2 Replies Latest reply on Jul 9, 2015 2:15 AM by mikeynguyen

    How do I use DNS to redirect traffic from an access list rule?


      We have our own private network connecting to another company's private network which we need to forward traffic to. One of our current rules is forwarding our syslogs to our McAfee Firewall Enterprise, and that undergoes a source NAT and is redirected to the other company's syslog collector using IP addresses. For resilience, we want to replace the redirect IP address with a host.


      So in our development environment, we have configured the firewall in transparent mode and created a DNS server on Windows with A records and reverse lookup. We can verify that the DNS resolves the host using the CLI command "dig". But when we tested it, the host does not seem to resolve, as the audit shows that the destination is . The host definition only has the name of the server we want to connect to and nothing in the IP address box, because we want the firewall to find out where to send it.


      Any ideas on how to get something from the internal network sending stuff to the external network without knowing any information about the external network, and let the firewall do all the work?

        • 1. Re: How do I use DNS to redirect traffic from an access list rule?

          In Transparent DNS, each Zone on the firewall has its own DNS server specified. If a query comes in from the DMZ zone and it hits a rule that uses a Host or Domain object, the DNS server for the DMZ zone is queried. If that DNS server specified for the DMZ zone actually resides off a different zone (say, internal) you must then have a Rule to pass DNS traffic from the DMZ to the internal zone. By default, on all firewalls, there is a DNS rule which passes all DNS traffic from all zones to all zones to the DNS server you specified when you initially configured the firewall. If you change or add DNS servers to Zones you must then specify them in that rule as a Destination object. In regard to why this works using 'dig' and not via the Access Control Rules: it's because dig is most likely using a different DNS server than what you have specified in your DNS config. The firewall uses the DNS servers listed in /etc/resolv.conf.dflt (in that order) when you do queries on the CLI and does not require rules to do queries.


          Please read my answers in this Community thread about using DNS-objects in your policy.  The short answer is do not use DNS-objects in your policy unless you have absolute control over the DNS replies.  Your firewall is relying on unreliable-UDP for critical policy decisions.  If, in your example above, someone rebooted that DNS server or it crashed, your rules to this external site will not work until that server starts replying again.  Thus, your policy would work great if you used IP objects but now does not work because some other device is not working correctly.
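
The zone-based resolution path and the failure mode described in the reply above, modelled in Python as an added example. This is not McAfee Firewall Enterprise code: the zone names, the 10.0.0.53 server, the syslog.partner.example record and the `Policy`/`DnsServer` structures are constructed for illustration. It lints a policy for a zone whose DNS server lives off another zone without a matching DNS rule, and shows that a rule built on a Host object stops matching the moment the zone's DNS server stops answering.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class DnsServer:
    ip: str
    zone: str               # the zone the server actually resides in
    records: dict           # A records, name -> ip (constructed, operator-controlled)
    answering: bool = True  # False models a crashed or rebooting server


@dataclass
class Policy:
    zone_dns: dict        # zone name -> ip of the DNS server configured for that zone
    servers: dict         # ip -> DnsServer
    dns_rule_dests: set   # Destination objects (server ips) of the built-in DNS pass rule


def check_dns_reachability(policy: Policy) -> list:
    """Lint: a zone whose DNS server resides in a different zone needs that
    server as a Destination of the DNS rule, otherwise the firewall's own
    lookups for Host/Domain objects from that zone never leave the box."""
    problems = []
    for zone, ip in policy.zone_dns.items():
        srv = policy.servers[ip]
        if srv.zone != zone and ip not in policy.dns_rule_dests:
            problems.append(
                f"zone {zone}: DNS server {ip} resides in zone {srv.zone} "
                f"but is not a Destination of the DNS rule"
            )
    return problems


def resolve_for_zone(policy: Policy, zone: str, name: str):
    """Resolve a Host object the way the reply describes: with the DNS server
    configured for the *source zone*, not the CLI's /etc/resolv.conf.dflt.
    Returns (ip or None, reason)."""
    ip = policy.zone_dns[zone]
    srv = policy.servers[ip]
    if srv.zone != zone and ip not in policy.dns_rule_dests:
        return None, f"no rule passes DNS from {zone} to {srv.zone}"
    if not srv.answering:
        return None, f"DNS server {ip} did not answer (UDP query timed out)"
    target = srv.records.get(name)
    if target is None:
        return None, f"{name} has no A record on {ip}"
    return target, "ok"


def evaluate_rule(policy: Policy, src_zone: str, host_name: str, dst_ip: str):
    """Would a packet from src_zone to dst_ip match a rule whose destination is
    the Host object host_name?  Any resolution failure means the rule cannot
    match: the policy decision now depends on another device answering."""
    resolved, reason = resolve_for_zone(policy, src_zone, host_name)
    if resolved is None:
        return False, reason
    return resolved == dst_ip, reason


def make_policy(dns_rule_dests: set, answering: bool = True) -> Policy:
    """Constructed sample: one DNS server in 'internal' serving both zones."""
    server = DnsServer(
        ip="10.0.0.53", zone="internal",
        records={"syslog.partner.example": "192.0.2.10"},
        answering=answering,
    )
    return Policy(
        zone_dns={"internal": server.ip, "dmz": server.ip},
        servers={server.ip: server},
        dns_rule_dests=set(dns_rule_dests),
    )


if __name__ == "__main__":
    good = make_policy({"10.0.0.53"})
    broken = make_policy(set())            # DNS rule no longer lists the server
    down = make_policy({"10.0.0.53"}, answering=False)
    print("lint good  :", check_dns_reachability(good))
    print("lint broken:", check_dns_reachability(broken))
    for label, pol in ("good", good), ("broken", broken), ("dns down", down):
        print(label, "->", evaluate_rule(pol, "dmz", "syslog.partner.example", "192.0.2.10"))
```

The lint catches the configuration mistake the reply describes (a zone's DNS server moved off-zone without updating the DNS rule) before traffic is affected; the `down` case shows why the reply treats a name-based rule as a dependency on an unreliable UDP service rather than as part of the policy proper.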

          • 2. Re: How do I use DNS to redirect traffic from an access list rule?

            Hi sliedl,


            I have actually solved it. I only had one DNS server configured (both internal and external had the DNS configured as the external DNS server) so I couldn't be using another DNS server and the solution did not need a rule to pass DNS traffic to another zone. The configuration I had was correct but I was running version 8.3.2 and by upgrading to 8.3.2P06 it fixed the problem.


            I looked at adding "dns" on the host line in nsswitch.conf, which resulted in me being able to ping using the host name where before it was not resolving. With the host name being able to be resolved using ping and dig, I concluded that there must have been a bug in the access-list implementation of DNS queries, especially when a tcpdump on both internal and external interfaces did not display anything using port 53.


            As for the recommendation for not using DNS-objects, our customer has stated that using static IP addresses is less reliable as these target IP addresses are likely to go down for maintenance and any change to our system requires approval even if it was an IP address change which could take days to approve. Also, any downtime as a result of a failure to the external network is not our problem but our system will need to have some sort of attempt at resilience hence the change from static IP addresses to DNS-objects.


            Kind regards
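
The trade-off argued in the two replies above, as an added example (not firewall code, and not a description of how the product resolves Host objects): a name-only address object that keeps its last-known-good answers for a bounded time, so a DNS server reboot does not immediately break the rule, yet fails closed once the answer is too old to trust. `FakeResolver` is a constructed stand-in for the zone DNS server and `now` is passed in explicitly so the TTL logic runs offline; the example record and addresses are constructed.

```python
from dataclasses import dataclass, field


class ResolverDown(Exception):
    """The zone's DNS server did not answer (UDP timeout, crash, reboot)."""


@dataclass
class FakeResolver:
    """Constructed stand-in for the zone DNS server; `up` toggles an outage."""
    records: dict           # name -> list of A record ips
    ttl: int = 300          # seconds the answer is valid
    up: bool = True

    def query_a(self, name: str):
        if not self.up:
            raise ResolverDown(name)
        return list(self.records.get(name, [])), self.ttl


@dataclass
class DnsHostObject:
    """A Host object defined by name only, with a bounded last-known-good cache."""
    name: str
    resolver: FakeResolver
    max_stale: float = 3600.0   # seconds a stale answer may still be honoured
    _addrs: list = field(default_factory=list, init=False)
    _expires: float = field(default=0.0, init=False)
    _last_ok: float = field(default=0.0, init=False)

    def addresses(self, now: float):
        """Return (addresses, state); state is fresh, cached, stale or fail-closed."""
        if now < self._expires and self._addrs:
            return list(self._addrs), "cached"
        try:
            addrs, ttl = self.resolver.query_a(self.name)
        except ResolverDown:
            # Resolver outage: honour the previous answer only inside max_stale,
            # then fail closed so a long-dead record cannot steer traffic forever.
            if self._addrs and now - self._last_ok <= self.max_stale:
                return list(self._addrs), "stale"
            return [], "fail-closed"
        self._addrs, self._expires, self._last_ok = addrs, now + ttl, now
        return list(addrs), "fresh"

    def matches(self, dst_ip: str, now: float):
        """Would a packet to dst_ip match a rule whose destination is this object?"""
        addrs, state = self.addresses(now)
        return dst_ip in addrs, state


def demo_timeline():
    """Scripted outage: fresh answer, cache hit, resolver down, recovery with a new ip."""
    resolver = FakeResolver({"syslog.partner.example": ["192.0.2.10"]})
    obj = DnsHostObject("syslog.partner.example", resolver)
    states = [obj.matches("192.0.2.10", 0.0)[1], obj.matches("192.0.2.10", 100.0)[1]]
    resolver.up = False
    states += [obj.matches("192.0.2.10", 400.0)[1], obj.matches("192.0.2.10", 5000.0)[1]]
    resolver.up = True
    resolver.records["syslog.partner.example"] = ["192.0.2.11"]   # partner moved the collector
    states.append(obj.matches("192.0.2.11", 5001.0)[1])
    return states


if __name__ == "__main__":
    print(demo_timeline())
```

Within `max_stale` the rule keeps working through the kind of DNS outage the first reply warns about; past it the object behaves exactly as the first reply describes, the rule silently stops matching, which is the condition a monitor should alert on. The recovery step shows the property the second reply wants: the partner's address change is picked up on the next successful lookup without a policy edit.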