I am using a Cisco router for my basic ISP connection with a NAT/PAT configuration that translates all client connections to the IPv4 address of the outside interface of the router. Furthermore, I am translating all my static public IPv4 addresses to private ones through static NAT entries. I basically thought, that only the IPv4 addresses in the mere IPv4 packet header would be translated. However, this was not true since I immediately discovered that public DNS addresses are translated to my private IPv4 addresses, too. This was a bit confusing since I have not explicitly configured an application layer gateway (ALG) on that router.
“Google is my friend” and helped me one more time to find out the appropriate solution: The “no ip nat service alg udp dns” keyword to disable the DNS rewrite. (The synonym from Cisco for DNS rewrite is: DNS doctoring.) Here comes a basic example:
I tested the following example on a Cisco router type 1803 with IOS version 12.4(24)T8.
NAT on the Cisco Router
I am using the router for two NAT solutions:
- Translate all outgoing connections to the interface IPv4 address of the router (source NAT with port translation PAT).
- Translate some incoming connections on public IPv4 addresses to static private IPv4 addresses (destination NAT). These NAT entries are also used for outgoing connections from these specific private IPv4 addresses.
Now, I discovered the situation in which a normal IPv4 client (1. NAT rule) made a DNS request to one of my DNS name for external IPv4 addresses (2. NAT rule) and got the answer with the internal private (!) IPv4 address instead of the external public IPv4 address. This is useful in many situations in which the internal clients can/should connect to the internal servers directly. However, I had the case in which I wanted all internal clients to connect to a DMZ server via the external path, i.e., through the appropriate security zones.
no ip nat service alg udp dns
The solution was to disable the per-default-enabled DNS application layer gateway (ALG) on the Cisco router with the following command:
1 |
no ip nat service alg udp dns |
The following two listings from a Linux PC depict the behaviour before and after this command. While in the first “host” command answer the private IPv4 address is shown (line 7), the second one displays the external public IPv4 address for that name (line 16). Of course, the IPv6 addresses remain unchanged and are global unicast addresses anyway:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
weberjoh@jw-vm01:~$ host planes.webernetz.net 8.8.8.8 Using domain server: Name: 8.8.8.8 Address: 8.8.8.8#53 Aliases: planes.webernetz.net has address 192.168.110.12 planes.webernetz.net has IPv6 address 2003:51:6012:110::12 weberjoh@jw-vm01:~$ host planes.webernetz.net 8.8.8.8 Using domain server: Name: 8.8.8.8 Address: 8.8.8.8#53 Aliases: planes.webernetz.net has address 80.154.108.236 planes.webernetz.net has IPv6 address 2003:51:6012:110::12 |
Another Option for Static NAT Entries
Note: For a single static NAT entry, the “no-payload” keyword is an option to disable any ALGs on the router, such as:
1 |
ip nat inside source static 192.168.110.12 80.154.108.236 no-payload |
However, this ONLY disables the ALG for requests coming from this specific private IPv4 address. The “no-payload” keyword does not work for PAT configurations such as “ip nat inside source list 2 interface FastEthernet0 overload”.
One thought on “Cisco Router: Disable DNS Rewrite ALG for Static NATs”