default:
asa(config)# sh run all policy-map type inspect dns
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
no message-length maximum server
no message-length maximum client
dns-guard
protocol-enforcement
nat-rewrite
no id-randomization
no id-mismatch
no tsig enforced
policy-map type inspect dns _default_dns_map
description Default DNS policy-map
parameters
no message-length maximum
no message-length maximum server
no message-length maximum client
dns-guard
protocol-enforcement
nat-rewrite
no id-randomization
no id-mismatch
no tsig enforced
The client connects to external destinations using a PAT overload:
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
nat (inside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
I configured the router as a DNS server using the following settings:
ip host mylab.net mx 10 mail.mylab.net
ip host mylab.net mx 20 mail2.mylab.net
ip host ns1.mylab.net 192.168.0.254
ip host ftp.mylab.net 192.168.0.150
!
interface Ethernet1/0
ip address 192.168.0.254 255.255.255.0
!
ip dns server
ip dns primary mylab.net soa \ ns1.mylab.net mail@mylab.net 86400 3600 1209600 86400
If DNS inspection is not enabled, or the static rule is not set with the dns keyword, connections between client and server that rely on name resolution won't work (unless an outside NAT is configured), because the client receives the outside address 192.168.0.150 instead of the server's real address:
root@host1:~# ping ftp.mylab.net
PING ftp.mylab.net (192.168.0.150): 56 data bytes
^C
--- ftp.mylab.net ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
After enabling the required features, the reply is rewritten to the real address and the connection works fine:
root@host1:~# ping ftp.mylab.net
PING ftp.mylab.net (192.168.100.150): 56 data bytes
64 bytes from 192.168.100.150 seq=0 ttl=64 time=26.597 ms
64 bytes from 192.168.100.150 seq=1 ttl=64 time=2.837 ms
64 bytes from 192.168.100.150 seq=2 ttl=64 time=2.003 ms
--- ftp.mylab.net ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2.003/10.479/26.597 ms
The router processing the query (note that the answer it sends still carries 192.168.0.150; the ASA performs the rewrite on the way back to the client):
Router#debug domain replies detail
*Aug 13 00:06:22.955: DNS: Send reply from internal information:
*Aug 13 00:06:22.955: DOM: id=313, response, opcode=0, aa=1, tc=0, rd=1, ra=1
*Aug 13 00:06:22.959: rcode=0, qdcount=1, ancount=1, nscount=0, arcount=0
*Aug 13 00:06:22.959: query name is ftp.mylab.net, qtype=1, class=1
*Aug 13 00:06:22.959: Answer section:
*Aug 13 00:06:22.959: Name='ftp.mylab.net'
*Aug 13 00:06:22.959: RR type=1, class=1, ttl=10, data length=4
*Aug 13 00:06:22.959: IP=192.168.0.150
*Aug 13 00:06:22.963: Authority section:
*Aug 13 00:06:22.963: Additional record section:
*Aug 13 00:06:22.963: DNS: Finished processing query (id#313) in 0.012 secs
*Aug 13 00:06:22.967: DNS: Send reply from internal information:
*Aug 13 00:06:22.967: DOM: id=19567, response, opcode=0, aa=1, tc=0, rd=1, ra=1
*Aug 13 00:06:22.967: rcode=0, qdcount=1, ancount=0, nscount=1, arcount=0
*Aug 13 00:06:22.967: query name is ftp.mylab.net, qtype=28, class=1
*Aug 13 00:06:22.967: Answer section:
*Aug 13 00:06:22.971: Authority section:
*Aug 13 00:06:22.971: Name='mylab.net'
*Aug 13 00:06:22.971: RR type=6, class=1, ttl=86400, data length=53
*Aug 13 00:06:22.971: MNAME='\ ns1.mylab.net'
*Aug 13 00:06:22.971: RNAME='mail@mylab.net'
*Aug 13 00:06:22.971: SERIAL=3223929982, REFRESH=86400, RETRY=3600, EXPIRE=1209600, MINIMUM=86400
*Aug 13 00:06:22.975: Additional record section:
*Aug 13 00:06:22.975: DNS: Finished processing query (id#19567) in 0.020 secs
asa(config)# end
asa# wr mem
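To make the rewrite concrete, the following is an added Python model of what nat-rewrite does to the id#313 reply above; it is not ASA code and not part of the original post. It parses a DNS reply, refuses it if it exceeds the message-length maximum of 512 bytes from preset_dns_map, and replaces A-record rdata that matches the mapped address of the static entry (192.168.0.150) with the real address (192.168.100.150). The reply bytes are constructed inline to mirror the router's answer.

```python
import struct
import socket

# From the page: static (inside,outside) 192.168.0.150 192.168.100.150 ... dns
# mapped (outside) address -> real (inside) address
STATIC_NAT = {"192.168.0.150": "192.168.100.150"}
MAX_MSG_LEN = 512  # message-length maximum 512 in preset_dns_map


def skip_name(msg, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def doctor_reply(msg, nat=STATIC_NAT, max_len=MAX_MSG_LEN):
    """Rewrite A-record rdata in a DNS reply the way the ASA's nat-rewrite does.
    Returns (rewritten_message, [(old_ip, new_ip), ...]); raises ValueError when
    the reply is longer than the configured maximum (the inspection drops it)."""
    if len(msg) > max_len:
        raise ValueError("DNS message exceeds message-length maximum")
    msg = bytearray(msg)
    _ident, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    rewrites = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            ip = socket.inet_ntoa(bytes(msg[off:off + 4]))
            if ip in nat:
                msg[off:off + 4] = socket.inet_aton(nat[ip])
                rewrites.append((ip, nat[ip]))
        off += rdlen
    return bytes(msg), rewrites


def build_reply(ident, name, ip, ttl=10):
    """Constructed sample: a minimal authoritative A response like the id#313 reply."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", ident, 0x8580, 1, 1, 0, 0)  # qr, aa, rd, ra set
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer
```

Running doctor_reply on build_reply(313, "ftp.mylab.net", "192.168.0.150") yields a reply whose answer now points at 192.168.100.150, while the ns1.mylab.net answer (192.168.0.254, no static entry) passes through unchanged.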
Hi Hábner,
When I took the CCSP exams, the CCNA Security didn't exist yet. From what I know of that exam, you should focus heavily on SDM and on the concepts behind the security solutions. I don't have any material for the exam, but if you need some help, feel free to get in touch with me.
Cheers!