02-14-2003 02:44 PM - edited 03-02-2019 05:07 AM
I have discovered a feature of NAT which is causing a problem.
The feature was added in 12.2.13(T) for a default inside server so that port translations are not required if connections are to one inside device.
The problem I have discovered is that some apps use DNS to discover the outside address of the NAT device so that they can work properly. What is happening though is the DNS reply is being doctored to the inside address which is causing application problems.
I would like to have this feature enabled but disable the doctoring of DNS records if that's possible.
An example of this in action is as follows:
NS Lookup queries:
> host217-34-81-150.in-addr.btopenworld.com
Server: inh2dns08.imsnet2.btopenworld.com
Address: 213.120.62.104
Non-authoritative answer:
Name: host217-34-81-150.in-addr.btopenworld.com
Address: 192.168.0.1
Now the debug:
Router(config)#ip nat inside source static 192.168.0.1 interface dialer1
Router(config)#
Feb 14 22:36:53.441: NAT: i: udp (192.168.0.1, 2273) -> (213.120.62.104, 53) [55939]
Feb 14 22:36:53.441: NAT: s=192.168.0.1->217.34.81.150, d=213.120.62.104 [55939]
Feb 14 22:36:53.477: NAT: o: udp (213.120.62.104, 53) -> (217.34.81.150, 2273) [31827]
Feb 14 22:36:53.485: NAT: DNS resource record 217.34.81.150 -> 192.168.0.1
And with "no ip nat inside source static 192.168.0.1 interface dialer 1"
> host217-34-81-150.in-addr.btopenworld.com
Server: inh2dns08.imsnet2.btopenworld.com
Address: 213.120.62.104
Non-authoritative answer:
Name: host217-34-81-150.in-addr.btopenworld.com
Address: 217.34.81.150
Any command to disable the DNS doctoring?
Many thanks in advance.
02-16-2003 09:25 PM
Hi
I am not sure on this but have you tried no ip domain-lookup ?
02-17-2003 01:35 AM
It's not as simple as that I'm afraid, I already have "no ip domain-lookup" as part of my config.
02-19-2003 01:00 AM
We have more or less the same implementation and, of course, ran into the same problems. We needed that NAT but we also needed the DNS packets unchanged.
The easiest way is to use the no-payload option of the "ip nat inside source static" command. What it does is disable the translation of the DNS payload which is, if I am not mistaken, what you need. This option was introduced with 12.2(4)T so you might have to change your IOS. We tried to use this, but this IOS version crashed my router. You might be luckier ;)
You can find some info about this at the URL below:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087bae.html
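To make the behaviour discussed in this thread concrete, here is an added Python model (not code from the thread, Cisco, or IOS) of what the NAT DNS ALG does to the reply in the first post: it parses a DNS response, and rewrites any A record whose address equals the static translation's outside address to the inside address, which is exactly what the debug line "NAT: DNS resource record 217.34.81.150 -> 192.168.0.1" reports. The translate_payload flag is an assumption that stands in for the no-payload option (payload translation on versus off); the response bytes are constructed inline for the same hostname and addresses the original poster used, and the helper names are mine.

```python
import struct
import ipaddress

def encode_name(name):
    """Encode a DNS name as length-prefixed labels (wire format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_a_response(txid, name, addr, ttl=300):
    """Construct a minimal DNS response: one question, one A answer.
    The answer name is a compression pointer (0xC00C) back to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    rdata = ipaddress.IPv4Address(addr).packed
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer

def skip_name(buf, off):
    """Return the offset just past a wire-format name (labels or a pointer)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer
            return off + 2
        off += 1 + length

def parse_answers(buf):
    """Yield (rtype, rdata, rdata_offset) for each record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", buf[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        answers.append((rtype, buf[off:off + rdlen], off))
        off += rdlen
    return answers

def a_records(buf):
    """Dotted-quad addresses of all A records in the response."""
    return [str(ipaddress.IPv4Address(rdata))
            for rtype, rdata, _ in parse_answers(buf) if rtype == 1]

def doctor_payload(buf, outside, inside, translate_payload=True):
    """Simplified model of the NAT DNS ALG for one static translation.

    With translate_payload=True (the default IOS behaviour in the thread) every
    A record equal to the outside address is rewritten to the inside address.
    translate_payload=False (assumed to model the no-payload option) leaves the
    DNS payload untouched; only headers would be translated by the real device.
    Returns (new_packet, [(old_addr, new_addr), ...]).
    """
    if not translate_payload:
        return buf, []
    out = bytearray(buf)
    outside_b = ipaddress.IPv4Address(outside).packed
    inside_b = ipaddress.IPv4Address(inside).packed
    rewritten = []
    for rtype, rdata, off in parse_answers(buf):
        if rtype == 1 and rdata == outside_b:
            out[off:off + 4] = inside_b        # same length, so no offsets shift
            rewritten.append((outside, inside))
    return bytes(out), rewritten

if __name__ == "__main__":
    # Constructed reply matching the nslookup in the first post.
    resp = build_a_response(0x1234, "host217-34-81-150.in-addr.btopenworld.com",
                            "217.34.81.150")
    print("resolver answer:", a_records(resp))
    doctored, log = doctor_payload(resp, "217.34.81.150", "192.168.0.1")
    print("after NAT ALG:  ", a_records(doctored), log)
    untouched, _ = doctor_payload(resp, "217.34.81.150", "192.168.0.1",
                                  translate_payload=False)
    print("payload off:    ", a_records(untouched))
```

Running it reproduces the symptom: the resolver returns 217.34.81.150, the doctored copy carries 192.168.0.1, and with payload translation off the answer is unchanged. A quick sanity check on a live network is the same comparison, resolve a public name from an inside host and from outside the NAT device, and treat an RFC 1918 answer for a public name as the signature of ALG rewriting rather than a DNS problem.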
02-20-2003 04:18 AM
Thanks for the reply.
Unfortunately I am running a Cisco 800 router and this feature doesn't seem to have been implemented.
Cheers anyway.