DNS Reply Modification (doctoring) intermittently failing

We have the following configuration that requires DNS reply modification:

1) Cisco FWSM at version
2) Firewall directly connected to our ISP.
3) A DMZ (webDMZ) containing the web servers to be doctored
4) Hosts and internal DNS server on the Inside
5) ISP dns server

The internal clients (4) resolve the web server addresses (3) through the internal DNS server (4) which pulls the DNS data from the external DNS server (5).

The FWSM (1) is configured to do the DNS reply modification to provide the internal clients (4) with the private webDMZ address.

Outside clients obtain the public NATd addresses of the webDMZ through the ISP dns server (5).

Here's what we're experiencing:

The internal DNS servers (4) correctly resolve the public web server addresses (3) through the external DNS server (5).

The FWSM (1) intermittently fails to do the DNS reply modification (DNS doctoring) and provides the public addresses for the webDMZ servers, as opposed to correctly providing the doctored/modified private address.

During a DNS reply modification failure, a dns debug trace on the FWSM shows the following:

NAT:: skipping DNS rewrite

Now the good stuff:

The failure is intermittent and will flip flop from correct to incorrect and may go back to correct or may stay incorrect. Sometimes the failure stays for a matter of only a few seconds, and sometimes the failure lasts for hours.

Clearing the local xlate for the private webDMZ addresses seems to resolve the problem for an unspecified period of time.

At this point, we do not know what causes the failure.

Lastly, the problem does not affect all servers in the webDMZ. DNS doctoring/reply modification did not fail on the unaffected servers even when placed under load tests.

We have been seeing the failures by running nslookups of one of the web servers (on the webDMZ) from the inside clients (4) and specifying the ISP dns server (5). A failure is apparent when the public address is returned instead of the private address.

Anyone experience anything similar, have any recommendations or suggestions?

Thanks for your help.


My recommendation is to disable the DNS 'fixup' kludge and go with split DNS either with separate inside/outside servers or with BIND views.

Rod Dorman
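The split-DNS-with-views approach the reply recommends, as an added example that is not part of the thread and not anyone's actual configuration. It shows a BIND 9 named.conf with two views plus the two zone files they reference; the zone name example.com, the address ranges and the file paths are all assumed placeholders (inside network 10.0.0.0/8, web server private address 172.16.1.10 in the webDMZ, its public NAT address 203.0.113.10).

```conf
// named.conf (constructed example; names and addresses are placeholders)

// Clients that should receive the private (webDMZ) addresses.
acl "inside" {
    10.0.0.0/8;       // assumed inside client network
    172.16.0.0/12;    // assumed webDMZ range, so DMZ hosts also resolve privately
    localhost;
};

// Inside clients match this view first and get the private zone data.
view "internal" {
    match-clients { "inside"; };
    recursion yes;                 // inside clients may recurse through this server
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.internal";
    };
};

// Everyone else falls through to this view and gets the public NAT addresses.
view "external" {
    match-clients { any; };
    recursion no;                  // authoritative-only toward the outside
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.external";
    };
};

// /etc/bind/zones/db.example.com.internal (served only to the "inside" ACL)
// $TTL 3600
// @     IN SOA ns1.example.com. hostmaster.example.com. ( 2024010101 3600 900 604800 300 )
//       IN NS  ns1.example.com.
// ns1   IN A   10.0.0.53            ; assumed internal DNS server
// www   IN A   172.16.1.10          ; private webDMZ address, no doctoring needed

// /etc/bind/zones/db.example.com.external (served to everyone else)
// $TTL 3600
// @     IN SOA ns1.example.com. hostmaster.example.com. ( 2024010101 3600 900 604800 300 )
//       IN NS  ns1.example.com.
// ns1   IN A   203.0.113.53         ; assumed public address of the DNS server
// www   IN A   203.0.113.10         ; public NAT address of the same web server
```

Two practical points follow from this layout. First, the serial numbers of the two zone files are independent, so the inside and outside views must each be bumped when their own data changes, and a change that applies to both (a new host, for example) has to be made twice; this duplication is the main operational cost of split DNS. Second, the design only holds if inside clients actually query the internal server: a client that is pointed directly at the ISP server, as in the nslookup check described in the question, will still receive the public address, which is now the expected behaviour rather than a fault. Restricting outbound UDP/TCP 53 from the inside network to the internal DNS servers enforces that, and once inside resolution no longer depends on the firewall rewriting answers, the `dns` option on the relevant FWSM static translation can be removed so the rewrite path is not relied upon at all.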
