NAT problem (DNS being doctored)

n.oneill
Level 1

I have discovered a feature of NAT which is causing a problem.

The feature was added in 12.2.13(T) for a default inside server so that port translations are not required if connections are to one inside device.

The problem I have discovered is that some apps use DNS to discover the outside address of the NAT device so that they can work properly. What is happening though is the DNS reply is being doctored to the inside address which is causing application problems.

I would like to have this feature enabled but disable the doctoring of DNS records, if that's possible.

An example of this in action follows:

NS Lookup queries:

> host217-34-81-150.in-addr.btopenworld.com
Server: inh2dns08.imsnet2.btopenworld.com
Address: 213.120.62.104

Non-authoritative answer:
Name: host217-34-81-150.in-addr.btopenworld.com
Address: 192.168.0.1

Now the debug:

Router(config)#ip nat inside source static 192.168.0.1 interface dialer1
Router(config)#
Feb 14 22:36:53.441: NAT: i: udp (192.168.0.1, 2273) -> (213.120.62.104, 53) [55939]
Feb 14 22:36:53.441: NAT: s=192.168.0.1->217.34.81.150, d=213.120.62.104 [55939]
Feb 14 22:36:53.477: NAT: o: udp (213.120.62.104, 53) -> (217.34.81.150, 2273) [31827]
Feb 14 22:36:53.485: NAT: DNS resource record 217.34.81.150 -> 192.168.0.1

And with "no ip nat inside source static 192.168.0.1 interface dialer 1"

> host217-34-81-150.in-addr.btopenworld.com
Server: inh2dns08.imsnet2.btopenworld.com
Address: 213.120.62.104

Non-authoritative answer:
Name: host217-34-81-150.in-addr.btopenworld.com
Address: 217.34.81.150

Any command to disable the DNS doctoring?

Many thanks in advance.

4 Replies

ndoshi
Cisco Employee

Hi

I am not sure about this, but have you tried "no ip domain-lookup"?

It's not as simple as that, I'm afraid. I already have "no ip domain-lookup" as part of my config.

sra
Level 1

We have more or less the same implementation and, of course, ran into the same problems. We needed that NAT but we also needed the DNS packets unchanged.

The easiest way is to use the no-payload option of the "ip nat inside source static" command. What it does is disable the translation of the DNS payload which is, if I am not mistaken, what you need. This option was introduced with 12.2(4)T so you might have to change your IOS. We tried to use this, but this IOS version crashed my router. You might be luckier ;)

You can find some info about this at the URL below:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087bae.html
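To make the behaviour in the original post and in this reply concrete, here is a small model of what the NAT DNS ALG does to a reply passing from outside to inside: it walks the answer section, finds A records whose address matches a static translation, and rewrites them (the "DNS resource record 217.34.81.150 -> 192.168.0.1" debug line above), while a no-payload style translation leaves the packet untouched. This is added example code, not Cisco IOS code or anything from this thread; the DNS message is constructed inline, the function and parameter names are the example's own, and UDP checksum fix-up that a real ALG would also perform is deliberately left out.

```python
import struct
import ipaddress


def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_response(qname, answer_ip, txid=0x1234, ttl=300):
    """Constructed DNS response with one A record (sample input, not a captured packet)."""
    # flags 0x8180: standard response, recursion desired + available
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # answer name is a pointer (0xc00c) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
    answer += ipaddress.IPv4Address(answer_ip).packed
    return header + question + answer


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def a_record_offsets(msg):
    """Offsets of the 4-byte RDATA of every A/IN record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    offsets = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            offsets.append(off)
        off += rdlen
    return offsets


def answer_ips(msg):
    """The A-record addresses a resolver would report for this reply."""
    return [str(ipaddress.IPv4Address(msg[o:o + 4])) for o in a_record_offsets(msg)]


def translate_dns_payload(msg, static_map, translate_payload=True):
    """Model of the NAT DNS ALG on one reply.

    static_map maps the address as seen on the ingress side to the address it is
    rewritten to on the egress side, e.g. {"217.34.81.150": "192.168.0.1"} for a
    reply entering from outside. translate_payload=False models a translation
    configured without payload inspection: the DNS message is returned unchanged.
    """
    if not translate_payload:
        return msg
    buf = bytearray(msg)
    for off in a_record_offsets(msg):
        addr = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        if addr in static_map:
            buf[off:off + 4] = ipaddress.IPv4Address(static_map[addr]).packed
    return bytes(buf)


if __name__ == "__main__":
    reply = build_response("host217-34-81-150.in-addr.btopenworld.com", "217.34.81.150")
    nat = {"217.34.81.150": "192.168.0.1"}
    print("doctored :", answer_ips(translate_dns_payload(reply, nat)))
    print("untouched:", answer_ips(translate_dns_payload(reply, nat, translate_payload=False)))
```

Running it shows the same two outcomes as the nslookup transcripts in the question: with payload translation the inside host sees 192.168.0.1, without it the host sees the real outside address 217.34.81.150. An application that learns its public address through DNS only works in the second case, which is why the reply inspection, not the address translation itself, is the setting that matters here.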

Thanks for the reply.

Unfortunately I am running a Cisco 800 router and this feature doesn't seem to have been implemented.

Cheers anyway.