Disable DNS doctoring

Tommy Svensson
Level 1

Hi.

How can I disable DNS doctoring on my Cisco 1921 router? Even if I use an external DNS, my router "helps" me when I try to resolve addresses that are accessible externally and NATed through my router to the appropriate host. The router looks at its own NAT table, sees the IP I am trying to access, and sends me right to the local IP. In my situation this is not good, and I would like to disable this feature so that I can take the "outside" path to this website.

Regards Tommy Svensson

8 Replies

Peter Paluch
Cisco Employee

Hello Tommy,

Would you mind trying to add the two following commands into your global configuration mode and seeing if it helps?

no ip nat service alg tcp dns
no ip nat service alg udp dns

Best regards,

Peter

Hi.

The following was what was needed:

old config = ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 80 extendable

new config = ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 80 extendable no-payload

The "no-payload" helped me out in this matter, thank you anyway for your reply in this matter.


Regards Tommy Svensson
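To make the behaviour in this thread concrete, here is an added example (not from the thread and not Cisco code): a small Python model of what the NAT DNS ALG does to a reply and what turning payload translation off (the no-payload keyword, or the no ip nat service alg ... dns commands) changes. The NAT table and addresses mirror the 1.1.1.1 / 2.2.2.2 static entry quoted above; the DNS reply is constructed inline, and the hostname www.example.com is an assumption.

```python
"""
Model of NAT "DNS doctoring" (the DNS ALG payload rewrite discussed in the
thread). Added example, not Cisco code and not an implementation of IOS: it
shows what the ALG does to a DNS reply so the effect of the static NAT
`no-payload` keyword (payload translation off) can be seen on a constructed packet.
"""
import struct
import ipaddress

# Constructed NAT table mirroring the thread's example entry:
#   ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 80 extendable
# i.e. global address 2.2.2.2 maps to inside local address 1.1.1.1.
NAT_TABLE = {"2.2.2.2": "1.1.1.1"}

TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname into DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_reply(txid: int, name: str, addr: str, ttl: int = 300) -> bytes:
    """Construct a minimal DNS response with one A record (sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    # The answer name is a compression pointer to offset 12 (the question name).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
    answer += ipaddress.IPv4Address(addr).packed
    return header + question + answer


def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def a_records(pkt: bytes):
    """Yield (rdata_offset, ipv4_string) for each A record in the answer section."""
    qd, an = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4            # skip QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            yield off, str(ipaddress.IPv4Address(pkt[off:off + 4]))
        off += rdlen


def doctor_reply(pkt: bytes, nat_table: dict, payload_translation: bool) -> bytes:
    """
    Model of the NAT DNS ALG on a reply flowing from outside to inside: with
    payload translation on, every A record carrying a NAT global address is
    rewritten to the inside local address (what the router did in the thread).
    With it off (`no-payload`), the reply passes through unchanged.
    """
    if not payload_translation:
        return pkt
    out = bytearray(pkt)
    for off, addr in a_records(pkt):
        if addr in nat_table:
            out[off:off + 4] = ipaddress.IPv4Address(nat_table[addr]).packed
    return bytes(out)


def resolved_addresses(pkt: bytes) -> list:
    """Addresses an inside client would see in this reply."""
    return [addr for _, addr in a_records(pkt)]


if __name__ == "__main__":
    reply = build_a_reply(0x1234, "www.example.com", "2.2.2.2")
    print("reply from external DNS :", resolved_addresses(reply))
    print("default ALG (doctored)  :", resolved_addresses(doctor_reply(reply, NAT_TABLE, True)))
    print("with no-payload         :", resolved_addresses(doctor_reply(reply, NAT_TABLE, False)))
```

Running it shows the same symptom the thread describes: the external server answers 2.2.2.2, the doctored reply hands the inside client 1.1.1.1, and with payload translation off the client sees 2.2.2.2 again. The practical check is the same comparison: resolve the name from an inside host and from outside the router, and a mismatch on a NAT global address points at the ALG.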

Tommy,

Thank you for your reply, and also thanks for sharing your solution!

Nevertheless, I am curious - I do not have a lab handy right now but I would be very much interested in learning whether my suggestion worked or not. Did you have any time to test it?

Best regards,

Peter

As my network and NAT are live, I did not want to test too much, as I'm new to these things; maybe I will test it in another environment later on.

Regards Tommy Svensson

Hi Tommy,

I understand your point. No problem. I'll test it in our lab once I have more time.

Best regards,

Peter

Peter, is there some syntax that works in 12.2(17a) [c2600-jk9o3s-mz.122-17a.bin] to disable this feature? I discovered my 2611 doing the DNS payload thing, but I can't fix it with either of the answers given above:

backfire(config)#no ip nat service ?
  H225    H323-H225  protocol
  list    Specify access list describing global addresses
  skinny  skinny protocol

backfire(config)#no ip nat service alg tcp dns
                                   ^
% Invalid input detected at '^' marker.

backfire(config)#ip nat inside source static 10.9.18.99 75.76.77.78 extendable ?
  no-alias  Do not create an alias for the global address

backfire(config)#ip nat inside source static 10.9.18.99 75.76.77.78 extendable no-payload
ip nat inside source static 10.9.18.99 75.149.147.130 extendable no-payload
                                                                    ^
% Invalid input detected at '^' marker.

(Same with a tcp-only static line.)

Hi jxh,

Unfortunately, I do not know about any other way of preventing IOS from mangling the DNS replies. We had a lengthy thread here just a few weeks ago; the router did not support the required no ip nat service alg commands although it had a much more recent IOS version than yours. We just weren't able to stop the router from modifying the DNS replies over several suggestions; eventually, we gave up.

https://supportforums.cisco.com/message/4035440#4035440

Best regards,

Peter

This worked for me. Thank you, Peter.