Cisco ASA DNS Rewrite Evolution (Pre-9.7 vs Post-9.7)
๐ Table of Contents
๐ Introduction
In enterprise network security, Cisco ASA firewalls play a crucial role in controlling traffic flow between internal and external networks. One of the more complex challenges is handling DNS resolution when NAT is involved.
This article explains how DNS rewrite behavior evolved from pre-9.7 ASA versions to modern ASA 9.7+ systems.
๐จ The Core Problem
Consider this scenario:
- Internal clients query a public DNS server
- A web server has a private IP internally
- It is NATed to a public IP for external access
Issue: Internal clients receive public IPs, forcing unnecessary routing through the firewall.
๐ฝ Expand: Why this is inefficient
Traffic may hairpin through NAT unnecessarily, increasing latency, firewall load, and routing complexity.
๐ฐ️ Pre-9.7 ASA Behavior
Older ASA versions used the static command with DNS keyword.
static (inside,outside) 203.0.113.10 192.168.1.10 dns
This enabled DNS rewrite functionality.
How it worked
- Intercept DNS responses
- Rewrite A-record IP addresses
- Return internal or external IP based on source interface
๐ฝ Expand: Bidirectional behavior
- Inside → Outside: private IP rewritten to public IP
- Outside → Inside: public IP rewritten to private IP
๐ DNS Rewrite Mechanism
The ASA acted like a smart DNS proxy:
- Inspected DNS packets
- Modified response payload
- Preserved query integrity
policy-map global_policy class inspection_default inspect dns
๐ ASA 9.7+ Improvements
Cisco redesigned NAT and integrated DNS handling directly into NAT rules.
Key improvement
- No need for static DNS rewrite dependency
- Cleaner NAT-based configuration
- Better scalability and predictability
⚙️ NAT Configuration Example
object network WEB-SERVER host 192.168.1.10 nat (inside,outside) static 203.0.113.10 dns
Explanation:
- 192.168.1.10 = internal server
- 203.0.113.10 = public NAT IP
dns= enables automatic DNS rewriting
๐ DNS Inspection Role
Even in ASA 9.7+, DNS inspection is still critical.
๐ฝ Expand: Why inspection is required
- Parses DNS payloads
- Enables A-record modification
- Prevents malformed DNS bypass
show service-policy | include dns
๐ Pre vs Post 9.7 Comparison
| Feature | Pre-9.7 ASA | Post-9.7 ASA |
|---|---|---|
| DNS Rewrite Method | Static command | NAT-based DNS option |
| Configuration Complexity | High | Low |
| Scalability | Limited | Improved |
| Inspection Dependency | Required | Still required |
๐ป CLI Simulation
Verify DNS inspection
show run policy-map global_policy
Debug DNS flow
debug dns detail
Expected Output
DNS Request received from 10.1.1.5 Rewriting A record: 203.0.113.10 → 192.168.1.10 Forwarding response to client
๐ Best Practices
- Always enable DNS inspection
- Use NAT-based DNS rewrite in ASA 9.7+
- Avoid legacy static DNS methods
- Monitor DNS logs regularly
- Test internal vs external resolution separately
๐ฏ Key Takeaways
- DNS rewrite solves internal/external IP mismatch
- Pre-9.7 uses static + DNS keyword
- Post-9.7 integrates DNS into NAT
- Inspection is still mandatory
- Modern ASA simplifies configuration significantly
