Destination NAT with DNS Rewrite Use Cases
Where the DNS server sits relative to the firewall, and which side of the NAT rule the address in the DNS response belongs to, determine whether you configure DNS Rewrite in the reverse or the forward direction.
When you use destination NAT to perform a static, one-to-one translation from one IPv4 address to a different IPv4 address, you may also be relying on a DNS server on one side of the firewall to resolve FQDNs for clients on the other side. Without DNS Rewrite, the firewall does not translate the IP address carried inside the DNS response when that response traverses the firewall on its way to the client, so the DNS server hands an internal IP address to an external client (or vice versa), and the client cannot connect to the destination service.
To avoid that problem, you can configure the firewall to rewrite the IP address in the DNS response (from the A Record) based on the translated IP address configured for the NAT policy rule. The firewall performs NAT on the IPv4 address (the FQDN resolution) in the DNS response before forwarding the response to the client; thus, the client receives the appropriate address to reach the destination service. A single NAT policy rule causes the firewall to perform NAT on packets that match the rule, and also causes the firewall to perform NAT on IP addresses in DNS responses that match the original destination address or translated destination address in the rule.
DNS rewrite occurs at the global level; the firewall maps the Destination Address on the Original Packet tab to the Destination Address on the Translated Packet tab. All other fields on the Original Packet tab are ignored. When a DNS response packet arrives, the firewall checks whether the response contains any A Record that matches one of the mapped destination addresses, based on the direction, as follows.
You must specify how the firewall performs NAT on the IP address in the DNS response relative to the NAT rule: reverse or forward:
  • reverse—If the DNS response matches the Translated Destination Address in the rule, translate the DNS response using the reverse translation that the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 192.168.1.10 to 1.1.1.10.
  • forward—If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10.
If a NAT rule with DNS Rewrite disabled overlaps a NAT rule below it that has DNS Rewrite enabled (the address in the DNS response is covered by both rules), the firewall rewrites the DNS response according to the rule that has DNS Rewrite enabled, in whichever direction (reverse or forward) that rule specifies. For DNS rewrite the enabled rule takes precedence and the order of the NAT rules is ignored; rule order still governs which rule translates the data packets themselves, so verify that the two rules map the same pair of addresses, or the client will receive an address that the matching packet-translation rule does not serve.
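The following Python script is an added example, not firewall code from this page or from the vendor: it models the rewrite behaviour described above on a real DNS response in wire format. The `NatRule` class holds the only three fields the text says matter (original destination, translated destination, and the DNS Rewrite direction), `rewrite_ip` applies the reverse/forward rule exactly as stated, and `rewrite_response` walks the answer section of an RFC 1035 message and patches the rdata of every IN A record. The sample response for `www.example.com` is constructed inline; the name, addresses and function names are assumptions for illustration.

```python
"""Simulation of destination NAT DNS Rewrite on a DNS response.

Added example (not vendor code). Models how a firewall with DNS Rewrite
enabled on a static destination NAT rule edits the A records in a DNS
response before forwarding it to the client. The reverse/forward semantics
and the "enabled rule wins over an overlapping disabled rule" precedence
follow the text above; message parsing is plain RFC 1035.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Iterator, Optional


@dataclass(frozen=True)
class NatRule:
    original_dst: str                  # Destination Address, Original Packet tab
    translated_dst: str                # Destination Address, Translated Packet tab
    dns_rewrite: Optional[str] = None  # "reverse", "forward", or None (disabled)


def rewrite_ip(ip: str, rules: list[NatRule]) -> str:
    """Return the address the firewall writes into an A record carrying `ip`.

    A rule with DNS Rewrite disabled never matches here, so an overlapping
    disabled rule above an enabled one does not shadow it, regardless of order.
    """
    for rule in rules:
        if rule.dns_rewrite == "reverse" and ip == rule.translated_dst:
            return rule.original_dst      # translated -> original (reverse of the rule)
        if rule.dns_rewrite == "forward" and ip == rule.original_dst:
            return rule.translated_dst    # original -> translated (same as the rule)
    return ip                             # no rewrite


def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a domain name, whether written out or a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:         # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def build_response(qname: str, ips: list[str], txid: int = 0x1234) -> bytes:
    """Constructed sample response: standard answer, one IN A record per ip."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        answers += b"\xC0\x0C"                                  # pointer to the question name
        answers += struct.pack("!HHIH", 1, 1, 300, 4)           # A, IN, TTL 300, RDLENGTH 4
        answers += bytes(int(o) for o in ip.split("."))
    return header + question + answers


def _a_record_rdata_offsets(msg: bytes) -> Iterator[int]:
    """Yield the offset of the 4-byte rdata of each IN A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                          # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answer_ips(msg: bytes) -> list[str]:
    return [".".join(str(b) for b in msg[o:o + 4]) for o in _a_record_rdata_offsets(msg)]


def rewrite_response(msg: bytes, rules: list[NatRule]) -> bytes:
    """Return a copy of `msg` with every answer-section A record passed through `rules`."""
    out = bytearray(msg)
    for off in _a_record_rdata_offsets(msg):
        ip = ".".join(str(b) for b in msg[off:off + 4])
        out[off:off + 4] = bytes(int(o) for o in rewrite_ip(ip, rules).split("."))
    return bytes(out)


if __name__ == "__main__":
    # The rule from the text: original 1.1.1.10 is translated to 192.168.1.10.
    reverse_rule = NatRule("1.1.1.10", "192.168.1.10", "reverse")
    forward_rule = NatRule("1.1.1.10", "192.168.1.10", "forward")
    disabled_rule = NatRule("1.1.1.10", "192.168.1.10", None)

    internal_answer = build_response("www.example.com", ["192.168.1.10", "10.0.0.5"])
    print("reverse:", answer_ips(rewrite_response(internal_answer, [reverse_rule])))
    external_answer = build_response("www.example.com", ["1.1.1.10"])
    print("forward:", answer_ips(rewrite_response(external_answer, [forward_rule])))
    # Overlap: disabled rule listed first still lets the enabled rule rewrite.
    print("overlap:", answer_ips(rewrite_response(internal_answer, [disabled_rule, reverse_rule])))
```

Running the script prints the rewritten answers for the reverse case (192.168.1.10 becomes 1.1.1.10 while the unrelated 10.0.0.5 is untouched), the forward case (1.1.1.10 becomes 192.168.1.10), and the overlap case, where the enabled rule rewrites even though the disabled rule precedes it. Only IN A records are touched; the model does not rewrite AAAA records or records in the authority and additional sections, which matches the IPv4 A-record scope the text describes.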
Consider the use cases for configuring DNS rewrite: