I got this example from Cisco so it may be familiar to you if you have come across it.
Topology (this is gonna be screwed up until I learn how to fix it; the DMZ is actually off of the FW):
Inside: 192.168.0.0/24
Outside: 172.20.1.0/24
DMZ: 10.10.10.0/24
R2 "Web Server" outside address: 172.20.1.10
R2 "Web Server" inside address: 10.10.10.10
R1-----inside-----FW-----outside-----R3 "dns server"
                   |
                   |
                  dmz
                   |
                   |
             R2 "web server"
DNS rewrite performs two functions:
Translates a public (mapped) address in a DNS reply to the private (real) address when the DNS client is on a private interface
Translates a private (real) address in a DNS reply to the public (mapped) address when the DNS client is on the public interface
Configuration:
! Match DNS over TCP and UDP so it can be handed to the DNS inspection engine
access-list DNS extended permit tcp any any eq domain
access-list DNS extended permit udp any any eq domain
!
class-map DNS
match access-list DNS
!
! DNS inspection is required; the dns keyword on the static does nothing without it
policy-map global_policy
class DNS
inspect dns
!
service-policy global_policy global
!
! The dns keyword enables rewrite of A-records that match this static translation
static (dmz,outside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255 dns
! Dynamic PAT for inside hosts going to the outside
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
! Identity NAT so inside hosts reach the DMZ web server on its real address
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
Other notes:
DNS inspection must be enabled
Translation only applies to the A-record in the DNS reply.
DNS rewrite is not compatible with static Port Address Translation (PAT)
DNS inspection enforces a maximum domain-name length of 255 bytes and a maximum label length of 63 bytes.
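As an added illustration (not from the original post or from Cisco), here is a small Python model of what the dns keyword does to the A-record of a reply passing the firewall, using the static from the config above. The direction rule, the interface names and the DNS reply itself are my own simplification and constructed input, not ASA code.

```python
import socket
import struct

# The static from the page as (real_if, mapped_if, mapped_ip, real_ip); the dns keyword enables rewrite.
XLATES = [("dmz", "outside", "172.20.1.10", "10.10.10.10")]

def build_reply(name, ip, txid=0x1234):
    """Constructed minimal DNS reply: one question, one answer-section A record."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\0"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    # the answer name is a compression pointer (0xC00C) back to the question name
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def rewrite_a_records(reply, reply_in_if, client_if):
    """Rewrite answer-section A records of a DNS reply per the xlate table.
    reply_in_if: interface the reply arrived on (DNS server side); client_if:
    interface of the querying host.  Modelled rule (an assumption): mapped->real
    when the reply enters on the mapped interface bound for a client elsewhere;
    real->mapped when the client sits on the mapped interface."""
    msg = bytearray(reply)
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):                     # skip the question section
        off = _skip_name(msg, off) + 4      # name + QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:       # only A records are rewritten
            ip = socket.inet_ntoa(bytes(msg[off:off + 4]))
            for real_if, mapped_if, mapped_ip, real_ip in XLATES:
                if ip == mapped_ip and reply_in_if == mapped_if and client_if != mapped_if:
                    msg[off:off + 4] = socket.inet_aton(real_ip)
                elif ip == real_ip and reply_in_if != mapped_if and client_if == mapped_if:
                    msg[off:off + 4] = socket.inet_aton(mapped_ip)
        off += rdlen
    return bytes(msg)
```

With the page's topology, R1 on the inside asking R3 on the outside for the web server gets 10.10.10.10 back instead of 172.20.1.10, so it reaches R2 through the DMZ without hairpinning on the outside address.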
Wednesday, May 5, 2010