05-18-2009 06:16 AM - edited 03-04-2019 04:47 AM
Hello,
I have a Cisco 1841 Router, with the IOS version c1841-ipbase-mz.124-3i.bin. I have a static NAT entry in the running config, such as:
ip nat inside source static 10.0.0.1 77.77.77.77
The network layout is attached. Whenever someone in my internal network sends a DNS request for mydomain.com to the ISP's DNS server, instead of returning 77.77.77.77, it returns 172.16.0.10, which is the DMZ IP of my firewall.
I understand DNS Doctoring (Rewriting) is the reason this happens.
Is there any way I can disable it?
Thank you.
05-18-2009 06:25 AM
This may be a silly question, but are your clients using an internal DNS server that has the internal ip mapped to the "mydomain.com" domain name?
If so, delete that record and see if that solves your issue.
HTH,
John
05-18-2009 06:39 AM
Okay, the situation is a little bit more complicated than illustrated in the schematic. The original question was: "How do I disable DNS doctoring?", but I guess I owe an explanation, so I don't look like an idiot :)
Ok, of course I have an internal DNS server that resolves just fine. Here is the real problem:
I have a Windows XP VPN client who initiates a VPN connection to the Firewall/VPN Server (Windows XP ISA Server). Of course, the routing table on the client looks something like:
0.0.0.0 0.0.0.0 via <
0.0.0.0 0.0.0.0 via <
In other words, the preferred gateway is the VPN connection, which is how it should be.
However, the first DNS server interrogated by my VPN client isn't the internal DNS server defined on the PPP connection, it's the server defined on my wired connection, because that is the "preferred adapter".
I know, I tried to modify the "default adapter", but believe me, in XP SP3 it doesn't work; even Microsoft acknowledges that.
Back to my scenario: my VPN client sends a DNS request, which is carried through the VPN tunnel (because it's the preferred route), NATed out by my firewall, then SNATed out by my router, and I get the DNS record: mydomain.com --> 172.16.0.10, simply because the request was sent through my VPN connection.
So, if I have, say, an FTP server with the local IP 192.168.0.10, defined in the ISP's DNS as 77.77.77.77, then the answer to my DNS request would come back as 172.20.0.10, in which case I run into all sorts of problems (take my word on it, it doesn't work).
So, any ideas? If I managed to disable DNS doctoring then it would be OK.
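What the poster calls "DNS doctoring" is the NAT DNS application-layer gateway (ALG): when a DNS reply crosses a NAT boundary, IOS inspects the payload and, for any A record whose address matches a NAT translation, rewrites the address in the direction of the translation, so a reply arriving on the inside interface carries the inside address instead of the public one. The following Python script is an added example, not code from the thread or from Cisco; it builds a constructed DNS reply for mydomain.com and applies the same outside-to-inside A-record rewrite using the static mapping from the first post (10.0.0.1 <-> 77.77.77.77). The firewall DMZ address the poster observed (172.16.0.10) is not modelled here; only the mechanism is.

```python
import struct
import ipaddress

# Static NAT table taken from the first post: inside 10.0.0.1 <-> outside 77.77.77.77.
# An inside-bound reply is rewritten outside -> inside, which is what the ALG does.
STATIC_NAT = {"77.77.77.77": "10.0.0.1"}


def _encode_name(name):
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_a_reply(name, ip, txid=0x1234, ttl=300):
    """Constructed DNS response: one question and one A answer.

    The answer's name is a compression pointer (0xC00C) back to the question name,
    exactly as most real resolvers emit it, so the parser below must handle pointers.
    """
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, 1 Q, 1 A
    question = _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answer = (b"\xC0\x0C"
              + struct.pack("!HHIH", 1, 1, ttl, 4)            # TYPE=A, CLASS=IN, TTL, RDLEN
              + ipaddress.IPv4Address(ip).packed)
    return header + question + answer


def _skip_name(pkt, off):
    """Return the offset just past the name at `off`, handling compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:                 # root label ends an uncompressed name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def doctor_dns_reply(pkt, nat_table=STATIC_NAT):
    """Apply the NAT DNS ALG rewrite to every A record in the answer section.

    Returns (rewritten_packet, list of answer addresses after rewriting).
    Passing an empty nat_table shows what the client would see with the ALG off.
    """
    pkt = bytearray(pkt)
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:       # A record, class IN
            ip = str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            if ip in nat_table:                              # address has a NAT entry: rewrite in place
                ip = nat_table[ip]
                pkt[off:off + 4] = ipaddress.IPv4Address(ip).packed
            answers.append(ip)
        off += rdlen
    return bytes(pkt), answers


if __name__ == "__main__":
    reply = build_a_reply("mydomain.com", "77.77.77.77")
    _, without_alg = doctor_dns_reply(reply, {})
    _, with_alg = doctor_dns_reply(reply)
    print("ISP answer as sent:        ", without_alg)
    print("ISP answer after NAT ALG:  ", with_alg)
```

The quickest check that the ALG is what you are seeing is to query the ISP's resolver from a host outside the router (or from the router itself) and again from an inside host; if only the inside query returns a private address, the reply is being rewritten in transit rather than served that way. On IOS releases that expose it, the DNS payload fix-up is controlled by `ip nat service alg udp dns` (and its `tcp` counterpart), so `no ip nat service alg udp dns` turns the rewrite off; confirm the command is present on the running 12.4 image before relying on it.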