The PIX Security Appliance knows that a Domain Name System (DNS) exchange over UDP is a
one request, one answer conversation, so the connection slot is released
immediately after the DNS answer is received, rather than being held until the UDP
idle timeout expires. When the DNS A record is returned, the PIX applies address
translation not only to the destination address in the IP header, but also to the
IP address of the web server embedded in the user data portion of the DNS reply
packet. As a result, a web client on the inside network receives the real inside
address of a web server that is also on the inside network, instead of the mapped
global address that the outside DNS server holds, and can connect to the server
directly. Prior to PIX Security Appliance Software Version 6.2, the PIX translated
the embedded IP address with the help of the alias command. In PIX Security
Appliance Software Version 6.2 or later, the PIX has full support for NAT of
embedded IP addresses within a DNS response packet.
DNS Record Translation
The PIX Security Appliance features full
support for NAT of DNS messages originating from either inside or outside
interfaces. This means that if a client on an inside network requests DNS
resolution of an inside address from a DNS server on an outside interface, the
DNS A record is translated correctly. It is no longer necessary to use the
alias command to perform DNS doctoring.
In Figure , the client on the inside network wants to reach the web server
10.0.0.10, also on the inside network, by its hostname cisco.com, so before it can
issue the HTTP request it sends a DNS query for cisco.com. The PIX Security Appliance
translates the non-routable source address of the web client in the IP header and
forwards the query to the DNS server on its outside interface. The DNS server answers
with the A record it holds for cisco.com, which carries the mapped global address of
the web server, not 10.0.0.10. When the DNS A record is returned, the PIX applies
address translation not only to the destination address, but also to the embedded IP
address of the web server, which is contained in the user data portion of the DNS
reply packet. As a result, the web client on the inside network receives 10.0.0.10,
the address it needs to connect to the web server on the inside network. NAT of DNS
messages is enabled with the dns keyword of both the nat and static commands.
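The following Python script is an added example and is not code from this page or from Cisco. It mimics, at the packet level, the rewrite the PIX performs on the user data of a DNS reply for the scenario above: the inside address 10.0.0.10 and the hostname cisco.com come from the text, while the mapped global address 192.168.0.10, the function names and the translation table are assumptions chosen to match a PIX 6.2 or later configuration line of the form static (inside,outside) 192.168.0.10 10.0.0.10 netmask 255.255.255.255 dns. The DNS reply it parses is constructed inline as sample data, so the script runs offline.

```python
import struct
import ipaddress

# Constructed translation table for this example. It corresponds to a PIX 6.2+
# static with the dns keyword (the global address 192.168.0.10 is an assumption):
#   static (inside,outside) 192.168.0.10 10.0.0.10 netmask 255.255.255.255 dns
# Keys are the mapped (global) addresses an outside DNS server hands out,
# values are the real inside addresses the inside client must actually use.
STATIC_DNS_XLATE = {"192.168.0.10": "10.0.0.10"}


def _skip_name(msg, off):
    """Return the offset just past the DNS name that starts at off.

    Handles both plain label sequences and a 2-byte compression pointer (0xC0xx).
    """
    while True:
        length = msg[off]
        if length == 0:            # root label: end of name
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: always 2 bytes
            return off + 2
        off += 1 + length


def rewrite_dns_reply(msg, xlate):
    """Rewrite A-record RDATA in a raw DNS reply according to xlate.

    Returns (new_message, [(old_address, new_address), ...]). Only the user
    data is touched; a real firewall must also fix the UDP checksum and apply
    the IP-header translation on the same packet.
    """
    out = bytearray(msg)
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):                # question section: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    changes = []
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            old = str(ipaddress.IPv4Address(msg[off:off + 4]))
            new = xlate.get(old)
            if new is not None:
                out[off:off + 4] = ipaddress.IPv4Address(new).packed
                changes.append((old, new))
        off += rdlen
    return bytes(out), changes


def build_dns_reply(qname, addresses, txid=0x1234):
    """Construct a minimal DNS reply (sample data) with one A record per address."""
    def encode_name(name):
        labels = name.strip(".").split(".")
        return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    answers = b""
    for addr in addresses:
        answers += (b"\xc0\x0c"                                     # pointer to QNAME
                    + struct.pack("!HHIH", 1, 1, 300, 4)
                    + ipaddress.IPv4Address(addr).packed)
    return header + question + answers


def demo():
    """The outside DNS server answers cisco.com with the global address; the
    PIX-style rewrite hands the inside client the real inside address instead."""
    reply = build_dns_reply("cisco.com", ["192.168.0.10"])
    rewritten, changes = rewrite_dns_reply(reply, STATIC_DNS_XLATE)
    return changes


if __name__ == "__main__":
    print(demo())   # [('192.168.0.10', '10.0.0.10')]
```

The same function covers a reply travelling the other way (an outside client asking an inside DNS server, which returns the real address 10.0.0.10): pass the inverted table, {"10.0.0.10": "192.168.0.10"}, and the A record is rewritten to the global address, which is what the static with the dns keyword does for replies leaving the inside interface.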