
A workaround for NAT rewriting DNS packets

When the IP address of the host (on the outside) making a DNS query appears in the answer, the Cisco NAT fails to forward the DNS reply.

This problem came to light when a secondary DNS host couldn't perform a SOA query or a zone transfer from our primary DNS server. The client fails to see any reply packets, even though they make it to the Cisco IOS router. The DNS server receives an ICMP unreachable (when the Cisco IOS router drops the packet).

  • The authoritative DNS server is behind a Cisco IOS NAT (i.e. on the inside).
  • Queries that fail (i.e. whose replies carry no payload and no addresses that could be NATed) behave as expected: the failure comes back immediately.

Assumption: The Cisco NAT fails to rewrite the 'Additional record section' when one of the IP addresses matches the IP address of the host making the DNS query.

Workaround

Disable the NAT from looking into the DNS packets with the 'no-payload' option:

ip nat inside source static tcp 192.168.0.17 53 202.154.159.217 53 no-payload 
ip nat inside source static udp 192.168.0.17 53 202.154.159.217 53 no-payload 

 Note: The 'no-payload' option is only available when an inside global address is specified. If an interface is provided for the global address, then this option (and others) is not available. Thus this workaround requires a static address on the outside interface.
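To make concrete what the 'no-payload' option switches off, here is a simplified Python model of a DNS ALG pass over a reply leaving the inside (an added example; it is not code from this page or from Cisco IOS, whose internal ALG behaviour is not known from the page). It rewrites A rdata that equals the inside-local address to the inside-global address in every section and reports owner names whose A rdata equals the querying host's address, the condition suspected above. The addresses, names and the sample reply are constructed.

```python
import socket
import struct
def _encode_name(name):                               # dotted name -> wire format
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
def _read_name(msg, off):
    """Decode a name, following compression pointers; return (name, offset past it)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                          # pointer: tail lives elsewhere
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
def rewrite_a_records(msg, inside_local, inside_global, querier):
    """Model ALG pass: A rdata == inside_local -> inside_global in all sections.
    Also returns owner names whose A rdata equals the querier (suspected trigger)."""
    out = bytearray(msg)
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):                               # question = name + qtype + qclass
        off = _read_name(msg, off)[1] + 4
    rewritten, collisions = 0, []
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                 # A record
            addr = socket.inet_ntoa(msg[off:off + 4])
            if addr == inside_local:
                out[off:off + 4] = socket.inet_aton(inside_global)
                rewritten += 1
            if addr == querier:
                collisions.append(name)
        off += rdlen
    return bytes(out), rewritten, collisions
def sample_reply():
    """Constructed NS reply: one answer, two additional A records, compressed names."""
    rr = lambda n, t, rd: n + struct.pack("!HHIH", t, 1, 3600, len(rd)) + rd
    hdr = struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 2)
    qname, ptr = _encode_name("example.test"), b"\xc0\x0c"   # 0xC00C -> offset 12
    return (hdr + qname + struct.pack("!HH", 2, 1)
            + rr(ptr, 2, b"\x03ns1" + ptr)
            + rr(b"\x03ns1" + ptr, 1, socket.inet_aton("192.168.0.17"))
            + rr(_encode_name("ns2.example.test"), 1, socket.inet_aton("198.51.100.9")))
```

Running rewrite_a_records(sample_reply(), "192.168.0.17", "203.0.113.5", "198.51.100.9") rewrites one record and reports ns2.example.test as the collision; with 'no-payload' the whole pass is skipped and the reply is forwarded with its payload untouched.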

 

IOS Versions

This issue has been observed with the following IOS versions:

  • c870-advipservicesk9-mz.124-11.XJ4
  • c837-k9o3sy6-mz.124-19.bin

 

Links

http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_nat.html

Appendices

 Log with NAT debug

NAT*: s=192.168.142.1->203.97.8.218, d=202.154.159.217 [31071]
NAT: i: tcp (192.168.142.4, 53) -> (202.154.159.217, 54833) [30340]
NAT (TCP-DNS): Before Translation
NAT: Translation of TCP DNS src 192.168.142.4, dst 202.154.159.217
NAT: Dns type of Response
   : dns len=253, id=0, aa=1, tc=0, rd=0, ra=0
   : opcode=0, rcode=0, qdcount=1
   : ancount=1, nscount=5, arcount=5
     query name is upx.com.au, qtype=6, class=1
Answer section:
   Name='upx.com.au'
   RR type=6, class=1, ttl=2560, data length=52
     MNAME='a.ns.fifthweb.net'
     RNAME='hostmaster.upx.com.au'
     SERIAL=1209308362l, REFRESH=16384l, RETRY=2048, EXPIRE=1048576l, MINIMUM=2560l
Authority section:
   Name='upx.com.au'
   RR type=2, class=1, ttl=14400, data length=2
     NS='a.ns.fifthweb.net'
   Name='upx.com.au'
   RR type=2, class=1, ttl=14400, data length=7
     NS='a.ns.upx.com.au'
   Name='upx.com.au'
   RR type=2, class=1, ttl=14400, data length=4
     NS='b.ns.upx.com.au'
   Name='upx.com.au'
   RR type=2, class=1, ttl=14400, data length=4
     NS='c.ns.upx.com.au'
   Name='upx.com.au'
   RR type=2, class=1, ttl=14400, data length=4
     NS='d.ns.upx.com.au'
Additional record section:
   Name='a.ns.fifthweb.net'
   RR type=1, class=1, ttl=7200, data length=4
     IP=203.97.8.218
   Name='a.ns.upx.com.au'
   RR type=1, class=1, ttl=14400, data length=4
     IP=203.97.8.218
   Name='b.ns.upx.com.au'
   RR type=1, class=1, ttl=14400, data length=4
     IP=150.101.116.192
   Name='c.ns.upx.com.au'
   RR type=1, class=1, ttl=14400, data length=4
     IP=202.154.159.217
   Name='d.ns.upx.com.au'
   RR type=1, class=1, ttl=14400, data length=4
     IP=72.249.18.30
 mapping pointer available mapping:0
NAT: translation failed (A), dropping packet s=192.168.142.4 d=202.154.159.217 [30340]

 Log extract showing the NAT failing

.Apr 29 17:41:32: NAT: translation failed (A), dropping packet s=192.168.142.4 d=150.101.116.192 [4273]
.Apr 29 17:41:32: IP: s=192.168.142.4 (Vlan1), d=150.101.116.192 (FastEthernet4), len 189, dispose ip.noroute
.Apr 29 17:41:32:     UDP src=53, dst=32799

Show ip packet log, with 3 attempts by dig

dig makes three unsuccessful attempts at the DNS query; each time the reply packet is not forwarded.

Apr 28 23:38:14: IP: tableid=0, s=72.249.18.30 (FastEthernet4), d=192.168.142.4 (Vlan1), routed via FIB
Apr 28 23:38:14: IP: s=72.249.18.30 (FastEthernet4), d=192.168.142.4 (Vlan1), g=192.168.2.2, len 64, forward
Apr 28 23:38:14:     UDP src=4088, dst=53
Apr 28 23:38:14: IP: tableid=0, s=192.168.142.4 (Vlan1), d=72.249.18.30 (FastEthernet4), routed via FIB

Apr 28 23:38:19: IP: tableid=0, s=72.249.18.30 (FastEthernet4), d=192.168.142.4 (Vlan1), routed via FIB
Apr 28 23:38:19: IP: s=72.249.18.30 (FastEthernet4), d=192.168.142.4 (Vlan1), g=192.168.2.2, len 64, forward
Apr 28 23:38:19:     UDP src=4088, dst=53
Apr 28 23:38:19: IP: tableid=0, s=192.168.142.4 (Vlan1), d=72.249.18.30 (FastEthernet4), routed via FIB

Apr 28 23:38:24: IP: tableid=0, s=72.249.18.30 (FastEthernet4), d=192.168.142.4 (Vlan1), routed via FIB
Apr 28 23:38:24: IP: s=72.249.18.30 (FastEthernet4), d=192.168.142.4 (Vlan1), g=192.168.2.2, len 64, forward
Apr 28 23:38:24:     UDP src=4088, dst=53
Apr 28 23:38:24: IP: tableid=0, s=192.168.142.4 (Vlan1), d=72.249.18.30 (FastEthernet4), routed via FIB

 

Successful DNS query, with show ip packet

 

Apr 28 23:53:59: IP: tableid=0, s=59.167.246.75 (FastEthernet4), d=192.168.142.4 (Vlan1), routed via FIB
Apr 28 23:53:59: IP: s=59.167.246.75 (FastEthernet4), d=192.168.142.4 (Vlan1), g=192.168.2.2, len 58, forward
Apr 28 23:53:59:     UDP src=34609, dst=53
Apr 28 23:53:59: IP: tableid=0, s=192.168.142.4 (Vlan1), d=59.167.246.75 (FastEthernet4), routed via FIB
Apr 28 23:53:59: IP: s=203.97.8.218 (Vlan1), d=59.167.246.75 (FastEthernet4), g=203.97.8.217, len 189, forward
Apr 28 23:53:59:     UDP src=53, dst=34609