Use the DNS plugin module to replace the result of a DNS query, according to a predefined IP address translation table. A common use case is for users accessing resources that resolve to the public IP address of the firewall. Since the users are behind a NAT, they would not be able to access the resource using this address. The DNS plugin replaces the public IP address in the DNS response with the appropriate internal IP address that can be reached by the client.
Step 1. Create a New NAT Table
Create a NAT table listing the public IP addresses and the internal IP addresses that the DNS responses are translated to.
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
- In the left menu, click on Connections.
- Click Lock.
- Create a NAT table mapping the external IP addresses to the internal IP addresses. For more information, see How to Create NAT Tables (Translation Maps).
- Click Send Changes and Activate.
Step 2. Create or Edit a Service Object
Create or edit a service object matching the DNS query of the client, and modify it to use the NAT table.
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
- Click Lock.
- In the left menu, click on Services.
- Edit or create a new service object for DNS queries.
- Double-click on the UDP port 53 entry. The Service Entry Parameters window opens.
- From the Available Plugins list, select dns natname=Translation Map.
- Add the name of the NAT table to the Plugin string in the following format: dns natname=YOUR NAT TABLE NAME. For example: dns natname=DNS-Translation
- Click OK.
- Double-click on the TCP port 53 entry. The Service Entry Parameters window opens.
- From the Available Plugins list, select dns natname=Translation Map.
- Add the name of the NAT table to the Plugin string in the following format: dns natname=YOUR NAT TABLE NAME. For example: dns natname=DNS-Translation
- Click OK.
- Click OK.
- Click Send Changes and Activate.
Step 3. Create an Access Rule to Intercept Client DNS Queries
Create an access rule that matches DNS queries of the client using the modified service object.
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
- Click Lock.
- Create an access rule:
  - Action – Select PASS.
  - Source – Select Trusted LAN.
  - Service – Select the modified DNS service object created in Step 2.
  - Destination – Select Internet or enter the IP addresses of your DNS servers.
  - Connection Method – Select Dynamic NAT.
- Click OK.
- Drag and drop the access rule so that no access rule above it matches DNS client traffic.
- Click Send Changes and Activate.
DNS responses containing an Original IP address listed in the NAT table now have that address replaced by the corresponding Translated IP address.
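To make the mechanism concrete, the following Python script (an added example, not Barracuda's plugin code) models what the DNS plugin does to a response that matches the access rule: it walks the answer section and replaces the RDATA of every A record whose address appears in the translation table, leaving all other bytes of the message unchanged. The table entries and the sample message are constructed with RFC 5737 documentation addresses and are assumptions; the real plugin takes the mapping from the NAT table created in Step 1.

```python
"""Model of the DNS translation step: rewrite the A records of a DNS response
according to an Original IP -> Translated IP table, leaving every other byte
of the message intact."""
import ipaddress
import struct

TYPE_A = 1  # resource record type for IPv4 addresses

# Constructed translation map using RFC 5737 documentation addresses (assumption,
# standing in for the firewall's NAT table).
TRANSLATION_MAP = {
    "203.0.113.10": "192.0.2.10",   # public address of the firewall -> internal server
}


def _skip_name(msg, off):
    """Return the offset just past the DNS name starting at `off`.
    Handles label sequences and 2-byte compression pointers (RFC 1035 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:              # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:    # compression pointer: 2 bytes, name ends here
            return off + 2
        off += 1 + length            # ordinary label: length byte plus label bytes


def _a_records(msg):
    """Yield (rdata_offset, dotted_address) for every A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                     # fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4           # QNAME, then QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)               # NAME
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10                                # TYPE, CLASS, TTL, RDLENGTH
        if rtype == TYPE_A and rdlen == 4:
            yield off, str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
        off += rdlen


def translate_response(msg, table):
    """Return a copy of the DNS response `msg` in which every A record whose address
    is a key of `table` carries the translated address instead. Other record types
    and addresses not in the table are untouched, so message length, transaction ID
    and flags are preserved."""
    out = bytearray(msg)
    for off, addr in _a_records(msg):
        if addr in table:
            out[off:off + 4] = ipaddress.IPv4Address(table[addr]).packed
    return bytes(out)


def answered_addresses(msg):
    """Return the A-record addresses in a response, in answer order."""
    return [addr for _off, addr in _a_records(msg)]


def _encode_name(name):
    """Encode a dotted name as DNS labels terminated by the root label."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_response(qname, addrs, txid=0x1234):
    """Construct a minimal standard response with one question and one A record per
    address; each answer name is a compression pointer to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR=1, RD=1, RA=1
    question = _encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answers = b"".join(
        b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + ipaddress.IPv4Address(a).packed
        for a in addrs
    )
    return header + question + answers


if __name__ == "__main__":
    # Constructed response: one address in the table, one that is not.
    original = build_response("www.example.com", ["203.0.113.10", "198.51.100.7"])
    rewritten = translate_response(original, TRANSLATION_MAP)
    print("before:", answered_addresses(original))
    print("after: ", answered_addresses(rewritten))
```

Two practical points follow from the model. The rewrite applies only where an answer's address matches an Original IP entry exactly, so the NAT table has to cover every public address the resolver may return for the affected names. Because the bytes are altered after the authoritative server produced them, a client that validates DNSSEC itself will reject a rewritten A record as a signature mismatch; validation then has to happen upstream of the rewrite. The model parses the UDP wire format; a message on the TCP port 53 service entry carries a two-byte length prefix that must be skipped before the header.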