DNS rewrite

Answered Question
Feb 2nd, 2010

Hi All,


I have internal servers on the same segment with internal machines.


When I use an ASA to provide Internet, I can use a DNS rewrite function for the servers, so that the inside network can reach the inside servers with the private address (using a public DNS).


So, for example I have an internal server 10.1.1.1

I have the static NAT:

static (inside,outside) 20.1.1.1 10.1.1.1 dns


So, when an inside computer tries to get to mycompany.com, it sends a request to the public DNS, which resolves the public IP address, but when the reply comes through the ASA, the ASA translates the DNS reply to the 10.1.1.1 address (and I can reach the server fine).


My question is:

Instead of an ASA, I have a Router 2821 12.4(24)T

Is there a way to accomplish the DNS rewrite function on the router?


ARENAS-CENTRAL(config)#ip nat inside source static 10.1.1.1 20.1.1.1 ?
  extendable  Extend this translation when used
  mapping-id  Associate a mapping id to this mapping
  no-alias    Do not create an alias for the global address
  no-payload  No translation of embedded address/port in the payload
  redundancy  NAT redundancy operation
  route-map   Specify route-map
  vrf         Specify vrf
  <cr>

ARENAS-CENTRAL(config)#

Or, is there another way to accomplish this task?


Thank you!!


Federico.


Kureli Sankar Fri, 02/05/2010 - 12:25

I am almost positive that dns rewrite just works by default on IOS.


-KS

Correct Answer
Ricardo Prado Rueda Mon, 02/08/2010 - 09:27

Hi Federico,

   DNS doctoring, which is the feature you are looking for, is not supported on Cisco routers. As a consequence of your setup, the local PC will try to access the server through its NAT address, which is also not possible on a Cisco router. This is because when NAT is configured we need to send the traffic from inside to outside to translate it, and then, to undo this translation, it's a requirement that the traffic flows from outside to inside. All these requirements are based on the NAT RFC 1631; that's why on a Cisco router configured with static NAT you are not able to see a local web server through its NATed address.


There are a few workarounds you can try on this kind of setup:


WORKAROUND 1:
Instead of using the public IP address, try to access the server through the private IP address. It's the simplest way to solve this issue.


WORKAROUND 2:
Configure one of your computers as a local DNS server and add a record stating that the only way to access the server is with the private IP address. Here is a useful link that explains how to configure a computer as a private DNS server:


http://www.microsoft.com/technet/archive/windows2000serv/evaluate/featfunc/dnsover.mspx


This is the best choice to do this configuration.


WORKAROUND 3:
Configure the router as a DNS server. The local network should point its DNS queries to the router, and you configure a local entry for that server. In this way, when the LAN tries to access the public domain of a local address, the router will provide the private IP instead of the public IP. Here are the lines needed to configure the router as a DNS server (you need at least version 12.2(4)T):


config t
ip dns server
ip domain lookup
ip name-server X.X.X.X               <<<<< PUBLIC DNS TO FORWARD QUERIES
ip host www.domain.com 10.1.1.1      <<<<< NAME OF SERVER, PRIVATE ADDRESS OF SERVER


WORKAROUND 4:
There's something else you can do on each PC. You just have to edit a file that contains ALIASES for certain domain names pointing to an IP address. Of course, this only works when trying to access a server through the domain name, not with the IP address. The file is called "hosts". The Windows OS, before asking a DNS server for a domain name, checks this file to see if there is a shortcut to know the IP address belonging to the domain. On Windows 2000 and NT, it is placed in the following path (I think that on XP you will find it there as well):


C:\WINNT\system32\drivers\etc


You just need to edit it with NOTEPAD. Here is what you will find when you open the file:


# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host


127.0.0.1       localhost


   This is why if you do a PING LOCALHOST on an MS-DOS window, you are pinging 127.0.0.1. You just need to add your domain name and point it to the private address of the server.



WORKAROUND 5:
Configure what is called NAT on a Stick in your router. This kind of special configuration "tricks" both the server and the LAN into believing they are talking with a completely different network, avoiding the issue related to the NAT. The problem with this configuration is that it is quite heavy on the router and does not always work, so I would discourage its use, because the router will get involved in all internal conversations with the whole network, therefore resulting in too much work for the router. Another thing you need to keep in mind regarding this workaround is that this specific setup is not supported by Cisco.



Regards,


Rick.

Federico Coto F... Wed, 02/10/2010 - 10:37

Excellent reply Rick!


I used workaround#2.


Thank you very much!!


Federico.

stefan.egger Wed, 02/08/2012 - 08:46

DNS rewrite is enabled by default where:


- a static NAT is configured on the router with the outside and the inside address of the inside SERVER A

- and the router sees a DNS reply from the outside DNS containing the outside NAT IP for SERVER A


In this case the router rewrites the IP for SERVER A from the outside NAT to the inside NAT IP.
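The payload rewrite that the question's `static ... dns` keyword enables on the ASA, and that stefan.egger describes as the IOS NAT default, modelled in Python as an added example that is not part of the thread and is not Cisco code. The DNS reply is constructed by hand; the mapping mirrors the question's 20.1.1.1 to 10.1.1.1 static, the name mycompany.com is the one from the question, and 198.51.100.7 is an assumed unrelated address included only to show that records outside the NAT mapping are left alone.

```python
"""
Added example, not code from the thread or from Cisco: a minimal model of
the DNS A-record rewrite ("DNS doctoring") that the ASA's `static ... dns`
keyword performs and that stefan.egger describes as the IOS NAT default.
The DNS reply is constructed by hand here; the addresses 20.1.1.1 / 10.1.1.1
and the name mycompany.com come from Federico's question, 198.51.100.7 is
an assumed unrelated documentation-range address that must survive untouched.
"""
import ipaddress
import struct

# Static NAT mapping, global (outside) -> local (inside), mirroring
# "static (inside,outside) 20.1.1.1 10.1.1.1 dns" from the question.
NAT_GLOBAL_TO_LOCAL = {"20.1.1.1": "10.1.1.1"}


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:                 # root label ends an uncompressed name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def _records(msg: bytes):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every RR after the question section."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated RDATA")
        yield off, rtype, rclass, rdlen
        off += rdlen


def doctor_dns_reply(msg: bytes, mapping: dict) -> bytes:
    """Rewrite IN A RDATA carrying a NAT global address to the local address.

    Only responses (QR=1) are touched; queries, CNAME/AAAA records, TTLs and
    the message length stay exactly as they were, which is why the inside
    client cannot tell the answer was doctored. An empty mapping behaves
    like the IOS `no-payload` keyword: the payload passes through unchanged.
    """
    if len(msg) < 12:
        raise ValueError("short DNS message")
    if not struct.unpack("!H", msg[2:4])[0] & 0x8000:
        return msg                      # QR bit clear: this is a query
    out = bytearray(msg)
    for off, rtype, rclass, rdlen in _records(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addr = str(ipaddress.IPv4Address(msg[off:off + 4]))
            if addr in mapping:
                out[off:off + 4] = ipaddress.IPv4Address(mapping[addr]).packed
    return bytes(out)


def a_records(msg: bytes) -> list:
    """Addresses of all IN A records in the message, in wire order (for checks)."""
    return [str(ipaddress.IPv4Address(msg[off:off + 4]))
            for off, rtype, rclass, rdlen in _records(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_reply(qname: str, answers, txid: int = 0x1234) -> bytes:
    """Constructed DNS response: one IN A question plus `answers` given as
    (rtype, rdata) tuples whose owner name is a compression pointer to the
    question name at offset 12, so the pointer path in _skip_name is exercised."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    body = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
                    for rtype, rdata in answers)
    return header + question + body


# Constructed sample: what the public DNS would hand back for mycompany.com.
SAMPLE_REPLY = build_reply("mycompany.com", [
    (1, ipaddress.IPv4Address("20.1.1.1").packed),       # the server's public address
    (1, ipaddress.IPv4Address("198.51.100.7").packed),   # unrelated address, must survive
])

if __name__ == "__main__":
    print("before:", a_records(SAMPLE_REPLY))
    print("after: ", a_records(doctor_dns_reply(SAMPLE_REPLY, NAT_GLOBAL_TO_LOCAL)))
```

Two things worth checking in a real deployment follow from this model: the rewrite keys purely on the static mapping, so a public DNS answer that happens to contain a global address from any static on the box is rewritten whether or not it refers to your server, and only A records are touched, so a name that resolves through a CNAME still works but an AAAA answer is never doctored.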
