I have a Cisco 1841 Router, with the IOS version c1841-ipbase-mz.124-3i.bin. I have a static NAT entry in the running config, such as:
ip nat inside source static 10.0.0.1 18.104.22.168
The network layout is attached. Whenever someone in my internal network sends a DNS request for mydomain.com to the ISP's DNS server, instead of returning 22.214.171.124 it returns 172.16.0.10, which would be the DMZ IP of my firewall.
I understand DNS Doctoring (Rewriting) is the reason this happens.
Okay, the situation is a little bit more complicated than illustrated in the schematic. The original question was: "How do I disable DNS doctoring", but I guess I owe an explanation, so I don't look like an idiot :)
OK, of course I have an internal DNS server that resolves just fine. Here is the real problem:
I have a Windows XP VPN client who initiates a VPN connection to the Firewall/VPN Server (Windows XP ISA Server). Of course, the routing table on the client looks something like:
0.0.0.0 0.0.0.0 via <> metric 1
0.0.0.0 0.0.0.0 via <> metric 10
In other words, the preferred gateway is the VPN connection, which is how it should be.
However, the first DNS server interrogated by my VPN client isn't the internal DNS server defined on the PPP Connection, it's the server defined on my Wired Connection, because that is the "preferred adapter".
I know, I tried to modify the "default adapter" but believe me, in XP SP3 it doesn't work, even Microsoft acknowledges that.
Back to my scenario, my VPN client sends a DNS Request, which is carried through the VPN Tunnel (because it's the preferred route), NATed out of my Firewall, then SNATed out of my router, and I get the DNS record: mydomain.com --> 172.16.0.10, simply because the request was sent through my VPN connection.
So, if I have say an FTP server with the local IP 192.168.0.10, defined in the ISP's DNS as 126.96.36.199, then my DNS request would come back as 172.20.0.10, in which case I run into all sorts of problems (take my word on it, it doesn't work).
So, any ideas? If I managed to disable DNS doctoring then it would be OK.
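To make the behaviour in the post concrete, here is an added simulation (my own example, not code from the thread or from Cisco IOS) of what the NAT DNS ALG does to a reply crossing the static NAT entry above: every A record carrying the inside-global address is rewritten to the inside-local one before the reply is forwarded inside. The DNS reply bytes are constructed inline; the second address 192.0.2.5 is a made-up control value that no NAT entry matches.

```python
import struct
from ipaddress import IPv4Address

STATIC_NAT = {"10.0.0.1": "18.104.22.168"}   # inside local -> inside global, as in the post

def build_reply(name, addrs, txid=0x1234):
    """Constructed DNS reply: one question plus one A record per address."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = qname + struct.pack(">HH", 1, 1)          # QTYPE=A, QCLASS=IN
    answers = b""
    for a in addrs:
        # 0xC00C is a compression pointer back to the QNAME at offset 12
        answers += struct.pack(">HHHIH", 0xC00C, 1, 1, 300, 4) + IPv4Address(a).packed
    return header + question + answers

def _skip_name(pkt, off):
    while True:                           # walk labels until a pointer or the root label
        length = pkt[off]
        if length & 0xC0 == 0xC0:         # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += length + 1

def _a_rdata_offsets(pkt):
    """Yield the RDATA offset of every A record in the answer section."""
    qdcount, ancount = struct.unpack(">HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4    # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen

def a_records(pkt):
    return [str(IPv4Address(pkt[off:off + 4])) for off in _a_rdata_offsets(pkt)]

def doctor_reply(pkt, nat=STATIC_NAT):
    """Simulated NAT DNS ALG for a reply entering from outside: global -> local rewrite."""
    global_to_local = {g: l for l, g in nat.items()}
    out = bytearray(pkt)
    for off in _a_rdata_offsets(pkt):
        addr = str(IPv4Address(pkt[off:off + 4]))
        if addr in global_to_local:
            out[off:off + 4] = IPv4Address(global_to_local[addr]).packed
    return bytes(out)
```

Running `a_records(doctor_reply(build_reply("mydomain.com", ["18.104.22.168", "192.0.2.5"])))` shows the first answer rewritten to 10.0.0.1 while the unmatched address passes untouched, which is exactly the effect the post is trying to switch off.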