Screen OS

  • 1.  DNS Doctoring on SSG5

    Posted 12-28-2009 05:35

    Hi,

     

    Is there a way on the SSG firewall to rewrite the incoming DNS packet to the internal IP of the web server in the DMZ?

    The inside users are using an external DNS server, so the answer shows the external IP address of the web server.

    The connection would then go from inside ---> outside ---> DMZ, and that doesn't work, of course.

    Changing the hosts file of all users or installing our own DNS server is not an option...

    Cisco does it by DNS doctoring or destination NAT.

    Any ideas?

     

    Thanks



  • 2.  RE: DNS Doctoring on SSG5
    Best Answer

    Posted 12-30-2009 21:13

    Here's how to do this:

    DNS hostname: www.company.com -> 2.2.2.2

    NAT: 2.2.2.2 -> 192.168.1.2 (DMZ)

    Clients: 192.168.2.0/24 (TRUST)

    1) Set up your NAT as you usually do

    2) Set up a rule from UNTRUST -> DMZ to access www.company.com from the outside

    3) Set up a rule from TRUST -> UNTRUST, where the UNTRUST object is the MIP object

    I haven't done this in a while, but I think the above is all you need and it SHOULD work.  I know it's possible as I've done it in the past.  The main thing is that you need a rule from TRUST->UNTRUST where the destination is the actual MIP address.  If you have a TRUST->UNTRUST with any->any permit, it will not work.  I think that was the trick.

    Give it a shot and let me know if it works.  I don't have my SSG up to test this.
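    The three steps above, written out as ScreenOS CLI. This is an added example, not the answer poster's own configuration. It uses the addresses from the answer (MIP 2.2.2.2 -> 192.168.1.2, clients 192.168.2.0/24); the interface names (ethernet0/0 as Untrust, ethernet0/1 as DMZ, both in trust-vr), the policy IDs, the address object names and the HTTP service are assumptions, and the lines beginning with # are annotations rather than CLI. Note that nothing here rewrites the DNS answer: clients keep resolving www.company.com to 2.2.2.2, and the firewall translates that public address to the DMZ host when the traffic arrives from Trust, which is why the Trust->Untrust policy must name the MIP object as its destination.

```text
# ---- Assumed topology (not from the post): ethernet0/0 = Untrust, ethernet0/1 = DMZ,
# ---- trust zone = 192.168.2.0/24, all interfaces in trust-vr.

# 1) NAT: MIP on the Untrust interface, 2.2.2.2 <-> 192.168.1.2 (DMZ web server)
set interface ethernet0/0 mip 2.2.2.2 host 192.168.1.2 netmask 255.255.255.255 vr trust-vr

# 2) Outside users reach www.company.com through the MIP (assumed policy id 10)
set policy id 10 name "inet-to-www" from untrust to dmz any MIP(2.2.2.2) HTTP permit

# 3) Inside users reach the SAME public address through the MIP (assumed policy id 11).
#    The destination is the MIP object, not "any".
set address trust "lan-clients" 192.168.2.0 255.255.255.0
set policy id 11 name "lan-to-www-via-mip" from trust to untrust "lan-clients" MIP(2.2.2.2) HTTP permit

# Policies are evaluated top-down, first match wins. Keep policy 11 above any broad
# Trust->Untrust permit (the any->any case the answer warns about); "1" below stands
# for the id of that broad policy and is an assumption.
set policy move 11 before 1

# Checks
get interface ethernet0/0 mip      # the MIP should be listed on the Untrust interface
get policy                         # policy 11 should appear above the broad permit
get session                        # after an inside client opens www.company.com, a session
                                   # from 192.168.2.x to 2.2.2.2 should be present
```

    If the inside client's session never appears, the usual cause is a broader Trust->Untrust policy matching first; `get policy` shows the order, and `set policy move` fixes it.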



  • 3.  RE: DNS Doctoring on SSG5

    Posted 01-07-2010 01:12

    THANKS!!!

    That did the trick!



  • 4.  RE: DNS Doctoring on SSG5

    Posted 02-05-2013 01:23

    Can you explain this as an option, how you did this? I tried it and it's not working.