
DNS ALG

Understanding DNS

Domain Name System (DNS) is an application-layer protocol used to map between host domain names and network IP addresses.

DNS uses a client/server (C/S) model. The following example uses a DNS query over UDP to describe the exchange between the DNS client and the DNS server.
Figure 1 DNS packet exchange
  1. The client sends a query for the domain name www.huawei.com to the DNS server.
  2. The DNS server places the IP address corresponding to the domain name in the application-layer payload of the DNS reply packet and sends the packet to the client.
  3. The client initiates access to the received IP address.

Understanding DNS ALG

As shown in Figure 2, a firewall (FW) is deployed at the border of an enterprise network as the security gateway. To enable the private DNS server and web server to provide services for external systems, you need to configure NAT Server on the FW to map the public address of each server to its corresponding private address. In addition to the public IP addresses of the interfaces on the egress gateway, the enterprise obtains two IP addresses (1.1.1.10 and 1.1.1.11) from the ISP so that the intranet DNS server and web server can provide services for external systems. The DNS server holds the mapping between the web server's domain name and its private IP address.
Figure 2 DNS ALG
  1. The client sends a domain name resolution request to the DNS server to request the IP address corresponding to the domain name of the web server.
  2. The DNS server returns the private address of the web server to the client.
  3. The client directly initiates access to the private address of the web server. The access fails, because the private address is not reachable from outside the enterprise network.
The ALG function can solve the access failure in the NAT scenario. After ALG is enabled, the packet exchange process is as follows:
  1. The client sends a domain name resolution request to the DNS server to request the IP address corresponding to the domain name of the web server.
  2. The DNS server returns the private address of the web server to the client.
  3. The FW uses the ALG function to translate the private address carried in the application-layer of the DNS reply packet to the corresponding public address.
  4. The client initiates access to the public address of the web server. The FW uses NAT Server to translate the public address to the corresponding private address. The access succeeds.
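The ALG step above (step 3) rewrites the A-record address inside the DNS reply according to the NAT Server mapping. The following Python script is an added example, not code from the page or from the FW product, that does the same rewrite on a constructed DNS reply: it walks the question and answer sections, and replaces any IN A RDATA that matches a private address in the mapping with its public address. The web server's private address 192.168.1.11 is an assumption; 1.1.1.11 is the public address the page assigns to the web server.

```python
import struct

# Constructed NAT Server mapping (private -> public); the private address is an assumption
NAT_SERVER_MAP = {"192.168.1.11": "1.1.1.11"}

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length

def _a_rdata_offsets(msg):
    """Yield the offset of the 4-byte RDATA of each IN A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                              # fixed 12-byte DNS header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen

def a_records(msg):
    """List the IPv4 addresses carried in the answer section."""
    return [".".join(str(b) for b in msg[o:o + 4]) for o in _a_rdata_offsets(msg)]

def dns_alg_translate(reply, mapping=NAT_SERVER_MAP):
    """Rewrite private A-record addresses to their NAT Server public addresses."""
    msg = bytearray(reply)
    for off in _a_rdata_offsets(msg):
        public_ip = mapping.get(".".join(str(b) for b in msg[off:off + 4]))
        if public_ip:                     # addresses without a mapping are left as-is
            msg[off:off + 4] = bytes(int(x) for x in public_ip.split("."))
    return bytes(msg)

def build_reply(name, ip):
    """Build a constructed DNS reply: one question and one A answer (compressed name)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return header + labels + struct.pack("!HH", 1, 1) + answer
```

The rewrite keeps the message length unchanged, so only the UDP checksum of the carrying datagram would need recomputation on a real gateway.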

The DNS ALG function modifies the address information carried in the application-layer payload of DNS reply packets. In non-NAT scenarios this information does not need to be modified, so the DNS ALG function does not need to be enabled.

Copyright © Huawei Technologies Co., Ltd.