Destination NAT with DNS Rewrite Forward Use Cases
Use cases for destination NAT with DNS rewrite in the
forward direction.
The following use cases illustrate destination NAT
with DNS rewrite enabled in the forward direction.
The difference between these two use cases is simply whether the
DNS client, DNS server, and destination server are on the public
or internal side of the firewall. In either case, the DNS client
is on the same side of the firewall as its ultimate destination
server. (If your DNS client and its ultimate destination server
are on opposite sides of the firewall, consider Destination NAT with DNS Rewrite Reverse Use Cases 1 and 2.)
Use case 3 illustrates the DNS client and the ultimate destination
server both on the internal side of the firewall, while the DNS
server is on the public side. This case requires DNS rewrite in
the forward direction. The DNS client queries for the IP address
of red.com. Based on Rule 1, the firewall translates the query (originally
going to internal address 192.168.1.1) to 1.1.1.1. The DNS server
responds that red.com has IP address 1.1.2.10. Rule 2 includes Enable
DNS Rewrite - forward and the DNS response of 1.1.2.10 matches
the original destination address of 1.1.2.0/24 in Rule 2, so the
firewall translates the DNS response using the same translation
the rule uses. Rule 2 says translate 1.1.2.0/24 to 192.168.2.0/24,
so the firewall rewrites DNS response 1.1.2.10 to 192.168.2.10.
The DNS client receives the response and sends its traffic to
192.168.2.10 to reach server red.com.
Use case 3 summary: DNS client and destination server are on
the same side of the firewall. The DNS server provides an address
that matches the original destination address in the NAT rule, so
translate the DNS response using the same (forward)
translation as the NAT rule.
Use case 4 illustrates the DNS client and the ultimate destination
server both on the public side of the firewall, while the DNS server
is on the internal side. This case requires DNS Rewrite in the forward
direction. The DNS client queries for the IP address of red.com.
Based on Rule 2, the firewall translates the query (originally going
to public destination 1.1.2.1) to 192.168.2.1. The DNS server responds
that red.com has IP address 192.168.2.10. Rule 1 includes Enable
DNS Rewrite - forward and the DNS response of 192.168.2.10
matches the original destination address of 192.168.2.0/24 in Rule
1, so the firewall translates the DNS response using the same translation
the rule uses. Rule 1 says translate 192.168.2.0/24 to 1.1.2.0/24,
so the firewall rewrites DNS response 192.168.2.10 to 1.1.2.10.
The DNS client receives the response and sends its traffic to
1.1.2.10 to reach server red.com.
The Use case 4 summary is the same as the Use case 3 summary: the DNS client
and destination server are on the same side of the firewall. The
DNS server provides an address that matches the original destination
address in the NAT rule, so the firewall translates the DNS response using
the same (forward) translation as the NAT rule.
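The forward-rewrite decision common to Use case 3 and Use case 4 can be modelled as a small program. The following Python is an added illustration, not firewall code: the DestNatRule class, the rewrite_dns_answer function and the rule lists are assumptions that encode the rules and addresses named above, with each rule's original and translated prefixes taken to be the same size.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DestNatRule:
    """Destination NAT rule: original destination prefix -> translated prefix (assumed model)."""
    name: str
    original_dst: str           # e.g. "1.1.2.0/24"
    translated_dst: str         # e.g. "192.168.2.0/24", same prefix length
    dns_rewrite_forward: bool = False


def _shift(addr, src_net, dst_net):
    """Map addr's host offset within src_net onto the same offset in dst_net."""
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)


def rewrite_dns_answer(answer_ip, rules):
    """Forward DNS rewrite: if an A-record answer falls inside the original
    destination of a rule with DNS rewrite (forward) enabled, translate it
    with the same original->translated mapping the rule applies to traffic.
    Returns (ip_delivered_to_client, matching_rule_name_or_None)."""
    addr = ipaddress.ip_address(answer_ip)
    for rule in rules:
        if not rule.dns_rewrite_forward:
            continue                      # rule translates traffic only, never DNS answers
        orig = ipaddress.ip_network(rule.original_dst, strict=False)
        trans = ipaddress.ip_network(rule.translated_dst, strict=False)
        if orig.prefixlen != trans.prefixlen:
            raise ValueError(f"{rule.name}: original and translated prefixes differ in size")
        if addr in orig:
            return str(_shift(addr, orig, trans)), rule.name
    return answer_ip, None                # no match: answer passes through unchanged


# Use case 3: internal client and server, public DNS server (constructed from the text).
USE_CASE_3_RULES = [
    DestNatRule("Rule 1", "192.168.1.1/32", "1.1.1.1/32"),
    DestNatRule("Rule 2", "1.1.2.0/24", "192.168.2.0/24", dns_rewrite_forward=True),
]
# Use case 4: public client and server, internal DNS server (constructed from the text).
USE_CASE_4_RULES = [
    DestNatRule("Rule 1", "192.168.2.0/24", "1.1.2.0/24", dns_rewrite_forward=True),
    DestNatRule("Rule 2", "1.1.2.1/32", "192.168.2.1/32"),
]

if __name__ == "__main__":
    print(rewrite_dns_answer("1.1.2.10", USE_CASE_3_RULES))      # ('192.168.2.10', 'Rule 2')
    print(rewrite_dns_answer("192.168.2.10", USE_CASE_4_RULES))  # ('1.1.2.10', 'Rule 1')
```

An answer that matches only a rule without DNS rewrite enabled (for example the DNS server's own address under Rule 1 in Use case 3) is returned untouched, which is the behaviour to expect when a client is handed an address the firewall does not translate.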