Destination NAT with DNS Rewrite Use Cases
Where the DNS server sits in the destination NAT topology, and which address it returns in the DNS response, determine whether you configure DNS Rewrite in the reverse or the forward direction.
When you use destination NAT to perform a static translation from one IPv4 address to a different IPv4 address, you may also be using DNS services on one side of the firewall to resolve FQDNs for a client. When the DNS response containing the IP address traverses the firewall to go to the client, the firewall does not, by default, touch the IP address carried inside the DNS payload (the A record), so the DNS server hands an internal IP address to an external device, or vice versa, and the DNS client is unable to connect to the destination service.
To avoid that problem, you can configure the firewall to rewrite the IP address in the DNS response (the A record) based on the translated IP address configured for the NAT policy rule. The firewall performs NAT on the IPv4 address (the FQDN resolution) in the DNS response before forwarding the response to the client, so the client receives an address from which it can reach the destination service. A single NAT policy rule therefore causes the firewall to perform NAT on packets that match the rule, and also on IP addresses in DNS responses that match the original destination address or translated destination address in the rule.
Two caveats apply. The rewrite changes the IPv4 address in A records only, and only in DNS responses that traverse the firewall where it can inspect and modify the DNS payload. Because the record data is changed, a client or resolver that validates DNSSEC will reject the rewritten response, since the signature no longer matches the rewritten record. After you configure DNS rewrite, confirm from a client on each side of the firewall that resolving the FQDN returns the address that is reachable from that side.
DNS rewrite occurs at the global level; the firewall maps the
Destination Address on the Original Packet tab to the Destination
Address on the Translated Packet tab. All other fields on the Original
Packet tab are ignored. When a DNS response packet arrives, the
firewall checks whether the response contains any A Record that
matches one of the mapped destination addresses, based on the direction,
as follows.
You must specify how the firewall performs NAT on the IP address in the DNS response relative to the NAT rule: reverse or forward.
- reverse—If the DNS response matches the Translated Destination Address in the rule, translate the DNS response using the reverse translation that the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 192.168.1.10 to 1.1.1.10.
- forward—If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10.
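As an added example that is not code from this page or from Palo Alto Networks, the following Python models the decision just described: a NAT rule carries an original and a translated destination address plus a rewrite direction, and the rewrite touches only the A records in a DNS response that match the relevant side of that mapping, leaving every other byte of the packet as it was. It also models the overlapping-rule behaviour described in the next paragraph (a higher rule without DNS rewrite does not stop a lower rule that has it). The rule names, the packet builder and the sample response are constructed for illustration; the addresses 1.1.1.10 and 192.168.1.10 are the page's own example.

```python
# Added example, not PAN-OS code: a model of destination-NAT DNS rewrite on A records.
# Rule names, the packet builder and the sample response are constructed for illustration.
import socket
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


@dataclass
class NatRule:
    """One destination NAT rule, reduced to the fields DNS rewrite looks at."""
    name: str
    original_dst: str                    # Destination Address, Original Packet tab
    translated_dst: str                  # Destination Address, Translated Packet tab
    dns_rewrite: Optional[str] = None    # None (disabled), "forward" or "reverse"


def rewrite_address(addr: str, rules: List[NatRule]) -> str:
    """Apply the DNS-rewrite mapping to one A-record address.

    Rules with DNS rewrite disabled are skipped even when they sit higher in the
    rulebase: for the rewrite, rule order is ignored and the enabled rule wins.
    """
    for rule in rules:
        if rule.dns_rewrite == "forward" and addr == rule.original_dst:
            return rule.translated_dst   # same translation as the rule
        if rule.dns_rewrite == "reverse" and addr == rule.translated_dst:
            return rule.original_dst     # the rule's translation, reversed
    return addr


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past the name that starts at off."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_dns_response(qname: str, addrs: List[str], txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard response with one IN A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for addr in addrs:
        # name = pointer to the question name at offset 12; type A, class IN, TTL, RDLENGTH
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + question + answers


def _answer_records(pkt: bytes) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (rdata_offset, rtype, rclass, rdlen) for each answer-section record."""
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4   # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(pkt: bytes) -> List[str]:
    """Addresses of the IN A records in the answer section, in order."""
    return [socket.inet_ntoa(pkt[off:off + 4])
            for off, rtype, rclass, rdlen in _answer_records(pkt)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def rewrite_dns_response(pkt: bytes, rules: List[NatRule]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Rewrite A records in a DNS response the way the firewall does.

    Only the four RDATA bytes of matching IN A records are changed, in place, so the
    packet length and all other fields are untouched. Queries and non-A records pass.
    """
    flags = struct.unpack_from("!H", pkt, 2)[0]
    if not flags & 0x8000:               # QR bit clear: a query, nothing to rewrite
        return pkt, []
    out = bytearray(pkt)
    changes = []
    for off, rtype, rclass, rdlen in _answer_records(pkt):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue
        old = socket.inet_ntoa(pkt[off:off + 4])
        new = rewrite_address(old, rules)
        if new != old:
            out[off:off + 4] = socket.inet_aton(new)
            changes.append((old, new))
    return bytes(out), changes


if __name__ == "__main__":
    # Page's mapping 1.1.1.10 -> 192.168.1.10; the first rule overlaps but has rewrite
    # disabled, the second (lower) rule has it enabled and decides the rewrite.
    rules = [NatRule("dnat-no-rewrite", "1.1.1.10", "192.168.1.10"),
             NatRule("dnat-dns-rewrite", "1.1.1.10", "192.168.1.10", "reverse")]
    resp = build_dns_response("www.example.com", ["192.168.1.10"])   # constructed internal reply
    print(a_records(resp), "->", a_records(rewrite_dns_response(resp, rules)[0]))
```

Run it and the internal answer 192.168.1.10 comes out as 1.1.1.10, the public address an external client can reach; swap the direction to forward and a response carrying 1.1.1.10 is rewritten to 192.168.1.10 instead, while a response that matches neither side of the mapping, or a plain query, passes through unchanged.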
If you have an overlapping NAT rule with DNS Rewrite disabled, and a NAT rule below it that has DNS Rewrite enabled and is included in the overlap, the firewall rewrites the DNS response according to the rule that has DNS Rewrite enabled (in its reverse or forward setting), even though that rule sits lower in the rulebase. For DNS rewrite, the rule with the rewrite takes precedence and the order of the NAT rules is ignored.
Consider the use cases for configuring DNS rewrite: