The following use cases illustrate destination NAT with DNS rewrite enabled in the reverse direction. The difference between these two use cases is simply whether the DNS client, DNS server, and destination server are on the public or internal side of the firewall. In either case, the DNS client is on the opposite side of the firewall from its ultimate destination server. (If your DNS client and its ultimate destination server are on the same side of the firewall, consider Destination NAT with DNS Rewrite Forward Use Cases 3 and 4.)

Use case 1 illustrates the DNS client on the public side of the firewall, while the DNS server and the ultimate destination server are both on the internal side. This case requires DNS rewrite in the reverse direction. The DNS client queries for the IP address of red.com. Based on the NAT rule, the firewall translates the query (originally going to public address 1.1.2.1) to internal address 192.168.2.1. The DNS server responds that red.com has IP address 192.168.2.10. The rule includes Enable DNS Rewrite - reverse and the DNS response of 192.168.2.10 matches the destination Translated Address of 192.168.2.0/24 in the rule, so the firewall translates the DNS response using the reverse translation that the rule uses. The rule says translate 1.1.2.0/24 to 192.168.2.0/24, so the firewall rewrites the DNS response of 192.168.2.10 to 1.1.2.10. The DNS client receives the response and sends to 1.1.2.10, which the rule translates to 192.168.2.10 to reach server red.com.

Use case 1 summary: DNS client and destination server are on opposite sides of the firewall. The DNS server provides an address that matches the translated destination address in the NAT rule, so translate the DNS response using the reverse translation of the NAT rule.

Use case 2 illustrates the DNS client on the internal side of the firewall, while the DNS server and the ultimate destination server are both on the public side. This case requires DNS rewrite in the reverse direction. The DNS client queries for the IP address of red.com. Based on the NAT rule, the firewall translates the query (originally going to internal address 192.168.2.1) to the public address 1.1.2.1. The DNS server responds that red.com has IP address 1.1.2.10. The rule includes Enable DNS Rewrite - reverse and the DNS response of 1.1.2.10 matches the destination Translated Address of 1.1.2.0/24 in the rule, so the firewall translates the DNS response using the reverse translation that the rule uses. The rule says translate 192.168.2.0/24 to 1.1.2.0/24, so the firewall rewrites the DNS response 1.1.2.10 to 192.168.2.10. The DNS client receives the response and sends to 192.168.2.10, which the rule translates to 1.1.2.10 to reach server red.com.

Use case 2 summary is the same as Use case 1 summary: DNS client and destination server are on opposite sides of the firewall. The DNS server provides an address that matches the translated destination address in the NAT rule, so translate the DNS response using the reverse translation of the NAT rule.

To implement DNS rewrite, Configure Destination NAT with DNS Rewrite.