Cisco NAT modifying DNS queries?

[Gantry]

Having a most interesting problem using NAT on a Cisco 2600 series router with a DNS server behind it. I may be crazy, but I think the Cisco is modifying the DNS queries the server is sending back! Here's a quick breakdown

Windows 2000 server - 192.168.1.100
Cisco 2620 Router - 208.xx.xx.33

I believed I used the "ip nat inside source static" command on the router to forward all external 208.xx.xx.36 requests to 192.168.1.100 internal address. This works flawlessly for smtp & www traffic. With DNS implemented, something completely goofy happens. All DNS "A" requests that point to the external 208.xx.xx.36 IP end up returning the router's 208.xx.xx.33 IP!!! Here is my outside test:

----

[gantry@xxx gantry]$ nslookup
> server 208.xx.xx.36
Default server: 208.xx.xx.36
Address: 208.xx.xx.36#53

> mail.xxxx.com
Server: 208.xx.xx.36
Address: 208.xx.xx.36#53

Name: mail.xxxx.com
Address: 208.xx.xx.33

--

Even stranger is when I try to query any address that ins't ponting to 208.xx.xx.36, the name server will simply timeout! So in recap - external queries to 208.xx.xx.36 (which is the NAT'ted IP of the server) will return the router's .33 address & external queries to any other IP will time out. Contrast to running internally:

--

C:\WINNT> nslookup
Address: 192.168.1.100

> mail.xxxx.com

Name: mail.xxxx.com
Address: 208.xx.xx.36

--

Anybody know what is going on? The only thing I can think of is that I'm having a problem with udp....

 

[spidey07]

yes, it will modify NAT queries. This is very usefull when joining two networks that have the same IP networks.

I'll see if I can find a way to disable it.

http://www.cisco.com/warp/public/556/nat-cisco.shtml

http://www.cisco.com/warp/public/556/13.html

http://www.cisco.com/warp/public/cc/pd/iosw/ioft/iofwft/prodlit/iosnt_qp.htm

 

[Gantry]

<<< yes, it will modify NAT queries >>>

You did mean DNS queries, correct? Also, a portscan does show I do not have any udp forwarded. Pretty sure you don't need port 53 udp for DNS if you are using TCP, but just checking...

 

[spidey07]

yeah, I meant DNS queries.

DNS uses UDP for query/answer. TCP for zone transfers between servers.

 

[Gantry]

If you can't beat em, join em...

After reading how overlapping was used when using DNS & NAT, I decided to change my DNS server to point to the Internal IP instead of the external IP. After that, the Cisco NAT correctly modified the DNS query to point to the 208.xx.xx.36 address. This will work and makes internal queries a bit more sane...

Well, if DNS uses udp for queries, then it must be working regardless of what my portscan says...

Per usual Spidey, thanks for the help...

 

[Gantry]

One lingering issue is that all external DNS queries to outside IPs will timeout. This isn't an issue now, but if they did need to point an "A" record to an IP outside their network, the router seems to block it. This seems to contradict what the IOS NAT FAQ says. It should only translate DNS queries for local "A" addresses. Probably means I have something misconfigured, but I'll cross that bridge later...