07-09-2006 10:49 PM - edited 03-03-2019 01:17 PM
Dear,
We have an 837 ADSL router, but are unable to make our DNS server accessible from the outside.
we have following NAT static entry:
ip nat inside source static udp 192.168.0.253 53 213.49.131.61 53 extendable
All queries reach our server as expected, but the answer does not get back. (If our DNS server and the PC sending the query both use a port other than 53, and we change the NAT entry to map port 53 to another local port, it works OK.)
Full configuration is in the attachment.
Can anyone please help me out?
Is there a special command to allow DNS replies to pass through the router?
07-10-2006 02:46 AM
Without a look at your config, did you try giving TCP 53 translation as well?
07-10-2006 03:16 AM
Yes,
both UDP and TCP port 53 are translated (and port 53 TCP works fine, 53 UDP not)
ip nat inside source static tcp 192.168.0.253 53 213.49.131.61 53 extendable
ip nat inside source static udp 192.168.0.253 53 213.49.131.61 53 extendable
I've done some more investigation, and I found out that the query is NAT-ed correctly, but the answer is not NAT-ed.
So the source address of the answer remains 192.168.0.253, and is then blocked by the following lines in the access-list
access-list 112 permit ip host 213.49.131.61 any
access-list 112 deny ip any any
(This was discovered by enabling logging for this last line.)
Any ideas why data from UDP port 53 or to UDP port 53 is not NAT-ed?
07-10-2006 03:44 AM
Hello,
you actually only need UDP port 53 for DNS to be translated. Does this work when you take the access list off the interface altogether? If the access list is a requirement, try and change it to:
access-list 112 permit ip host 213.49.131.61 any
access-list 112 permit ip any host 213.49.131.61
access-list 112 deny ip any any
Regards,
GNT
07-10-2006 04:13 AM
I've changed the access-list to
access-list 112 permit ip any any
but it still doesn't work (as I expected, since packets with a source address of 192.168.0.253 are unroutable through the Internet, as this is a reserved address).
The problem is with the NAT. Why are the DNS responses not NAT-ed?
07-13-2006 06:59 AM
Problem solved
There has to be a 1-1 NAT rule in the configuration:
ip nat inside source static 192.168.0.253 213.49.131.61
Only forwarding port 53 UDP and TCP doesn't work.
AND
The DNS server must be configured to supply A records with the local IP address, not the global IP address, otherwise the DNS response does not pass through the router!!! (surprise, surprise) The router translates the IP addresses inside the DNS responses.
It took a long time to find this out, but now everything works OK.
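The rewriting of A records inside the DNS reply that the last post describes, shown as an added example that is not from this thread or from Cisco IOS: a small Python model of a NAT DNS ALG that walks the answer section and rewrites A-record RDATA matching the inside local address 192.168.0.253 to the inside global address 213.49.131.61. The constructed reply packet, the name ns.example.net and the function names are assumptions.

```python
import ipaddress
import struct

INSIDE_LOCAL = "192.168.0.253"   # address the DNS server should put in its A records
INSIDE_GLOBAL = "213.49.131.61"  # address the 1-to-1 static NAT presents to the outside


def build_response(qname, answer_ip, txid=0x1234):
    """Constructed DNS reply: one question, one A record (name via pointer to offset 12)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 QD, 1 AN
    question = labels + struct.pack("!HH", 1, 1)                # QTYPE A, QCLASS IN
    rdata = ipaddress.IPv4Address(answer_ip).packed
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def skip_name(msg, off):
    """Advance past a domain name, handling a compression pointer (0xC0xx)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1


def a_record_offsets(msg):
    """Byte offsets of the RDATA of every A record in the answer section."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    offsets = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            offsets.append(off)
        off += rdlen
    return offsets


def answer_ips(msg):
    return [str(ipaddress.IPv4Address(bytes(msg[o:o + 4]))) for o in a_record_offsets(msg)]


def nat_dns_fixup(msg, local, global_):
    """Rewrite A records equal to `local` into `global_`, as the router's DNS ALG does."""
    out, hits = bytearray(msg), 0
    for o in a_record_offsets(msg):
        if bytes(out[o:o + 4]) == ipaddress.IPv4Address(local).packed:
            out[o:o + 4] = ipaddress.IPv4Address(global_).packed
            hits += 1
    return bytes(out), hits
```

A reply that already carries the global address matches nothing and is left untouched, which is why the server in the thread had to answer with its local address.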