Configure DNS rewrite
DNS rewrite is a feature that alters the IP address returned for a particular domain name or URL, instead of handing the client the default resolved DNS record; in effect it "spoofs" clients into connecting to a different IP for that domain name or URL.
It is typically required in the following scenario:
- a private host (e.g. a DMZ server) is translated to a public IP and is reachable from the public Internet (e.g. a web server, email server, CCTV, etc.)
- external users reach the DMZ server via its public IP using a domain name (e.g. abc.test.com). Name resolution is done by an external DNS server, which resolves the domain name to the public IP according to its A-record settings. So ultimately, external users reach the DMZ server via the public IP address.
- internal users also need to reach the same DMZ server using the same domain name (e.g. abc.test.com), but must do so via its private IP address. However, there is no internal DNS server that resolves that domain name to the server's actual private IP. So by default an internal client's PC resolves the same domain to the DMZ server's public IP and tries to connect to the server through the public IP instead of the private one. This is the problem, and it is what DNS rewrite is for: DNS rewrite lets mbox rewrite the DNS A-record for specific hosts, in particular when internal clients are trying to reach private servers by a public domain name.
- DNS rewrite can also be used for DNS-based web filtering. For example, to block users from reaching certain sites, we can alter the URL-to-IP mapping to point at a different server/IP that shows a blocking message, so that users cannot reach the intended website/URL (and are therefore blocked).
Below is how mbox DNS rewrite works:
- when external users reach the DMZ server via its domain name, their public DNS server resolves the domain name to the public IP. mbox then performs Destination NAT to translate the public IP to the server's private IP address.
- when internal users access the DMZ server and the external Internet, it works as follows:
  - all DNS resolution requests from internal clients are intercepted and redirected to mbox, which now acts as the internal DNS server. The "redirection" can be done through the mbox "firewall-dnat redirect" option, or simply by configuring the mbox LAN IP as the DNS server for internal clients (in the DHCP pool configuration option).
  - if there is a match in the "ip host <domain-name> <private-ip> rewrite" config, mbox returns the statically configured <private-ip> for the requested <domain-name>.
  - if there is no match, mbox uses its upstream nameserver to resolve the domain name, so it is important to configure mbox's own upstream name-server with "ip name-server <server1> <server2>".
In this example:
- all users from the LAN must reach server abc.test.com via 10.1.1.2
- all users from the Internet will reach server abc.test.com via 18.104.22.168
- all other DNS resolution requests from LAN users will be forwarded to the upstream DNS servers (22.214.171.124, 126.96.36.199)
interface eth 0
description "connection to Internet"
ip address 188.8.131.52/28
ip address 184.108.40.206/28 remarks "public IP for DMZ server"
interface eth 1
description "connection to LAN"
ip address 172.16.1.1/16
interface eth 2
description "connection to DMZ"
ip address 10.1.1.1/24
!static DNS rewrite to resolve DMZ server to private IP for internal clients
ip host test.com 10.1.1.2 rewrite <-- rewrite to the DMZ private IP (for internal users)
ip host playboy.com 127.0.0.1 rewrite <-- domain blocking
!upstream DNS server for all other name resolution requests
ip name-server 220.127.116.11 18.104.22.168
ip route 0.0.0.0/0 nexthop 22.214.171.124
ip dhcp-server 172.16.1.0 255.255.255.0
dns 172.16.1.1 <-- users' name-server must be mbox LAN IP
range 172.16.1.5 172.16.1.254
firewall-input 13 permit all udp src 172.16.1.0/24 dport 53 remark "permit DNS request from internal users"
!DNAT for external clients to access DMZ server (normal static NAT)
firewall-dnat 11 translate ip dst 126.96.36.199 xdst 10.1.1.2
firewall-access 10 permit outbound eth0 remark "permit outbound Internet access"
firewall-access 20 permit all tcp dst 10.1.1.2 dport 80 remark "permit access to DMZ web server"
firewall-snat 1 overload outbound eth0 remark "PAT for Internal users to go out"
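The rewrite only does its job if the DHCP-assigned resolver is mbox itself, an upstream name-server exists for non-rewritten names, and the private IP in each rewrite is the same server the firewall-dnat rule exposes externally. The following Python lint checks those three agreements over the configuration above; it is an added example, not part of mbox or this page, and the line patterns it parses are assumptions based only on the command syntax shown here.

```python
import re
from ipaddress import ip_address

# Constructed sample: the page's mbox configuration, reduced to the lines this check reads.
PAGE_CONFIG = """
interface eth 1
ip address 172.16.1.1/16
interface eth 2
ip address 10.1.1.1/24
ip host test.com 10.1.1.2 rewrite
ip host playboy.com 127.0.0.1 rewrite
ip name-server 220.127.116.11 18.104.22.168
ip dhcp-server 172.16.1.0 255.255.255.0
dns 172.16.1.1
firewall-dnat 11 translate ip dst 126.96.36.199 xdst 10.1.1.2
"""

def lint_split_dns(cfg):
    """Return a list of problems; an empty list means the split-DNS pieces agree."""
    own_ips, rewrites, upstream, dhcp_dns, dnat_xdst = set(), {}, [], set(), set()
    for raw in cfg.splitlines():
        line = raw.strip()
        # Regexes are assumptions about mbox syntax, derived from the lines on this page.
        if m := re.match(r"ip address (\S+)/\d+", line):
            own_ips.add(m.group(1))
        elif m := re.match(r"ip host (\S+) (\S+) rewrite", line):
            rewrites[m.group(1)] = m.group(2)
        elif m := re.match(r"ip name-server (.+)", line):
            upstream += m.group(1).split()
        elif m := re.match(r"dns (\S+)$", line):
            dhcp_dns.add(m.group(1))
        elif m := re.search(r"firewall-dnat .* xdst (\S+)", line):
            dnat_xdst.add(m.group(1))
    problems = []
    # Internal clients must send their queries to mbox, or no rewrite is ever applied.
    if not dhcp_dns:
        problems.append("DHCP pool has no dns option; clients will not query mbox")
    for ip in dhcp_dns:
        if ip not in own_ips:
            problems.append(f"DHCP dns option {ip} is not an mbox interface address")
    # Names without a rewrite fall through to the upstream resolvers.
    if not upstream:
        problems.append("no 'ip name-server' configured; non-rewritten names cannot resolve")
    for name, ip in rewrites.items():
        if not ip_address(ip).is_private:
            problems.append(f"rewrite for {name} points at non-private address {ip}")
        # A rewrite to a DMZ host should name the same server the DNAT rule exposes.
        elif not ip_address(ip).is_loopback and ip not in dnat_xdst:
            problems.append(f"rewrite for {name} -> {ip} has no matching firewall-dnat xdst")
    return problems
```

Loopback rewrites (the domain-blocking case) are accepted without a DNAT match, since they are never meant to reach a DMZ host.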