Disable DNS Doctoring on Cisco 1841

pestebogdan
Level 1

Hello,

I have a Cisco 1841 Router, with the IOS version c1841-ipbase-mz.124-3i.bin. I have a static NAT entry in the running config, such as:

ip nat inside source static 10.0.0.1 77.77.77.77

The network layout is attached. Whenever someone in my internal network sends a DNS request for mydomain.com to the ISP's DNS server, instead of returning 77.77.77.77 it returns 172.16.0.10, which would be the DMZ IP of my firewall.

I understand DNS Doctoring (Rewriting) is the reason this happens.

Is there any way I can disable it?

Thank you.


John Blakley
VIP Alumni

This may be a silly question, but are your clients using an internal DNS server that has the internal ip mapped to the "mydomain.com" domain name?

If so, delete that record and see if that solves your issue.

HTH,

John


Okay, the situation is a little bit more complicated than illustrated in the schematic. The original question was: "How do I disable DNS doctoring?", but I guess I owe an explanation, so I don't look like an idiot :)

OK, of course I have an internal DNS server that resolves just fine. Here is the real problem:

I have a Windows XP VPN client that initiates a VPN connection to the Firewall/VPN Server (Windows XP ISA Server). Of course, the routing table on the client looks something like:

0.0.0.0 0.0.0.0 via <> metric 1

0.0.0.0 0.0.0.0 via <> metric 10

In other words, the preferred gateway is the VPN connection, which is how it should be.

However, the first DNS server interrogated by my VPN client isn't the internal DNS server defined on the PPP connection, it's the server defined on my wired connection, because that is the "preferred adapter".

I know, I tried to modify the "default adapter", but believe me, in XP SP3 it doesn't work; even Microsoft acknowledges that.

Back to my scenario: my VPN client sends a DNS request, which is carried through the VPN tunnel (because it's the preferred route), NATed out by my firewall, then SNATed out by my router, and I get the DNS record mydomain.com --> 172.16.0.10, simply because the request was sent through my VPN connection.

So, if I have, say, an FTP server with the local IP 192.168.0.10, defined in the ISP's DNS as 77.77.77.77, then my DNS reply would come back as 172.20.0.10, in which case I run into all sorts of problems (take my word on it, it doesn't work).

So, any ideas? If I managed to disable DNS doctoring, then it would be OK.
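Added example, not from this thread or from either poster: the static NAT entry quoted in the question as it stands, beside the same entry with the `no-payload` keyword, which makes IOS NAT translate only the IP header of the mapped traffic and leave addresses embedded in the payload alone. The A-record rewrite the thread calls DNS doctoring is exactly that payload translation, so this turns it off for the one mapping without touching the rest of the NAT configuration. The `show` commands at the end are assumed to be run from enable mode; whether this particular 12.4(3) image accepts `no-payload` on the static form should be confirmed with `?` before relying on it.

```cisco
! As posted: static NAT with payload translation enabled (the default).
! A DNS reply from the ISP's server carrying A = 77.77.77.77 is rewritten
! to the inside address when it crosses the NAT boundary on the 1841.
ip nat inside source static 10.0.0.1 77.77.77.77

! Replacement: same mapping, but the payload (DNS ALG) rewrite is disabled.
! Remove the existing entry first; IOS rejects an overlapping static entry
! for the same local/global pair.
no ip nat inside source static 10.0.0.1 77.77.77.77
ip nat inside source static 10.0.0.1 77.77.77.77 no-payload

! Confirm the keyword is accepted on this image (type ? instead of the keyword
! to list what the static form supports), then check the entry took:
show running-config | include ip nat inside source static
show ip nat translations
```

The caveat a practitioner would want: once the payload rewrite is off, any host on the inside that queries the ISP's DNS gets 77.77.77.77 back and will try to reach its own server through the outside address. Classic IOS NAT does not hairpin inside-to-inside traffic through an inside global address, so those hosts must keep using the internal DNS server (as the internal hosts in this thread already do); the change only helps the clients, such as the VPN user here, that are actually sitting outside the NAT boundary when the reply comes back.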
