Disable DNS Doctoring on Cisco 1841

Unanswered Question
May 18th, 2009


I have a Cisco 1841 Router, with the IOS version c1841-ipbase-mz.124-3i.bin. I have a static NAT entry in the running config, such as:

ip nat inside source static

The network layout is attached. Whenever someone in my internal network sends a DNS request for mydomain.com to the ISP's DNS server, instead of returning , it returns , which would be the DMZ IP of my firewall.

I understand DNS Doctoring (Rewriting) is the reason this happens.

Is there any way I can disable it?

Thank you.

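An added configuration example, not from the original post or any reply in this thread: Cisco IOS static NAT accepts a no-payload keyword that stops the NAT application layer gateway from translating addresses embedded in packet payloads, which is what rewrites the A record in DNS replies (the "DNS doctoring" the question describes). The addresses below are placeholders, and whether this particular 12.4 IP Base image accepts the keyword is an assumption; check it on the router before relying on it.

```cisco
! Added example, not from the thread. Placeholder addresses:
!   10.0.0.10   = firewall DMZ address (inside local)
!   192.0.2.10  = public address on the ISP side (inside global)
!
! Before: plain static NAT. The NAT DNS ALG inspects DNS replies passing
! through the router; when an A record carries 192.0.2.10 it rewrites it to
! 10.0.0.10, so an inside client asking the ISP's DNS for mydomain.com gets
! the DMZ address instead of the public one.
ip nat inside source static 10.0.0.10 192.0.2.10

! After: same mapping with no-payload, so NAT translates only the IP header
! and leaves addresses embedded in the payload (the DNS answer) untouched.
! Removing and re-adding the entry briefly drops translations for this
! mapping, so do it in a maintenance window.
no ip nat inside source static 10.0.0.10 192.0.2.10
ip nat inside source static 10.0.0.10 192.0.2.10 no-payload

! Verify the keyword was accepted and that translations still build:
show running-config | include ip nat inside source static
show ip nat translations
```

With payload translation off, an inside client that asks the ISP's DNS for mydomain.com now gets the public address back, so anything inside that must reach the server by name either needs to use the internal DNS server (split DNS) or the router must be able to hairpin traffic to the public address; otherwise the symptom simply moves from "wrong address returned" to "right address, unreachable from inside".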
John Blakley Mon, 05/18/2009 - 06:25

This may be a silly question, but are your clients using an internal DNS server that has the internal IP mapped to the "mydomain.com" domain name?

If so, delete that record and see if that solves your issue.



pestebogdan Mon, 05/18/2009 - 06:39

Okay, the situation is a little bit more complicated than illustrated in the schematic. The original question was: "How do I disable DNS doctoring", but I guess I owe an explanation, so I don't look like an idiot :)

OK, of course I have an internal DNS server that resolves just fine. Here is the real problem:

I have a Windows XP VPN client that initiates a VPN connection to the Firewall/VPN Server (Windows XP ISA Server). Of course, the routing table on the client looks something like: via <> metric 1 via <> metric 10

In other words, the preferred gateway is the VPN connection, which is how it should be.

However, the first DNS server interrogated by my VPN client isn't the internal DNS server defined on the PPP connection, it's the server defined on my wired connection, because that is the "preferred adapter".

I know, I tried to modify the "default adapter" but believe me, in XP SP3 it doesn't work; even Microsoft acknowledges that.

Back to my scenario: my VPN client sends a DNS request, which is carried through the VPN tunnel (because it's the preferred route), NATed out my firewall, then SNATed out my router, and I get the DNS record: mydomain.com -->, simply because the request was sent through my VPN connection.

So, if I have, say, an FTP server with the local IP:, and defined in the ISP's DNS with, then my DNS request would come back with, in which case I run into all sorts of problems (take my word for it, it doesn't work).

So, any ideas? If I managed to disable DNS doctoring then it would be OK.

