Cisco Routers, NAT and DNS... going off topic a bit.

Pelletier, Michael Michael.Pelletier at sycamorenet.com
Mon Jul 2 16:09:34 UTC 2001




-----Original Message-----
From: Marc.Thach at radianz.com [mailto:Marc.Thach at radianz.com]
Sent: Monday, July 02, 2001 11:28 AM
To: Pelletier, Michael
Cc: bind-users at isc.org
Subject: RE: Cisco Routers, NAT and DNS... going off topic a bit.



Michael,
I don't want to get into a big personal argument in defence of Cisco,
particularly since they haven't bought me a beer in months :-)   I grant
you that maybe Cisco should have made the ALG defeatable for you and those
with the same problem that you have, whatever that is, but I think you're
being pretty unreasonable.

Unreasonable??? If being unreasonable is requesting a vendor to supply a
solution that does not break a very simple architecture then yes, I am being
unreasonable. I request from all my vendors a quality solution in all
respects.

> Well, First NAT should do translating of IP address from private to public
and public to private. This is what NAT was created for.

This is like saying that IP was designed to deliver packets, true at a very
naive level but not very illuminating, given that the overall purpose was
to enable government communications to function even after a nuclear strike
on the US. About NAT, RFC1631 says somewhere near the start: "The two most
compelling problems facing the IP Internet are IP address depletion and
scaling in routing", not "let's all translate IP headers for fun and
confusion".  If this is the basis of your argument, then any further
conclusions built on this will be flawed.

What??? Where does it say in the RFC that NAT will not only translate
public to private and private to public addresses for the purposes of
extending IP address space and totally screw up your NATTED DNS in the
process? I don't recall that anywhere in the RFC. In fact this is Cisco's
"add on feature".

> It was not created
> to translate application level DNS queries. And if Cisco decided to add
> this, then, at least add it so it works. It should not F'up DNS queries.
> This is not within the realm of NAT or PAT. This is in affect, a Cisco
> "feature" that totally Screws up the ability to NAT a DNS server.

To be of use to solve a wide set of problems, ALGs are necessary.  Do you
object to the ALG that "F'up"s the ftp control channel?  DNS translation
isn't the goal, but it is an integral part of the solution.

If an ALG is added then it should work. The DNS ALG just does not work.
Cisco has admitted this to me and yes, I have an open ticket.

> Cisco
> should step up to the plate and allow their customers to turn off this
> useless "feature".

I guess they didn't foresee your requirement.

I guess they did not see their customers' requirement. You know the
requirement that says something about the code working correctly....

> By the way, views will not work either. I can give you
> more of a technical reason where specifically it is broken if you wish.

I didn't suggest that views would work for you, merely that in the absence
of views, with one DNS serving clients inside and outside the NAT, DNS
translation is necessary.  I am certainly curious as to the nature of your
problem.

> Why NAT my DNS servers? Well, why not?

Why not? because in your case it doesn't work! Isn't that a good enough
reason?  NAT is a necessary evil, only use where necessary.  It breaks the
end-to-end paradigm on which IP was founded.  "There are limitations to
using the translation method." - RFC 3022.

Well, it would work if I were using another vendor's router...Is that good
enough?

> Why should Cisco limit what I can accomplish with other vendor's routers
> that don't have this stupid
> "feature". They added code that breaks how 99% of people use NAT for a very
> rare and temporary case.

"Traditional NAT" as described in RFC3022 does not require the ALG, and the
Cisco ALG does not operate in this case.  If you find that it does, then
you have a different version of IOS to me, and you should raise a bug
report to Cisco.  Equally, if the ALG is not working as described in some
other manner, then there may be a bug and I for one would be very
interested to know about it.


There is a bug, and I have been working with Cisco on it. They should provide
a more "Traditional NAT"...

> I am surprised Cisco would do something so irresponsible. I am a Cisco
certified CCNP. I am seriously reconsidering
> Cisco as a whole...

"DNS/ALG - a special case of the NAT/ALG, where an ALG for the DNS service
interacts with the NAT component to modify the contents of a DNS response."
- RFC2993
"Address translation is application independent and often accompanied by
application specific gateways (ALGs) to perform payload monitoring and
alterations." - RFC3022.
etc, etc, there are loads more references.  Cisco are in good company with
this feature.

I beg to differ. If you want I will send you the sniffer traces...IT DOES
NOT WORK. Do you own stock in the company? Stop wasting my time.


Marc TXK
________________________________________________________________________
The views expressed are personal and do not necessarily reflect those of
the organisation providing the mail address from which this message was
sent
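The rewriting that RFC 2993 calls a DNS/ALG, shown as an added illustration that is not part of this thread and not any vendor's implementation: a NAT binding table, a constructed DNS response, and the ALG step that swaps inside A-record addresses for their outside bindings while leaving addresses with no binding untouched (the traditional-NAT case of RFC 3022). The addresses and names are hypothetical sample values.

```python
import struct
import ipaddress

# Constructed NAT binding table: inside (private) -> outside (public) address.
# Hypothetical sample values, not taken from the thread.
NAT_TABLE = {"10.1.1.53": "203.0.113.53", "10.1.1.80": "203.0.113.80"}

def skip_name(msg, off):
    """Return the offset just past the DNS name at off (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:                  # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def build_response(qname, addr):
    """Construct a minimal DNS response (one question, one A answer) as sample input."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # id, flags, qd, an, ns, ar
    question = name + struct.pack("!HH", 1, 1)                     # QTYPE A, QCLASS IN
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)     # ptr to qname; A IN TTL RDLEN
              + ipaddress.IPv4Address(addr).packed)
    return header + question + answer

def dns_alg_rewrite(msg, table):
    """Rewrite A-record RDATA in the answer section the way a NAT DNS/ALG does (RFC 2993).
    Addresses with no binding in the table pass through unchanged.
    Returns (rewritten message, list of (inside, outside) substitutions)."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                # skip QTYPE and QCLASS
    rewrites = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                # A record: 4-byte IPv4 RDATA
            inside = str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            if inside in table:
                out[off:off + 4] = ipaddress.IPv4Address(table[inside]).packed
                rewrites.append((inside, table[inside]))
        off += rdlen
    return bytes(out), rewrites
```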
