DNS Doctoring

Posted on 2006-05-17
Medium Priority
Last Modified: 2011-10-03
Hello everyone,
This question may have been asked here before albeit in a different scenario. Here is the problem that I am facing.

We have our internal AD DNS server sitting behind a Cisco PIX 506 firewall. We are in the process of changing our ISP's. We have, in the firewall config, the use of the alias command. This command is not supported in the PDM and I keep getting a message when I start the PDM. This means that the only way in which I can configure the pIX is through the command line.

Now with the move to the new ISP - I would like to do away with the alias command. In reading a few articles on this site regarding DNS doctoring, there have been a couple of suggestions. However the scenario's presented are slightly different from ours. We host quite a few websites on the servers inside our network. So also mail (OWA). I would like to be able to browse the websites from within the network without any problems (the internal DNS server has the records for the web sites). So if my internal DNS server has all the internal IP addresses for the web servers - I should not need any alias command on the firewall. Am I correct in that assumption? For external clients accessing my internal web servers we have the access list as well as the static entries in the firewall configuration.

In case the static command is used with an outside NAT "static (outside,inside) 209.x.x.x netmask........" will that be helpful?

One important factor is that our internal and external DNS names are the same. I am maintaining 2 DNS servers.

Any help in this matter will be highly appreciated.

Question by:ravichetal
1 Comment

Accepted Solution

stressedout2004 earned 500 total points
ID: 16703406
DNS doctoring is applicable only if the DNS is on a lower security level. PIX cannot do anything if the traffic does not pass through it in the first place. So if your saying that your internal DNS resolves the internal IP address of the web server and clients on your LAN points to this DNS server, then you have nothing to worry about.

>>One important factor is that our internal and external DNS names are the same

It doesn't matter, as long as your internal network points to the internal DNS server which resolves to the internal IP address of the server. The external DNS on the other hand should handle request coming from the outside and resolves to the public IP address of the server. You should be all set.

In this setup, you should also be able to get rid of the alias command.

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
This article will show you step-by-step instructions to build your own NTP CentOS server.  The network diagram shows the best practice to setup the NTP server farm for redundancy.  This article also serves as your NTP server documentation.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question