Destination NAT with DNS Rewrite Forward Use Cases

Use cases for destination NAT with DNS rewrite in the forward direction.
The following use cases illustrate destination NAT with DNS rewrite enabled in the forward direction. The difference between these two use cases is simply whether the DNS client, DNS server, and destination server are on the public or internal side of the firewall. In either case, the DNS client is on the same side of the firewall as its ultimate destination server. (If your DNS client and its ultimate destination server are on opposite sides of the firewall, consider Destination NAT with DNS Rewrite Reverse Use Cases 1 and 2.)
Use case 3 illustrates the DNS client and the ultimate destination server both on the internal side of the firewall, while the DNS server is on the public side. This case requires DNS rewrite in the forward direction. The DNS client queries for the IP address of red.com. Based on Rule 1, the firewall translates the query (originally going to internal address 192.168.1.1) to 1.1.1.1. The DNS server responds that red.com has IP address 1.1.2.10. Rule 2 includes Enable DNS Rewrite - forward, and the DNS response of 1.1.2.10 matches the original destination address of 1.1.2.0/24 in Rule 2, so the firewall translates the DNS response using the same translation the rule uses. Rule 2 translates 1.1.2.0/24 to 192.168.2.0/24, so the firewall rewrites the DNS response 1.1.2.10 to 192.168.2.10. The DNS client receives the response and sends its traffic to 192.168.2.10 to reach the red.com server.
Use case 3 summary: DNS client and destination server are on the same side of the firewall. The DNS server provides an address that matches the original destination address in the NAT rule, so translate the DNS response using the same (forward) translation as the NAT rule.
Figure: Destination NAT with DNS rewrite forward, Use case 3 (nat_dns_rewrite_forward.png)
Use case 4 illustrates the DNS client and the ultimate destination server both on the public side of the firewall, while the DNS server is on the internal side. This case requires DNS rewrite in the forward direction. The DNS client queries for the IP address of red.com. Based on Rule 2, the firewall translates the query (originally going to public destination 1.1.2.1) to 192.168.2.1. The DNS server responds that red.com has IP address 192.168.2.10. Rule 1 includes Enable DNS Rewrite - forward, and the DNS response of 192.168.2.10 matches the original destination address of 192.168.2.0/24 in Rule 1, so the firewall translates the DNS response using the same translation the rule uses. Rule 1 translates 192.168.2.0/24 to 1.1.2.0/24, so the firewall rewrites the DNS response 192.168.2.10 to 1.1.2.10. The DNS client receives the response and sends its traffic to 1.1.2.10 to reach the red.com server.
The Use case 4 summary is the same as for Use case 3: DNS client and destination server are on the same side of the firewall. The DNS server provides an address that matches the original destination address in the NAT rule, so translate the DNS response using the same (forward) translation as the NAT rule.
Figure: Destination NAT with DNS rewrite forward, Use case 4 (nat_dns_rewrite_forward_use4.png)
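The following is an added example that models the forward DNS rewrite logic described in Use cases 3 and 4 above; it is illustration code, not the firewall's own implementation or configuration syntax. It assumes a destination NAT rule is an original-destination prefix mapped to a translated prefix of the same size, that rules are evaluated in order with first match winning, and that a forward rewrite applies only when an A-record answer falls inside a rule's original destination and that rule has the forward rewrite flag set. The rule names, function names and the extra non-matching answer (8.8.8.8) are constructed for this example.

```python
from ipaddress import ip_address, ip_network


class DnatRule:
    """A destination NAT rule: original destination prefix -> translated prefix.

    `dns_rewrite_forward` models the "Enable DNS Rewrite - forward" option.
    Rule ordering and first-match semantics are an assumption of this example.
    """

    def __init__(self, name, original, translated, dns_rewrite_forward=False):
        self.name = name
        self.original = ip_network(original)
        self.translated = ip_network(translated)
        self.dns_rewrite_forward = dns_rewrite_forward
        # A 1:1 prefix translation only makes sense for equal-sized prefixes.
        if self.original.prefixlen != self.translated.prefixlen:
            raise ValueError("original and translated prefixes must be the same size")

    def matches(self, addr):
        return ip_address(addr) in self.original

    def translate(self, addr):
        """Map addr from the original prefix into the translated prefix,
        preserving the host offset (1.1.2.10 -> 192.168.2.10 for /24 -> /24)."""
        addr = ip_address(addr)
        offset = int(addr) - int(self.original.network_address)
        return str(ip_address(int(self.translated.network_address) + offset))


def translate_destination(rules, dst):
    """Ordinary destination NAT for a packet (here, the DNS query itself)."""
    for rule in rules:
        if rule.matches(dst):
            return rule.translate(dst), rule.name
    return str(ip_address(dst)), None


def rewrite_dns_answer(rules, answer):
    """Forward DNS rewrite: if the answered address lies in the original
    destination of a rule with forward rewrite enabled, rewrite it with
    that rule's translation. Otherwise the answer passes unchanged."""
    for rule in rules:
        if rule.dns_rewrite_forward and rule.matches(answer):
            return rule.translate(answer), rule.name
    return str(ip_address(answer)), None


# Use case 3 (constructed from the text): client and red.com internal, DNS server public.
USE_CASE_3_RULES = [
    DnatRule("Rule 1", "192.168.1.1/32", "1.1.1.1/32"),
    DnatRule("Rule 2", "1.1.2.0/24", "192.168.2.0/24", dns_rewrite_forward=True),
]

# Use case 4 (constructed from the text): client and red.com public, DNS server internal.
USE_CASE_4_RULES = [
    DnatRule("Rule 1", "192.168.2.0/24", "1.1.2.0/24", dns_rewrite_forward=True),
    DnatRule("Rule 2", "1.1.2.1/32", "192.168.2.1/32"),
]


def walk_use_case(rules, query_dst, dns_answer):
    """Run the query translation and the answer rewrite for one use case."""
    translated_query, query_rule = translate_destination(rules, query_dst)
    rewritten, rewrite_rule = rewrite_dns_answer(rules, dns_answer)
    return {
        "query_to": translated_query,
        "query_rule": query_rule,
        "client_sees": rewritten,
        "rewrite_rule": rewrite_rule,
    }


if __name__ == "__main__":
    print("Use case 3:", walk_use_case(USE_CASE_3_RULES, "192.168.1.1", "1.1.2.10"))
    print("Use case 4:", walk_use_case(USE_CASE_4_RULES, "1.1.2.1", "192.168.2.10"))
    # An answer outside every rule's original destination is left alone.
    print("No match:", rewrite_dns_answer(USE_CASE_3_RULES, "8.8.8.8"))
```

The check worth keeping in mind is the last one: the rewrite keys on the rule's original destination, so an answer that does not fall inside it (8.8.8.8 here) is delivered to the client untouched, and a rule without the forward flag never rewrites answers even when the address matches.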