DNS rewrite

Hi All,

I have internal servers on the same segment with internal machines.

When I use an ASA to provide Internet, I can use a DNS rewrite function for the servers, so that the inside network can reach the inside servers with the private address (using a public DNS).

So, for example I have an internal server 10.1.1.1

I have the static NAT:

static (inside,outside) 20.1.1.1 10.1.1.1 dns

So, when an inside computer tries to get to mycompany.com, it sends a request to the public DNS, which resolves the public IP address; when the reply comes back through the ASA, the ASA translates the DNS reply to the 10.1.1.1 address (and I can reach the server fine).

My question is:

Instead of an ASA, I have a Router 2821 12.4(24)T

Is there a way to accomplish the DNS rewrite function on the router?

ARENAS-CENTRAL(config)#ip nat inside source static 10.1.1.1 20.1.1.1 ?
  extendable  Extend this translation when used
  mapping-id  Associate a mapping id to this mapping
  no-alias    Do not create an alias for the global address
  no-payload  No translation of embedded address/port in the payload
  redundancy  NAT redundancy operation
  route-map   Specify route-map
  vrf         Specify vrf
  <cr>

ARENAS-CENTRAL(config)#

Or, is there another way to accomplish this task?

Thank you!!

Federico.

Accepted Solution

Ricardo Prado Rueda
Cisco Employee

Hi Federico,

   DNS doctoring, which is the feature you are looking for, is not supported on Cisco routers. As a consequence of your setup, the local PC will try to access the server through its NAT address, which is also not possible on a Cisco router. This is because when NAT is configured we need to send the traffic from inside to outside to translate it, and then, to undo this translation, it's a requirement that the traffic flows from outside to inside. All these requirements are based on the NAT RFC 1631; that's why on a Cisco router configured with static NAT you are not able to see a local web server through its NATted address.

There are a few workarounds you can try on this kind of setup:

WORKAROUND 1:
Instead of using the public IP address, try to access the server through the private IP address. It's the simplest way to solve this issue.

WORKAROUND 2:
Configure one of your computers as a local DNS server and add a record stating that the only way to access the server is with the private IP address. Here is a useful link that explains how to configure a computer as a private DNS server:

http://www.microsoft.com/technet/archive/windows2000serv/evaluate/featfunc/dnsover.mspx

This is the best choice to do this configuration.

WORKAROUND 3:
Configure the router as a DNS server. The local network should point its DNS queries to the router, and you configure a local entry for that server on the router. In this way, when the LAN tries to access the public domain name of a local address, the router will provide the private IP instead of the public IP. Here are the lines needed to configure the router as a DNS server (you need at least version 12.2(4)T):

config t
ip dns server
ip domain lookup
ip name-server X.X.X.X            <<<<< PUBLIC DNS TO FORWARD QUERIES
ip host www.domain.com 10.1.1.1   <<<<< PRIVATE ADDRESS OF SERVER

WORKAROUND 4:
There's something else you can do on each PC. You just have to edit a file that contains aliases for certain domain names pointing to an IP address. Of course, this only works when trying to access a server through the domain name, not with the IP address. The file is called "hosts". The Windows OS, before asking a DNS server for a domain name, checks this file to see if there is a shortcut to know the IP address belonging to the domain. On Windows 2000 and NT, it is placed in the following path (I think you will find it on XP as well):

C:\WINNT\system32\drivers\etc

You just need to edit it with NOTEPAD. Here is what you will find when you open the file:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

   This is why if you do a PING LOCALHOST in an MS-DOS window, you are pinging 127.0.0.1. You just need to add your domain name and point it to the private address of the server.


WORKAROUND 5:
Configure what is called NAT on a Stick in your router. This kind of special configuration "tricks" both the server and the LAN into believing they are talking with a completely different network, avoiding the issue related to the NAT. The problem with this configuration is that it is quite heavy on the router and does not always work, so I would discourage its use, because the router will get involved in all internal conversations with the whole network, resulting in too much work for the router. Another thing you need to keep in mind regarding this workaround is that this specific setup is not supported by Cisco.

Regards,

Rick.


Ivan Martinon
Level 7

Federico,

NAT on a Stick is the similar function that IOS has; this, however, is not quite guaranteed to work as desired. Please take a look at the following link:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

hth

Ivan

I am almost positive that dns rewrite just works by default on IOS.

-KS

Excellent reply Rick!

I used workaround#2.

Thank you very much!!

Federico.

DNS rewrite is enabled by default where:

- a static NAT is configured on the router with the outside and the inside address of the inside SERVER A

- and the router sees a DNS reply from the outside DNS containing the outside NAT IP for SERVER A

In this case the router rewrites the IP for SERVER A from the outside NAT to the inside NAT IP.
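The rewrite that the question describes for the ASA (and that the post above says IOS applies by default) is a DNS payload translation: the device looks into the answer section of a DNS reply crossing the static NAT and swaps the global address for the inside address. The following is an added example, not code from the thread or from Cisco, that implements that rewrite over raw DNS wire-format messages so the behaviour can be inspected offline. The NAT table mirrors the thread's "20.1.1.1 -> 10.1.1.1" mapping; the hostname mycompany.com and every packet are constructed here with the helper builders, and 203.0.113.5 is an arbitrary documentation-range address used to show that unrelated answers are left alone.

```python
"""Minimal DNS doctoring / DNS rewrite engine (added example, not from the thread).

Given a DNS response in wire format and a static NAT table, rewrite the
RDATA of A records in the answer section whose address is a NAT global
address, replacing it with the inside (private) address.  The question
section, TTLs, message length and all other records are left untouched,
which is what lets the rewritten reply still match the client's query.
"""
import struct
import ipaddress

# Static NAT table: global (outside) address -> inside (private) address.
# Mirrors "static (inside,outside) 20.1.1.1 10.1.1.1 dns" from the thread.
STATIC_NAT = {"20.1.1.1": "10.1.1.1"}

A_RECORD = 1      # RR type A
CLASS_IN = 1      # RR class IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def _encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name):
    """Construct a standard A query for `name` (test input only)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", A_RECORD, CLASS_IN)


def build_response(txid, name, a_records, ttl=300):
    """Construct a response with one A question and one A answer per address
    (test input only; a real rewriter sees replies from the public DNS)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(a_records), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", A_RECORD, CLASS_IN)
    answers = b""
    for ip in a_records:
        # 0xC00C is a compression pointer to the owner name at offset 12 (the question)
        answers += struct.pack("!HHHIH", 0xC00C, A_RECORD, CLASS_IN, ttl, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def _answer_records(msg):
    """Yield (rtype, rclass, rdata_offset, rdlen) for each answer-section record."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):            # skip the question section
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def answer_addresses(msg):
    """List the IPv4 addresses carried by A records in the answer section."""
    return [str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            for rtype, rclass, off, rdlen in _answer_records(msg)
            if rtype == A_RECORD and rclass == CLASS_IN and rdlen == 4]


def doctor_response(msg, nat=STATIC_NAT):
    """Apply the NAT table to A records in a DNS response.

    Returns (rewritten_message, number_of_records_rewritten).  Queries
    (QR bit clear) are returned unchanged: only replies are doctored.
    """
    msg = bytes(msg)
    flags = struct.unpack("!H", msg[2:4])[0]
    if not flags & 0x8000:
        return msg, 0
    buf = bytearray(msg)
    rewritten = 0
    for rtype, rclass, off, rdlen in _answer_records(msg):
        if rtype != A_RECORD or rclass != CLASS_IN or rdlen != 4:
            continue
        addr = str(ipaddress.IPv4Address(msg[off:off + 4]))
        if addr in nat:
            buf[off:off + 4] = ipaddress.IPv4Address(nat[addr]).packed
            rewritten += 1
    return bytes(buf), rewritten


if __name__ == "__main__":
    reply = build_response(0x1234, "mycompany.com", ["20.1.1.1"])
    fixed, count = doctor_response(reply)
    print("before:", answer_addresses(reply), "after:", answer_addresses(fixed), "rewritten:", count)
```

Because the rewrite is length-preserving (IPv4 to IPv4) the UDP and IP lengths need no recomputation; a real device also has to fix the UDP checksum and handle TCP-carried DNS, which this stand-alone parser deliberately leaves out.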
