Support Center > Search Results > SecureKnowledge Details
How to configure DNS NAT
Solution

In some topologies, it is required to NAT reply traffic from a DNS server, so that the querying host thinks that a certain DNS entry (for example, smtp.company.com) is resolvable to an IP address other than the one written in the database of the DNS server.

 

Procedure

The feature has a global on/off switch, in the $FWDIR/conf/objects_5_0.C file on Security Management Server / Domain Management Server, called fw_dns_xlation (by default set to false). When its value is set to true, the regular NAT rulebase is used to determine how to change the DNS packets.

The regular NAT rules used to translate the internal servers will suffice. There is no need to define special NAT rules in addition to the regular ones defined.

Firstly, you must enable the IPS Blade on the relevant Security Gateway(s) with these settings:

For R77.x

  1. SmartDashboard - go to 'IPS' tab.

  2. Expand 'Protections' -> expand 'By Protocol' -> expand 'IPS Software Blade' -> expand 'Application Intelligence' -> click on 'DNS' group.

  3. Right-click on the 'DNS - General Settings' protection - select 'Details...':

    1. Select the relevant IPS profile - click on 'Edit...'.
    2. Verify that either the box 'UDP only' or the box 'Both TCP and UDP' is selected.
    3. Click on 'OK' to close the 'Protection Settings' window.
    4. Click on 'OK' to close the 'Protection Details' window.


  4. Right-click on the 'Non compliant DNS' protection - select 'Prevent on All Profiles'.


For R80.x

  1. In the SmartConsole, go to the Manage & Settings > Blades view.

  2. In the General section, click Inspection Settings.



  3. In the Inspection Settings > General view, select DNS - General settings.

  4. Right-click on the 'DNS - General Settings' protection - select 'Edit...':

    1. Select the relevant profile - click on 'Edit...'.
    2. Edit the relevant Inspection: verify that either the box 'UDP only' or the box 'Both TCP and UDP' is selected.
    3. Click 'OK

  5. Right-click on the 'Non-compliant DNS' protection - select 'Prevent on All Profiles'.

The above IPS settings/protection/Inspection settings does not require an IPS Blade license/subscription. Using other features in the IPS Blade may require a license. If you do not want to run a full set of IPS protections, create a dedicated IPS profile with only the "Non-compliant DNS" protection activated.

 

Secondly, enable the fw_dns_xlation property:

  1. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

  2. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.

  3. In the left upper pane, go to 'Table' - 'Global Properties' - 'properties'.

  4. In the right upper pane, select the 'firewall_properties'.

  5. Press CTRL+F (or go to 'Search' menu - 'Find') - paste fw_dns_xlation - click on 'Find Next'.

  6. In the lower pane, right-click on the fw_dns_xlation - 'Edit...' - choose "true" - click on 'OK'.

  7. Save the changes: go to 'File' menu - click on 'Save All'.

  8. Close the GuiDBedit Tool.

  9. Connect with SmartDashboard to Security Management Server / Domain Management Server.

  10. Install the policy onto the relevant Security Gateway / Cluster object.

From this point on, the Security Gateway will apply NAT to the DNS data, according to the NAT rules.

 

Limitations

  1. IPv6 is not supported (refer to sk39374 - IPv6 Support FAQ - question "What are the most common unsupported features/products with IPv6 in releases prior to R76?").

  2. The Manual NAT rules for network objects or Automatic NAT Static rules for Host objects must be used. This feature does not work with Automatic NAT Static rules of Network objects.

  3. DNS traffic (DNS Requests) will be translated based on the Destination address in the NAT rules without considering the Source of the traffic. the NAT DNS payload requires static NAT rules in which the DNS response that needs to be translated is set as the original destination, and the requested translation for it is the translated destination. 

  4. The feature does not work for a DNS Zone Transfer (used to synchronize DNS databases between to internal DNS servers).

  5. The feature does not work for DNS Queries over TCP.

  6. Security Gateway must be between the querying host and the DNS server.

  7. Since this IPS protection is enabled, the UDP DNS traffic cannot be accelerated by SecureXL. This traffic will be processed by Medium path or Firewall path (CoreXL) depending on the Security Gateway(s) configuration.

 

Note:

If the "NAT for DNS payload" option is enabled, and the IPS protection "Non-compliant DNS" is disabled in at least one of IPS profiles, the Security Policy installation will succeed, but the following warning will appear:

"You enabled NAT on DNS payload, please make sure that DNS UDP protocol enforcement defense is enabled on the desired gateway."

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment