NAT DNS inspection

MarekVanco_2
Level 1

I have a static NAT entry used to translate traffic to our interior DNS server.

Traffic coming from a DNS server A (NAT outside) toward the NATed IP of our DNS server B needs to have the DNS reply inspected and translated.

Server A -> (outside) Cisco 3845 -> (inside) Server B

Thanks for looking.

Accepted Solution

Hi,

The payload inside the DNS response is only modified if there exists a one-to-one static NAT (not port translation), not with the overload command. This needs to be there along with the DNS server static NAT mapping.

So, for an example: if your internal DNS server B (192.168.1.150) is hosted on the internet using the IP address 24.1.1.2 on UDP port 53, and it has an MX/A record of "www.dnsexample.com" as 192.168.1.100 (private IP address), and this response is sent to an external DNS server which queried for the URL in the first place, then this private IP will not be translated to the public IP UNLESS you have a static NAT configured for this IP, specifically for this URL hosting server, e.g. "ip nat inside source static 192.168.1.100 24.1.1.100".

In short, you need to have a separate NAT entry for the DNS payload IP; otherwise normal PAT or port translation will not do anything to the payload.

You need to have both these commands:

ip nat inside source static udp 192.168.1.150 53 24.1.1.2 53

ip nat inside source static 192.168.1.100 24.1.1.100

** Now, in another scenario which I can think of: if your DNS server B has an MX/A record of "www.dnsexample.com" as a public IP 24.1.1.100, then I don't see any reason why you would want this to be translated to a private IP, as it would render this site unreachable from the internet.

Hope the above explanation helps.

Neeraj
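To make the rule in this answer easy to check without a router, here is a small Python model of the NAT DNS payload fix-up described above. It is an added example, not code from this thread or from Cisco IOS: it parses "ip nat inside source static" lines into one-to-one and port-specific entries, builds a constructed DNS response from server B carrying the A record 192.168.1.100, and rewrites the A-record data only when a one-to-one static entry exists for that address. The packet, the config lines and the simplifying assumption that only A records in the answer section are examined are all mine.

```python
# Added example (not from the thread or from IOS): a model of the NAT DNS
# payload rule Neeraj describes. Config lines and the DNS packet are constructed.
import ipaddress
import struct

STATIC_PREFIX = ["ip", "nat", "inside", "source", "static"]


def parse_static_nat(config_lines):
    """Split static NAT commands into one-to-one and port-specific entries.

    Only one-to-one entries (no protocol/port) qualify for payload translation;
    'static udp ... 53 ...' entries and PAT/overload never touch the payload.
    """
    one_to_one = {}      # inside_local -> inside_global
    port_specific = {}   # (proto, inside_local, port) -> (inside_global, port)
    for line in config_lines:
        parts = line.split()
        if parts[:5] != STATIC_PREFIX:
            continue
        rest = parts[5:]
        if rest[0] in ("tcp", "udp"):
            port_specific[(rest[0], rest[1], int(rest[2]))] = (rest[3], int(rest[4]))
        else:
            one_to_one[rest[0]] = rest[1]
    return one_to_one, port_specific


def build_a_response(txid, name, addr, ttl=300):
    """Build a minimal DNS response: one question and one A-record answer."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)           # QTYPE A, QCLASS IN
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:      # compression pointer occupies two bytes
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def a_record_offsets(buf):
    """Yield (rdata_offset, dotted_address) for each A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4                     # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _, _, rdlength = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rdlength == 4:
            yield off, str(ipaddress.IPv4Address(buf[off:off + 4]))
        off += rdlength


def translate_dns_payload(packet, one_to_one):
    """Rewrite A records whose address has a one-to-one static entry.

    Returns the (possibly unchanged) packet and the list of (old, new) rewrites.
    """
    out = bytearray(packet)
    rewrites = []
    for off, addr in a_record_offsets(packet):
        if addr in one_to_one:
            out[off:off + 4] = ipaddress.IPv4Address(one_to_one[addr]).packed
            rewrites.append((addr, one_to_one[addr]))
    return bytes(out), rewrites


def simulate(config_lines, packet):
    """Apply the payload rule derived from a NAT config to one DNS response."""
    one_to_one, _ = parse_static_nat(config_lines)
    return translate_dns_payload(packet, one_to_one)


if __name__ == "__main__":
    reply = build_a_response(0x1234, "www.dnsexample.com", "192.168.1.100")
    only_port_nat = ["ip nat inside source static udp 192.168.1.150 53 24.1.1.2 53"]
    with_payload_nat = only_port_nat + ["ip nat inside source static 192.168.1.100 24.1.1.100"]
    for cfg in (only_port_nat, with_payload_nat):
        out, changes = simulate(cfg, reply)
        print(len(cfg), "NAT entries ->", [a for _, a in a_record_offsets(out)], changes)
```

With only the UDP/53 entry the reply leaves the router still carrying 192.168.1.100; adding the one-to-one entry for 192.168.1.100 is what makes the answer section read 24.1.1.100. The second scenario in the answer also falls out of the model: a record that already holds 24.1.1.100 matches no inside-local address and is left alone.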


4 Replies

Neeraj Arora
Level 3

You'd have to provide more details about your requirements for our better understanding.

It seems that you might be talking about the DNS doctoring feature in routers, which works in conjunction with NAT. Look it up if that is what you are looking for.

For details about DNS doctoring, you can refer to the following links:

http://blog.instruosolutions.com/2012/03/02/nat-on-a-router-its-usage-in-todays-ever-growing-hosting-environment-over-internet/

Read the "What is IP address "overlapping" within the context of NAT?"

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#gen-nat

Hope it helps

Neeraj

Thank you for your response. I've read the second article prior to posting. Here's some more detail.

I understand that when a DNS query is sent across a router that NATs, the payload (query response) is modified with the NATed IP address, assuming a NAT statement or overload is configured on the NATing router.

In this case, a user on the "NAT outside" network queries their DNS server within that network; that DNS server then queries a DNS server on the "NAT inside" network. A static NAT exists on the router, but the DNS reply within the payload is not modified to the NATed IP.

Any insight is appreciated.


Thank you.
