03-06-2012 12:02 PM - edited 03-04-2019 03:34 PM
I have a static NAT entry used to translate traffic to our interior DNS server.
Traffic coming from DNS server A (NAT outside) toward the NATed IP of our DNS server B needs the DNS reply to be inspected and translated.
Server A -> (outside) Cisco 3845 -> (inside) Server B
Thanks for looking.
03-08-2012 01:14 AM
You'd have to provide more details about your requirements for our better understanding.
It seems that you might be talking about the DNS doctoring feature in routers, which works in conjunction with NAT. Look it up if that is what you are looking for.
For details about DNS doctoring, you can refer to the following links:
Read the "What is IP address "overlapping" within the context of NAT?"
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#gen-nat
Hope it helps.
Neeraj
03-08-2012 10:09 AM
Thank you for your response. I've read the second article prior to posting. Here's some more detail.
I understand that when a DNS query is sent across a router that NATs, the payload (query response) is modified with the NATed IP address, assuming a NAT statement or overload is configured on the NATing router.
In this case, a user on the "NAT outside" network queries their DNS server within that network, and that DNS server then queries a DNS server on the "NAT inside" network. A static NAT exists on the router, but the DNS reply within the payload is not modified to the NATed IP.
Any insight is appreciated.
03-11-2012 09:59 AM
Hi,
The payload inside the DNS response is only modified if there exists a one-to-one static NAT (not port translation), not with the overload command. This needs to be there along with the DNS server static NAT mapping.
So, for an example: if your internal DNS server B (192.168.1.150) is hosted on the internet using the IP address 24.1.1.2 on UDP port 53, and it has an MX/A record for "www.dnsexample.com" of 192.168.1.100 (a private IP address), and this response is sent to an external DNS server which queried for the URL in the first place, then this private IP will not be translated to the public IP UNLESS you have a static NAT configured for this IP, specifically for the server hosting this URL, e.g. "ip nat inside source static 192.168.1.100 24.1.1.100".
In short, you need to have a separate NAT entry for the IP in the DNS payload; otherwise normal PAT or port translation will not do anything to the payload.
You need to have both these commands:
ip nat inside source static udp 192.168.1.150 53 24.1.1.2 53
ip nat inside source static 192.168.1.100 24.1.1.100
** Now, in another scenario which I can think of: if your DNS server B has an MX/A record for "www.dnsexample.com" of a public IP, 24.1.1.100, then I don't see any reason why you would want this to be translated to a private IP, as it would render this site unreachable from the internet.
Hope the above explanation helps.
Neeraj
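To make the behaviour described in the answer above concrete, here is an added example (not from the original thread and not Cisco's own code) that models what a NAT router's DNS ALG does to the payload of a DNS reply: it walks the resource records of a response and rewrites the RDATA of A records whose inside address has a one-to-one static entry, while leaving addresses that only have a port-level static or PAT entry untouched. The NAT table, the transaction IDs, the hostnames and the packet bytes are all constructed for the example; the rule "only one-to-one static entries rewrite the payload" is the answer's claim being modelled, not a statement about IOS internals.

```python
import struct
import ipaddress

# Constructed NAT table modelled on the two commands in the answer:
#   ip nat inside source static udp 192.168.1.150 53 24.1.1.2 53   (port-level static)
#   ip nat inside source static 192.168.1.100 24.1.1.100          (one-to-one static)
# Tuple layout: (inside_ip, inside_port, outside_ip, outside_port); None = no port translation.
NAT_TABLE = [
    ("192.168.1.150", 53, "24.1.1.2", 53),
    ("192.168.1.100", None, "24.1.1.100", None),
]


def one_to_one_map(table):
    """Only entries without port translation take part in payload (DNS doctoring) rewrites."""
    return {inside: outside for inside, iport, outside, oport in table
            if iport is None and oport is None}


def _skip_name(pkt, off):
    """Return the offset just past a DNS name (handles RFC 1035 compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def _iter_rrs(pkt):
    """Yield (rtype, rclass, rdata_offset, rdlength) for every RR after the question section."""
    qdcount, ancount, nscount, arcount = struct.unpack_from("!4H", pkt, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def a_records(pkt):
    """All IN A record addresses in the packet, as dotted strings."""
    return [str(ipaddress.IPv4Address(bytes(pkt[o:o + 4])))
            for t, c, o, n in _iter_rrs(pkt) if t == 1 and c == 1 and n == 4]


def doctor_dns_response(pkt, nat_map):
    """Rewrite A-record RDATA per the one-to-one map. Returns (new_packet, [(inside, outside), ...])."""
    out = bytearray(pkt)
    rewrites = []
    for rtype, rclass, off, rdlen in _iter_rrs(out):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            inside = str(ipaddress.IPv4Address(bytes(out[off:off + 4])))
            outside = nat_map.get(inside)
            if outside:
                out[off:off + 4] = ipaddress.IPv4Address(outside).packed
                rewrites.append((inside, outside))
    return bytes(out), rewrites


def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")) + b"\x00"


def build_a_response(txid, name, ip, ttl=300):
    """Constructed reply from the inside DNS server: one question, one A answer (name via pointer to 0x0c)."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


if __name__ == "__main__":
    nat_map = one_to_one_map(NAT_TABLE)
    # Case 1: record points at a host with a one-to-one static entry -> payload is doctored.
    reply = build_a_response(0x1234, "www.dnsexample.com", "192.168.1.100")
    doctored, changes = doctor_dns_response(reply, nat_map)
    print("www.dnsexample.com:", a_records(reply), "->", a_records(doctored), changes)
    # Case 2: record points at the DNS server itself, which only has a port-level static -> untouched.
    reply2 = build_a_response(0x1235, "ns.dnsexample.com", "192.168.1.150")
    doctored2, changes2 = doctor_dns_response(reply2, nat_map)
    print("ns.dnsexample.com:", a_records(reply2), "->", a_records(doctored2), changes2)
```

The second case is the symptom from the original question: a reply carrying a private address that has no one-to-one static mapping passes through unchanged even though the server's port 53 is statically mapped. Adding a one-to-one `ip nat inside source static` line for the address in the record is what makes the first case rewrite.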
03-20-2012 11:06 AM
Thank you.