Cisco Routers, NAT and DNS...

Marc.Thach at radianz.com Marc.Thach at radianz.com
Fri Jun 29 16:14:06 UTC 2001



Michael,
I reckon the 99% "general way" that people use NAT is this: simple NAT or
NAPT for the purpose of putting more IP clients onto the Internet than they
have available registered address space.  It is not to run
externally-accessible DNS servers.  If we are concerned with the
design/build of DNS systems we need to accept the limitations of NAT and
understand how NAT interacts with the DNS.  Why are you NATting your DNS
server at all?  As I understand it (but have not tested this), if the DNS
request/response does not hit the NAT module in the IOS, then the DNS ALG
does not get to "mess with" the DNS packet, so why NAT the DNS server at
all?

Step back a bit.  The DNS ALG was designed before BIND 9 views were
available.  It was designed so that clients external to a NATted network
could access servers on that network, just as well as clients on the
internal network.  Where the NAT is static, it could be argued that BIND 9
views are the solution.  Where the NAT translations are dynamic, a
DNS-response-triggered NAT entry is the only convenient way of creating the
translation entry.  In either the static or dynamic case a DNS response
carrying an address which is valid on the internal side of the NAT but not
on the other side will need to be altered accordingly.  The ALG isn't
perfect; it can't be.  Maybe it should be defeatable, but in that case I
say again:  why NAT the DNS server at all?  Maybe it should allow
transparency where the address returned doesn't have a corresponding
translation or NAT pool entry, rather than (according to the docs) dropping
the packet.  I guess I know why they did it that way, and though it may not
be generally applicable, it is a good idea based on the original design
requirement.

BTW the doc that Simon linked to:
http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/tech/emios_wp.htm
describes twice-NAT, which is more complex than simple NAT (and IMO best
avoided for general Internet connectivity).

Marc TXK
________________________________________________________________________
The views expressed are personal and do not necessarily reflect those of
the organisation providing the mail address from which this message was
sent
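A small model of the rewrite Marc describes above (an A record whose address is valid only inside the NAT gets its RDATA translated, and a response with no matching translation is dropped, as the thread says the docs describe). This is an added example, not part of the thread and not Cisco's ALG code; the names, addresses and the static NAT table are constructed for illustration.

```python
import struct

# Constructed static NAT table (inside-local -> inside-global); documentation addresses.
NAT_TABLE = {"10.0.0.53": "203.0.113.53", "10.0.0.80": "203.0.113.80"}

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_a_response(name: str, addr: str, txn_id: int = 0x1234, ttl: int = 300) -> bytes:
    """Minimal DNS response: one question, one A answer, no name compression."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, NOERROR
    question = encode_name(name) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    rdata = bytes(int(o) for o in addr.split("."))
    return header + question + encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:   # compression pointer (2 bytes) ends the name
            return off + 2
        off += 1 + ln

def alg_translate(msg: bytes, table: "dict[str, str]") -> "bytes | None":
    """Model of the NAT DNS ALG: rewrite the RDATA of each A record that has a NAT entry.
    Returns None (packet dropped, per the documented behaviour the thread refers to)
    when an A record carries an address with no translation; all other bytes are kept."""
    out = bytearray(msg)
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record: 4-byte IPv4 RDATA
            inside = ".".join(str(b) for b in msg[off:off + 4])
            if inside not in table:
                return None
            out[off:off + 4] = bytes(int(o) for o in table[inside].split("."))
        off += rdlen
    return bytes(out)

def answer_address(msg: bytes) -> str:
    off = skip_name(msg, 12) + 4                 # past the single question
    off = skip_name(msg, off) + 10               # past the answer's name and fixed fields
    return ".".join(str(b) for b in msg[off:off + 4])  # dotted address of the first answer
```

Running `alg_translate` on a response from an internal server shows exactly which bytes an ALG changes (only the A RDATA; header, names and TTL stay intact), which is what a packet capture on either side of the NAT should be compared against when an internal NATted DNS server resolves "wrongly".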




"Pelletier, Michael" <Michael.Pelletier at sycamorenet.com>
Sent by: bind-users-bounce at isc.org
28/06/2001 15:57
To: "'Marc.Thach at radianz.com'" <Marc.Thach at radianz.com>, "Pelletier, Michael" <Michael.Pelletier at sycamorenet.com>
cc: bind-users at isc.org
Subject: RE: Cisco Routers, NAT and DNS...

This may be great for migration of two companies with the same addresses.
However, this is about 1% of the time a company is using NAT. 99% of
the time it is used the general way. It totally breaks the structure of
using an internal NATted DNS server. It is a shame that Cisco would not allow
people to turn this "feature" off. Because of this I am looking to replace
the Cisco router here...

-----Original Message-----
From: Marc.Thach at radianz.com [mailto:Marc.Thach at radianz.com]
Sent: Thursday, June 28, 2001 6:22 AM
To: Pelletier, Michael
Cc: bind-users at isc.org
Subject: Re: Cisco Routers, NAT and DNS...



Michael,
Why does this need a fix? Do you actually get incorrect resolution?
Marc TXK


"Pelletier, Michael" <Michael.Pelletier at sycamorenet.com>
Sent by: bind-users-bounce at isc.org
22/06/2001 21:16
To: Bind Users <bind-users at isc.org>
cc:
Subject: Cisco Routers, NAT and DNS...

I have recently discovered that the Cisco routers, when natting, will mess
with a DNS query, coming inside to my DNS server. Has anyone else
experienced this? Does anyone else know of a fix?


Thanks,