New Member

NAT DNS inspection

I have a static NAT entry used to translate traffic to our interior DNS server.

Traffic coming from a DNS serverA (nat outside) toward our NATd ip of our DNS serverB needs to inspect and translate the DNS reply.

Server A -> (outside) Cisco 3845 -> (inside) Server B

thanks for looking

1 ACCEPTED SOLUTION

NAT DNS inspection

Hi,

The payload inside the DNS response is only modified if there exists a one-to-one static NAT (not port translation), not with the overload command. This needs to be there along with the DNS server static NAT mapping.

So, for an example, if your internal DNS server B (192.168.1.150) is hosted on the internet using the IP address 24.1.1.2 on UDP port 53, and it has an MX/A record of "www.dnsexample.com" as 192.168.1.100 (private IP address), and this response is sent to an external DNS server which queried for the URL in the first place, then this private IP will not be translated to the public IP UNLESS you have a static NAT configured for this IP for specifically this URL hosting server, e.g.: "ip nat inside source static 192.168.1.100 24.1.1.100"

In short, you need to have a separate NAT entry for the DNS payload IP; otherwise normal PAT or port translation will not do anything to the payload.

You need to have both these commands:

ip nat inside source static udp 192.168.1.150 53 24.1.1.2 53

ip nat inside source static 192.168.1.100 24.1.1.100

** Now, in another scenario which I can think of, if your DNS server B has an MX/A record of "www.dnsexample.com" as a public IP 24.1.1.100, then I don't see any reason why you would want this to be translated to a private IP, as it would render this site unreachable from the internet.

Hope the above explanation helps

Neeraj
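To make the rule in the accepted answer concrete, here is a small added model (not from this thread and not Cisco code) of how a NAT DNS ALG decides whether to rewrite an A record in a reply. The NAT table format and the entry kinds "static", "static-port" and "overload" are assumptions made for illustration; the DNS reply is constructed inline. Only one-to-one static entries feed the rewrite, which is why the port-level entry for the DNS server itself never changes the payload, and why a reply that already carries the public address is left alone.

```python
"""
Model of the NAT DNS payload rewrite described in the accepted answer:
an A record in a DNS reply is rewritten only when the inside address has
a one-to-one static NAT entry. Added example, not Cisco code; the NAT
table format and entry kinds are assumptions for illustration.
"""
import struct
from ipaddress import IPv4Address

# Constructed NAT table mirroring the two commands from the answer.
#   "static"      = one-to-one static NAT      -> payload IS rewritten
#   "static-port" = port-level static NAT      -> payload is NOT rewritten
#   "overload"    = PAT                        -> payload is NOT rewritten
NAT_TABLE = [
    {"kind": "static-port", "inside": "192.168.1.150", "outside": "24.1.1.2", "port": 53},
    {"kind": "static", "inside": "192.168.1.100", "outside": "24.1.1.100"},
]


def one_to_one_map(nat_table):
    """Return {inside_ip: outside_ip} built from one-to-one static entries only."""
    return {e["inside"]: e["outside"] for e in nat_table if e["kind"] == "static"}


def skip_name(buf, off):
    """Return the offset just past the domain name at off (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def rewrite_dns_payload(packet, nat_table):
    """Rewrite A-record rdata in the answer section using one-to-one static NAT only.

    Returns (new_packet, [(inside_ip, outside_ip), ...]) listing what was changed.
    """
    mapping = one_to_one_map(nat_table)
    buf = bytearray(packet)
    qdcount, ancount = struct.unpack_from("!HH", buf, 4)
    off = 12                                   # fixed 12-byte DNS header
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4          # skip QTYPE + QCLASS
    rewritten = []
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            inside = str(IPv4Address(bytes(buf[off:off + 4])))
            if inside in mapping:
                buf[off:off + 4] = IPv4Address(mapping[inside]).packed
                rewritten.append((inside, mapping[inside]))
        off += rdlen
    return bytes(buf), rewritten


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_a_response(name, ip, txid=0x1234):
    """Construct a minimal DNS response carrying one A answer (constructed sample)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # A, IN
    # Answer name is a pointer to the question name at offset 12.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(ip).packed
    return header + question + answer


def answered_ip(packet):
    """Extract the A address from a one-question, one-answer response."""
    off = skip_name(packet, 12) + 4
    off = skip_name(packet, off) + 10
    return str(IPv4Address(packet[off:off + 4]))


if __name__ == "__main__":
    reply = build_a_response("www.dnsexample.com", "192.168.1.100")
    fixed, changes = rewrite_dns_payload(reply, NAT_TABLE)
    print(answered_ip(fixed), changes)      # with the one-to-one entry: rewritten
    fixed2, changes2 = rewrite_dns_payload(reply, NAT_TABLE[:1])
    print(answered_ip(fixed2), changes2)    # only the port-level entry: unchanged
```

Run with the full table and the answer for www.dnsexample.com comes back as 24.1.1.100; drop the one-to-one entry and the reply still carries 192.168.1.100 toward the outside, which is the symptom the original poster describes.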

4 REPLIES

NAT DNS inspection

You'd have to provide more details about your requirements for our better understanding.

It seems that you might be talking about the DNS doctoring feature in routers, which works in conjunction with NAT. Look it up if that is what you are looking for.

For details about DNS doctoring, you can refer to the following links:

http://blog.instruosolutions.com/2012/03/02/nat-on-a-router-its-usage-in-todays-ever-growing-hosting-environment-over-internet/

Read the "What is IP address "overlapping" within the context of NAT?"

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#gen-nat

Hope it helps

Neeraj

New Member

NAT DNS inspection

Thank you for your response. I've read the second article prior to posting. Here's some more detail.

I understand that when a DNS query is sent across a router that NATs, the payload (query response) is modified with the NATd IP address, assuming a NAT statement or overload is configured on the NATing router.

In this case, a user on the "NAT outside" network queries their DNS server within that network; that DNS server then queries a DNS server on the "NAT inside" network. A static NAT exists on the router, but the DNS reply within the payload is not modified to the NATd IP.

Any insight is appreciated

New Member

NAT DNS inspection

thank you
