Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

NAT problem (DNS being doctored)

I have discovered a feature of NAT which is causing a problem.

The feature was added in 12.2.13(T) for a default inside server so that port translations are not required if connections are to one inside device.

The problem I have discovered is that some apps use DNS to discover the outside address of the NAT device so that they can work properly. What is happening though is the DNS reply is being doctored to the inside address which is causing application problems.

I would like to have this feature enabled but disable the doctoring of DNS records if thats possible.

An example of this is action as follows:

NS Lookup queries:

> host217-34-81-150.in-addr.btopenworld.com

Server: inh2dns08.imsnet2.btopenworld.com

Address: 213.120.62.104

Non-authoritative answer:

Name: host217-34-81-150.in-addr.btopenworld.com

Address: 192.168.0.1

Now the debug:

Router(config)#ip nat inside source static 192.168.0.1 interface dialer1

Router(config)#

Feb 14 22:36:53.441: NAT: i: udp (192.168.0.1, 2273) -> (213.120.62.104, 53) [55

939]

Feb 14 22:36:53.441: NAT: s=192.168.0.1->217.34.81.150, d=213.120.62.104 [55939]

Feb 14 22:36:53.477: NAT: o: udp (213.120.62.104, 53) -> (217.34.81.150, 2273) [

31827]

Feb 14 22:36:53.485: NAT: DNS resource record 217.34.81.150 -> 192.168.0.1

And with "no ip nat inside source static 192.168.0.1 interface dialer 1"

> host217-34-81-150.in-addr.btopenworld.com

Server: inh2dns08.imsnet2.btopenworld.com

Address: 213.120.62.104

Non-authoritative answer:

Name: host217-34-81-150.in-addr.btopenworld.com

Address: 217.34.81.150

Any command to disable the DNS doctoring?

Many thanks in advance.

4 REPLIES
Cisco Employee

Re: NAT problem (DNS being doctored)

Hi

I am not sure on this but have you tried no ip domain-lookup ?

New Member

Re: NAT problem (DNS being doctored)

It's not as simple as that Im afraird, I already have "no ip domain-lookup" as part of my config.

sra
New Member

Re: NAT problem (DNS being doctored)

We have more or less the same implementation and, or course, ran into the same problems. We needed that NAT but we also needed the DNS packets unchanged.

The easiest way is to use the no-payload option of the "ip nat inside source static" command. What it does is disable the translation of the DNS payload which is, if I am not mistaken, what you need. This option was introduced with 12.2(4)T so you might have to change your IOS. We tried to use this, but this IOS version crashed my router. You might be luckier ;)

You can find some info about this at the URL below:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087bae.html

New Member

Re: NAT problem (DNS being doctored)

Thanks for the reply.

Unfortunately I am running a Cisco 800 router and this feature doesn't seem to have been implemeted.

Cheers anyway.

124
Views
3
Helpful
4
Replies
CreatePlease to create content