
DNS Doctoring on routers

DNS Doctoring is a feature where the router, ASA or PIX inspects a DNS reply that arrives on its outside interface from an external DNS server on the Internet and, if the A record in the answer carries a public IP for which the device holds a static NAT entry, rewrites that public IP to the matching private (inside local) IP before forwarding the reply to the inside host.

The internal host therefore receives the private IP of the server as the answer for the FQDN/website name, and the connection is made directly to that private IP instead of to the public one.

On routers this DNS payload translation is enabled by default for NAT entries, whereas on the ASA and PIX it has to be turned on explicitly (the "dns" keyword on the static command, as in the configuration example referenced below).

Note: the prerequisite is that the DNS server is on the Internet, so that the DNS reply enters through the "ip nat outside" interface. A reply from a DNS server on the inside never crosses the NAT boundary and is not touched.
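To make the rewrite concrete, here is an added example (written for this page; it is not Cisco code and not from the original post) that performs the same A-record substitution on a DNS reply in Python. The DNS message is constructed in the script, and the addresses are assumptions: 203.0.113.10 is the server's public (inside global) address, 192.168.1.10 its private (inside local) address, 198.51.100.7 an unrelated answer with no static entry, and www.example.com the queried name. The router's equivalent mapping would be a single static NAT entry for the public/private pair.

```python
"""Simulate the DNS-doctoring rewrite a NAT device applies to a DNS reply.
Added example for illustration; addresses and the DNS message are constructed."""
import ipaddress
import struct

# Static one-to-one NAT entries, global (public) -> local (private).
# Assumed addresses; the equivalent IOS entry would be
#   ip nat inside source static 192.168.1.10 203.0.113.10
STATIC_NAT = {"203.0.113.10": "192.168.1.10"}

DNS_A, DNS_IN = 1, 1


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus a root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname, rdatas, qr=True, txid=0x1234):
    """Constructed DNS message: one A question, then one IN A record per
    address in rdatas (answer section). Owner names of the answers use a
    compression pointer (0xC00C) back to the question name, as real
    resolvers do. qr=False produces a query instead of a reply."""
    flags = 0x8180 if qr else 0x0100
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(rdatas), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", DNS_A, DNS_IN)
    for addr in rdatas:
        rd = ipaddress.IPv4Address(addr).packed
        msg += b"\xc0\x0c" + struct.pack("!HHIH", DNS_A, DNS_IN, 300, len(rd)) + rd
    return msg


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length


def _walk_rrs(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every resource record
    in the answer, authority and additional sections."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(msg):
    """Dotted-quad addresses of all IN A records in the message, in order."""
    return [str(ipaddress.IPv4Address(msg[o:o + 4]))
            for o, t, c, n in _walk_rrs(msg) if t == DNS_A and c == DNS_IN and n == 4]


def doctor_response(msg, nat=STATIC_NAT):
    """Rewrite the rdata of every A record whose address is a static-NAT
    global address to the matching local address, the way the router
    treats a reply arriving on its outside interface.
    Returns (rewritten_message, list_of_(public, private)_rewrites)."""
    flags = struct.unpack_from("!H", msg, 2)[0]
    if not flags & 0x8000:                      # QR=0: a query, nothing to doctor
        return msg, []
    out = bytearray(msg)
    rewrites = []
    for off, rtype, rclass, rdlen in _walk_rrs(msg):
        if rtype != DNS_A or rclass != DNS_IN or rdlen != 4:
            continue                            # AAAA, CNAME, OPT, ... are left alone
        public = str(ipaddress.IPv4Address(msg[off:off + 4]))
        private = nat.get(public)
        if private:
            # Same-length substitution: no other offset in the packet moves.
            out[off:off + 4] = ipaddress.IPv4Address(private).packed
            rewrites.append((public, private))
    return bytes(out), rewrites


if __name__ == "__main__":
    # Constructed reply from the external resolver: the server's public
    # address plus an unrelated address that has no static NAT entry.
    reply = build_response("www.example.com", ["203.0.113.10", "198.51.100.7"])
    doctored, changed = doctor_response(reply)
    print("answer seen from outside:", a_records(reply))
    print("answer seen by inside host:", a_records(doctored), "rewrites:", changed)
```

Only A records whose rdata exactly matches a global address in the static table are changed; the other answer passes through untouched, and because the substitution is the same length nothing else in the message shifts. On a real router the easiest check is to compare the address an inside host gets from `nslookup` for the FQDN with the address the same name resolves to from the outside: if they differ, the reply was doctored.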

     

     

** When sitting on the inside LAN segment, you cannot reach the internal server by its public (NATted) IP. This is a NAT limitation on routers: the translation is applied only to traffic that crosses between the "ip nat inside" and "ip nat outside" interfaces, not to traffic that enters and leaves on the inside.

You have to use the private IP to reach that server from the inside.

A ping to the public IP from an inside host may still succeed, but it is the router that answers, not the actual server. If the "no-alias" keyword is added at the end of the static NAT statement, the router stops answering for that address and even this ping stops working. Again, this is expected router behaviour.

Possible workarounds to reach the internal server from the same LAN (prerequisite: the clients must use the FQDN to access the server; by using the public IP there is no way to make this work):

1. Use a one-to-one static NAT translation for the private IP of the server, which enables DNS doctoring for that address.
2. Use an internal DNS server that maps the website name to the private IP.
3. Change the hosts file on the PCs that need to reach the server from inside (generally not a feasible solution, as there could be many hosts on the LAN).

     

     

A few documents to refer to:

- PIX/ASA: Perform DNS Doctoring with the static Command and Two NAT Interfaces Configuration Example
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

- "Does Cisco IOS NAT support Domain Name System (DNS) queries?", NAT FAQ
  http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#qa31