Destination NAT with DNS Rewrite Reverse Use Cases
Use cases for destination NAT with DNS rewrite in the
reverse direction.
The following use cases illustrate destination NAT
with DNS rewrite enabled in the reverse direction.
The two use cases differ only in whether the DNS client, the DNS server,
and the destination server sit on the public or the internal side of
the firewall. In both cases the DNS client is on the opposite side of
the firewall from its ultimate destination server. (If the DNS client
and its ultimate destination server are on the same side of the firewall,
see Destination NAT with DNS Rewrite Forward Use Cases 3 and 4.)
Use case 1 illustrates the DNS client on the public side of the
firewall, while the DNS server and the ultimate destination server
are both on the internal side. This case requires DNS rewrite in
the reverse direction. The DNS client queries for the IP address
of red.com. Based on the NAT rule, the firewall translates the query
(originally addressed to public address 1.1.2.1) to internal address
192.168.2.1. The DNS server responds that red.com has IP address
192.168.2.10. The rule includes Enable DNS Rewrite - reverse, and
the DNS response of 192.168.2.10 matches the destination Translated
Address of 192.168.2.0/24 in the rule, so the firewall rewrites
the DNS response using the reverse of the rule's translation.
The rule translates 1.1.2.0/24 to 192.168.2.0/24, so the firewall
rewrites the DNS response of 192.168.2.10 to 1.1.2.10. The DNS client
receives the response and sends its traffic to 1.1.2.10, which the
rule translates to 192.168.2.10 to reach server red.com.
Use case 1 summary: DNS client and destination server are on
opposite sides of the firewall. The DNS server returns an address
that matches the translated destination address in the NAT rule,
so the firewall translates the DNS response using the reverse of
the NAT rule's translation.
Use case 2 illustrates the DNS client on the internal side of
the firewall, while the DNS server and the ultimate destination
server are both on the public side. This case also requires DNS rewrite
in the reverse direction. The DNS client queries for the IP address
of red.com. Based on the NAT rule, the firewall translates the query
(originally addressed to internal address 192.168.2.1) to the public
address 1.1.2.1. The DNS server responds that red.com has IP address
1.1.2.10. The rule includes Enable DNS Rewrite - reverse, and
the DNS response of 1.1.2.10 matches the destination Translated
Address of 1.1.2.0/24 in the rule, so the firewall rewrites the
DNS response using the reverse of the rule's translation.
The rule translates 192.168.2.0/24 to 1.1.2.0/24, so the firewall
rewrites the DNS response of 1.1.2.10 to 192.168.2.10.
The DNS client receives the response and sends its traffic to 192.168.2.10,
which the rule translates to 1.1.2.10 to reach server red.com.
Use case 2 summary is the same as the Use case 1 summary: DNS client
and destination server are on opposite sides of the firewall. The
DNS server returns an address that matches the translated destination
address in the NAT rule, so the firewall translates the DNS response
using the reverse of the NAT rule's translation.
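The mechanism shared by both use cases, shown as an added example that is not PAN-OS code: a static destination NAT rule between two equal-size subnets, the packet-path translation of the query, and a minimal RFC 1035 parser that rewrites only the IN A answers that fall inside the rule's Translated Address range. The DestNatRule class, the helper names, the red.com query and the DNS message bytes are constructed for this example and are not PAN-OS configuration objects or captured traffic. The example also covers the forward direction, which the page only refers to, so the two directions can be compared.

```python
import ipaddress
import struct


class DestNatRule:
    """Static destination NAT between equal-size subnets (hypothetical model, not a PAN-OS object).

    dns_rewrite is None, "forward" or "reverse". Reverse (this page's case) rewrites A records
    inside the translated range back into the original range; forward does the opposite.
    """

    def __init__(self, original_dst, translated_dst, dns_rewrite=None):
        self.original = ipaddress.ip_network(original_dst)
        self.translated = ipaddress.ip_network(translated_dst)
        if self.original.prefixlen != self.translated.prefixlen:
            raise ValueError("static NAT needs equal-size subnets")
        self.dns_rewrite = dns_rewrite

    @staticmethod
    def _map(ip, src_net, dst_net):
        # Keep the host offset, swap the network part.
        offset = int(ip) - int(src_net.network_address)
        return ipaddress.ip_address(int(dst_net.network_address) + offset)

    def translate_dest(self, ip):
        """Packet path: a destination in the original range becomes the translated address."""
        ip = ipaddress.ip_address(ip)
        return self._map(ip, self.original, self.translated) if ip in self.original else ip

    def rewrite_answer(self, ip):
        """DNS payload path: rewrite one A record according to the rule's DNS rewrite direction."""
        ip = ipaddress.ip_address(ip)
        if self.dns_rewrite == "reverse" and ip in self.translated:
            return self._map(ip, self.translated, self.original)
        if self.dns_rewrite == "forward" and ip in self.original:
            return self._map(ip, self.original, self.translated)
        return ip  # outside the matching range: left untouched


def _skip_name(msg, pos):
    """Advance past a DNS name made of labels or ended by a compression pointer (RFC 1035 4.1.4)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return pos + 2
        pos += 1 + length


def _answer_records(msg):
    """Yield (rdata_offset, rtype, rclass, rdlength) for each record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        yield pos, rtype, rclass, rdlen
        pos += rdlen


def rewrite_dns_response(rule, msg):
    """Return a copy of the response with every IN A answer passed through rule.rewrite_answer."""
    out = bytearray(msg)
    for pos, rtype, rclass, rdlen in _answer_records(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out[pos:pos + 4] = rule.rewrite_answer(ipaddress.IPv4Address(bytes(msg[pos:pos + 4]))).packed
    return bytes(out)


def answer_ips(msg):
    """List the IN A answers of a response as dotted strings."""
    return [str(ipaddress.IPv4Address(bytes(msg[pos:pos + 4])))
            for pos, rtype, rclass, rdlen in _answer_records(msg) if rtype == 1 and rclass == 1 and rdlen == 4]


def build_a_response(qname, ips, txid=0x1234, ttl=300):
    """Construct a minimal DNS response (one question, one A answer per ip). Test data, not a capture."""
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR, RD, RA set; NOERROR
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
                       for ip in ips)
    return header + name + struct.pack("!HH", 1, 1) + answers


def use_case_1():
    """Public client, internal DNS server and red.com; returns (query dest, rewritten answer, final dest)."""
    rule = DestNatRule("1.1.2.0/24", "192.168.2.0/24", dns_rewrite="reverse")
    query_dest = rule.translate_dest("1.1.2.1")                   # query reaches 192.168.2.1
    answer = answer_ips(rewrite_dns_response(rule, build_a_response("red.com", ["192.168.2.10"])))[0]
    return str(query_dest), answer, str(rule.translate_dest(answer))  # client sends to 1.1.2.10 -> 192.168.2.10


def use_case_2():
    """Internal client, public DNS server and red.com; same logic with the ranges swapped."""
    rule = DestNatRule("192.168.2.0/24", "1.1.2.0/24", dns_rewrite="reverse")
    query_dest = rule.translate_dest("192.168.2.1")               # query reaches 1.1.2.1
    answer = answer_ips(rewrite_dns_response(rule, build_a_response("red.com", ["1.1.2.10"])))[0]
    return str(query_dest), answer, str(rule.translate_dest(answer))  # client sends to 192.168.2.10 -> 1.1.2.10


if __name__ == "__main__":
    print("use case 1:", use_case_1())  # ('192.168.2.1', '1.1.2.10', '192.168.2.10')
    print("use case 2:", use_case_2())  # ('1.1.2.1', '192.168.2.10', '1.1.2.10')
```

The check worth keeping in mind when reading the use cases: the rewrite is keyed on the answer address, not on the query. An A record that falls outside the rule's Translated Address range passes through unchanged, so a resolver that returns addresses from several ranges will have only the matching ones rewritten.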