DNS Doctoring

Posted on 2006-05-17
Last Modified: 2011-10-03
Hello everyone,
This question may have been asked here before albeit in a different scenario. Here is the problem that I am facing.

We have our internal AD DNS server sitting behind a Cisco PIX 506 firewall. We are in the process of changing our ISPs. We have, in the firewall config, the use of the alias command. This command is not supported in the PDM and I keep getting a message when I start the PDM. This means that the only way in which I can configure the PIX is through the command line.

Now with the move to the new ISP - I would like to do away with the alias command. In reading a few articles on this site regarding DNS doctoring, there have been a couple of suggestions. However, the scenarios presented are slightly different from ours. We host quite a few websites on the servers inside our network, and also mail (OWA). I would like to be able to browse the websites from within the network without any problems (the internal DNS server has the records for the web sites). So if my internal DNS server has all the internal IP addresses for the web servers - I should not need any alias command on the firewall. Am I correct in that assumption? For external clients accessing my internal web servers we have the access list as well as the static entries in the firewall configuration.

In case the static command is used with an outside NAT "static (outside,inside) 209.x.x.x netmask........" will that be helpful?

One important factor is that our internal and external DNS names are the same. I am maintaining 2 DNS servers.

Any help in this matter will be highly appreciated.

Question by: ravichetal

1 Comment
LVL 9

Accepted Solution

DNS doctoring is applicable only if the DNS is on a lower security level. The PIX cannot do anything if the traffic does not pass through it in the first place. So if you're saying that your internal DNS resolves the internal IP address of the web server and clients on your LAN point to this DNS server, then you have nothing to worry about.

>>One important factor is that our internal and external DNS names are the same

It doesn't matter, as long as your internal network points to the internal DNS server, which resolves to the internal IP address of the server. The external DNS, on the other hand, should handle requests coming from the outside and resolve to the public IP address of the server. You should be all set.

In this setup, you should also be able to get rid of the alias command.
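The split-horizon arrangement described in the accepted answer (inside clients get inside addresses from the internal server, outside clients get public addresses from the external server, and the public address is the static NAT partner of the inside address) can be checked mechanically before the alias command is removed. The following is an added example, not code from the question, the answer, or Cisco; it assumes constructed `static (inside,outside)` lines and constructed zone data for example.com using documentation address ranges, and it models the two DNS servers as plain dictionaries rather than querying anything.

```python
"""Consistency check for split-horizon DNS behind a PIX-style static NAT.

Added example (not from the original thread). Assumptions: the PIX config
uses 'static (inside,outside) <global_ip> <local_ip> netmask <mask>' lines,
and the internal and external zones serve the same names with different
answers. All addresses and names below are constructed sample data.
"""
import ipaddress
import re

# Constructed sample of PIX static NAT lines (public -> inside).
SAMPLE_STATICS = """
static (inside,outside) 198.51.100.10 10.0.0.10 netmask 255.255.255.255
static (inside,outside) 198.51.100.11 10.0.0.11 netmask 255.255.255.255
static (inside,outside) 198.51.100.12 10.0.0.12 netmask 255.255.255.255
"""

# Constructed zone data: same names, inside answers vs. public answers.
INTERNAL_ZONE = {
    "www.example.com": "10.0.0.10",
    "owa.example.com": "10.0.0.11",
    "intranet.example.com": "10.0.0.50",  # inside-only host, no static NAT
}
EXTERNAL_ZONE = {
    "www.example.com": "198.51.100.10",
    "owa.example.com": "198.51.100.11",
}

STATIC_RE = re.compile(
    r"^static \(inside,outside\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)", re.M)

# RFC 1918 ranges, checked explicitly so documentation addresses (which the
# ipaddress module also classifies as non-global) count as "public" here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_statics(config_text):
    """Return {inside_ip: global_ip} from the static (inside,outside) lines."""
    mapping = {}
    for global_ip, local_ip, _mask in STATIC_RE.findall(config_text):
        mapping[str(ipaddress.ip_address(local_ip))] = \
            str(ipaddress.ip_address(global_ip))
    return mapping


def resolve(name, client_is_inside):
    """Answer a client receives: inside clients ask the internal server,
    outside clients ask the external one. None means no record."""
    zone = INTERNAL_ZONE if client_is_inside else EXTERNAL_ZONE
    return zone.get(name)


def check_split_horizon(internal, external, statics):
    """Return a list of problems; an empty list means the zones agree with
    the static NAT table and no alias/doctoring is needed for inside hosts."""
    problems = []
    for name, ext_ip in external.items():
        if is_rfc1918(ext_ip):
            problems.append(f"{name}: external zone publishes private address {ext_ip}")
        int_ip = internal.get(name)
        if int_ip is None:
            problems.append(f"{name}: in external zone but missing from internal zone")
            continue
        if not is_rfc1918(int_ip):
            problems.append(f"{name}: internal zone answers public address {int_ip}; "
                            "inside clients would hairpin through the firewall")
        expected = statics.get(int_ip)
        if expected is None:
            problems.append(f"{name}: no static NAT for inside address {int_ip}")
        elif expected != ext_ip:
            problems.append(f"{name}: external answer {ext_ip} is not the static "
                            f"partner of {int_ip} (static maps it to {expected})")
    return problems


if __name__ == "__main__":
    statics = parse_statics(SAMPLE_STATICS)
    for client_inside in (True, False):
        where = "inside" if client_inside else "outside"
        print(f"{where} client -> www.example.com = "
              f"{resolve('www.example.com', client_inside)}")
    issues = check_split_horizon(INTERNAL_ZONE, EXTERNAL_ZONE, statics)
    print("problems:", issues or "none")
```

The "hairpin" finding is the case the alias command was papering over: an inside client that receives the public address and then tries to reach it through the firewall. Hosts that exist only in the internal zone (like the intranet entry) are deliberately not flagged, since nothing outside needs to resolve them.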
