At work we have a Cisco PIX firewall for the office. It’s decent (if a bit eccentric; that is, hard to configure), but occasionally I go through a thought exercise to see how this firewall could be replaced with a Linux firewall. Most of the functionality is easy in Linux (NAT, ACLs, VPNs, etc.), but one thing I get hung up on is DNS fixup. Fixup is an inspection service much like nf_conntrack/nf_nat in Linux, and in DNS fixup’s case it can rewrite DNS responses depending on the NAT context. Here’s an explanation:

The players:

  • Mallory is the PIX firewall, with the network inside and the network outside. (Despite conventional naming examples, Mallory is not malicious here, but otherwise has the same attributes.)

  • Alice is the DNS server, inside, outside. Alice knows only about internal IPs in her DNS database.

  • Bob is some server, inside, outside. Bob is listed with Alice as,

  • Charlie is a client on the outside network.

  • Dave is a client on the inside network.

Now, say Charlie (outside) queries via Alice’s external IP. Alice will respond with Mallory intercepts the response, knows that Bob is on the inside and on the outside, so she rewrites the response as and gives it to Charlie.

It also works in the opposite direction. Say is a web server served by Bob, and DNS is hosted by an outside DNS provider which obviously returns for Now say Dave (inside) queries via Alice. Alice doesn’t know about, so she goes out to the Internet (through Mallory) to find it. The outside DNS responds with Again, Mallory knows about Bob’s mapping and will rewrite the response to to Alice, which then gives the final answer to Dave.

As far as I know, there is nothing in Linux to facilitate this. Yes, I know about split-horizon DNS, but it’s a pain to maintain multiple zone copies, and Alice’s DNS service would have to be moved to Mallory directly. The PIX does this all automatically for you (if you want; of course it can be disabled).

(Please, prove me wrong.)
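To make the fixup behaviour concrete, here is an added example (my own code, not the PIX’s nor anything from the original post) that does what Mallory does in both directions above: it walks a DNS response on the wire and rewrites any A record whose address appears in a static NAT table. The addresses for Bob are assumed values from the RFC 5737 documentation ranges, and build_response is a constructed test input, not captured traffic.

```python
import ipaddress
import struct

# Constructed static NAT entry for "Bob" (assumed RFC 5737 addresses): inside <-> outside.
INSIDE_TO_OUTSIDE = {"192.0.2.10": "203.0.113.10"}
OUTSIDE_TO_INSIDE = {v: k for k, v in INSIDE_TO_OUTSIDE.items()}

def _skip_name(msg, off):
    """Return the offset just past a DNS name, honouring RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + length

def _a_rdata_offsets(msg):
    """Yield the offset of the 4-byte rdata of each IN A record in all RR sections."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen

def doctor_dns(msg, mapping):
    """Rewrite A-record addresses found in `mapping`; returns (new_message, rewritten_count).
    Only rdata bytes change, so record lengths and compression pointers stay valid."""
    out = bytearray(msg)
    rewritten = 0
    for o in _a_rdata_offsets(msg):
        addr = str(ipaddress.IPv4Address(msg[o:o + 4]))
        if addr in mapping:
            out[o:o + 4] = ipaddress.IPv4Address(mapping[addr]).packed
            rewritten += 1
    return bytes(out), rewritten

def build_response(qname, addr, txid=0x1234):
    """Constructed test input: a minimal response with one A answer using a compressed name."""
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1; 1 question, 1 answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + labels + struct.pack("!HH", 1, 1) + answer
```

Charlie’s reply from Alice is run through INSIDE_TO_OUTSIDE and Dave’s reply from the outside provider through OUTSIDE_TO_INSIDE, which is exactly the direction-dependent rewrite the PIX performs. On Linux this logic would have to sit in the packet path (for example behind an NFQUEUE target) and recompute the UDP checksum after editing the payload, which is the part the kernel does not do for you.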