Hi everybody,

I've  the following configuration: CISCO 881, IOS 15.2(4)M6. On WAN interface is configured the 86.34.156.48/29 subnet from our ISP. Behind the router is staying 2 webserver. NAT: 86.34.156.51 <> 10.10.10.100 (private IP, server1). If I configure the BIND DNS server A records with the external IP of the server(86.34.156.51) the outside world never get the response from my DNS server(I don't know what happens there, perhaps the router does DNS doctoring or something similar ( it is a question)), and it is sure the DNS server is configured and works properly(I captured the IP packets with TCPdump). But if I configure the DNS server A records with the server private IP (10.10.10.100)  the packets is alwasy arriving to proper destination(with the server external IP, perhaps DNS doctoring too). The only one problem with this is, that the DNS packet TTL value disappear, as you can see in the below digs output.

What could I do?

            +-----+
            |         |  an other host somewhere on internet(C)
            |         |
            +-----+
                |
                |
                :
                :  internet
                :

                |  

            +-----+
            |         |      ISP's router
            |         |       black box, without acces
            +-----+

                |
                | 86.34.456.48/29
            +-----+
            |         |      CISCO 881,
            |         |       IOS 15.2(4)M6
            +-----+
                |
                |
    ------------------------------------------------------------  local private network 10.10.10.0/24
        |                                                      |
        | (86.34.156.51)                           | (Nat rule not yet attached)
        | 10.10.10.100                              | 10.10.10.101
        |                                                      |
    +-----+                                           +-----+
    |         |                                            |        |
    |         |                                            |        |
    +-----+                                           +-----+
    linux server (A)                                linux server (B)
    BIND DNS server

     style2take.ro

Here is some dig (dns diagnostic tool under linux):

From host B :  $dig style2take.ro

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42222
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;style2take.ro.                 IN      A

;; ANSWER SECTION:
style2take.ro.          0       IN      A       10.10.10.100                                                <-- here you can see the TTL is 0

;; Query time: 52 msec
;; SERVER: 193.231.100.130#53(193.231.100.130)
;; WHEN: Fri Feb 20 10:27:25 EET 2015
;; MSG SIZE  rcvd: 58 

From host B: $dig @10.10.10.100 style2take.ro

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65374
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;style2take.ro.                 IN      A

;; ANSWER SECTION:
style2take.ro.          3600    IN      A       10.10.10.100                                                <-- here you can see the TTL is 3600

;; AUTHORITY SECTION:
style2take.ro.          3600    IN      NS      ns1.style2take.ro.
style2take.ro.          3600    IN      NS      ns2.style2take.ro.

;; ADDITIONAL SECTION:
ns1.style2take.ro.      3600    IN      A       10.10.10.100
ns2.style2take.ro.      3600    IN      A       10.10.10.100

;; Query time: 0 msec
;; SERVER: 10.10.10.100#53(10.10.10.100)
;; WHEN: Fri Feb 20 10:28:58 EET 2015
;; MSG SIZE  rcvd: 126

From host C : $dig style2take.ro

;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32364
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 0

;; QUESTION SECTION:
;style2take.ro.                 IN      A

;; ANSWER SECTION:
style2take.ro.          0       IN      A       86.34.156.51                                                <-- here you can see the TTL is 0

;; AUTHORITY SECTION:
ro.                     106161  IN      NS      sns-pb.isc.org.
ro.                     106161  IN      NS      primary.rotld.ro.
ro.                     106161  IN      NS      sec-dns-a.rotld.ro.
ro.                     106161  IN      NS      sec-dns-b.rotld.ro.
ro.                     106161  IN      NS      dns-at.rotld.ro.
ro.                     106161  IN      NS      dns-ro.denic.de.

;; Query time: 149 msec
;; SERVER: 82.79.24.74#53(82.79.24.74)
;; WHEN: Fri Feb 20 10:29:52 2015
;; MSG SIZE  rcvd: 201

From host C: $dig @86.34.156.51 style2take.ro

; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48385
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;style2take.ro.                 IN      A

;; ANSWER SECTION:
style2take.ro.          0       IN      A       86.34.156.51                                                <-- here you can see the TTL is 0

;; AUTHORITY SECTION:
style2take.ro.          0       IN      NS      ns2.style2take.ro.
style2take.ro.          0       IN      NS      ns1.style2take.ro.

;; ADDITIONAL SECTION:
ns1.style2take.ro.      0       IN      A       86.34.156.51
ns2.style2take.ro.      0       IN      A       86.34.156.51

;; Query time: 29 msec
;; SERVER: 86.34.156.51#53(86.34.156.51)
;; WHEN: Fri Feb 20 10:35:05 2015
;; MSG SIZE  rcvd: 115