How to enable DNS Doctoring?

Description

DNS Doctoring allows the firewall to rewrite the IP addresses embedded in Domain Name System (DNS) responses (the A records) so that clients connect to the address of a server that is reachable from their side of the firewall, rather than to an address that would have to be routed back out through the public interface.

DNS Doctoring performs two functions:

  • Translates a public address in a DNS reply to the matching private address when the DNS client is on a private (internal) interface.
  • Translates a private address in a DNS reply to the matching public address when the DNS client is on the public interface.

In this KB article we translate a public address to a private address, using the host name www.yahoo.com as the example.

From your PC client, run nslookup to record the current DNS resolution before enabling the feature. The public address returned here is the address the Public_Server_IP address object will hold:

cmd > nslookup www.yahoo.com

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that differ from SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.

  1. Create the necessary Address Objects:
    Public_Server_IP: The public IP of the resource (e.g., web server, email server). In this example it is the address that www.yahoo.com currently resolves to.
    Private_Server_IP: The private IP of the internal resource.
    Navigate to Object | Match Objects | Addresses
  2. Create the NAT policy rule that pairs Public_Server_IP with Private_Server_IP. DNS Doctoring uses this pairing to know which address in a DNS reply to rewrite and what to rewrite it to.
    Navigate to Policy | Rules and Policies | NAT Policies
  3. Check the Enable DNS Doctoring option on that NAT policy
    Navigate to Policy | Rules and Policies | NAT Policies | Advanced/Actions

How to test it?

From your Windows PC client, flush the local DNS cache, wait a few seconds, and then run the same nslookup for www.yahoo.com again. You should now see the internal private IP (Private_Server_IP) returned instead of the public address recorded earlier.

cmd > ipconfig /flushdns

If the answer is unchanged, confirm that the client's DNS queries actually traverse the firewall: a reply served by a resolver inside the LAN, or from a cached entry that was not flushed, is never seen by the firewall and so is never rewritten. For the same reason, DNS carried over an encrypted transport (DNS over HTTPS or DNS over TLS) cannot be doctored.

How It Works:
When an internal client queries an external DNS server for the public IP of an internal resource (e.g., a web server), the DNS response carrying that public IP passes through the SonicWall firewall. With DNS Doctoring enabled on the matching NAT policy, the firewall replaces the public IP in the A record of the response with the private IP of the internal server. The client then connects to the private IP directly, so its traffic is not hairpinned through the public interface, and internal users resolve the resource to its correct private address without any change to their DNS settings.
