Network address translation of DNS responses

From CT3


By Ivan Pepelnjak

Cisco IOS performs numerous Application Level Gateway (ALG) translations, including translation of IP addresses in DNS reply packets. The DNS ALG translation is performed only for the static NAT translations configured with ip nat inside source static and ip nat outside source static commands without the route-map option.

NAT DNS translation does not work for addresses allocated from a NAT pool when the translation using that pool specifies the overload option, nor for overloaded interface addresses, static PAT mappings, or static NAT mappings with a route-map option.


Sample network

All the examples in this article use a simple network with an inside and an outside server displayed in Figure 1.

Figure 1: Simple network using NAT

The NAT router has the following configuration:

version 12.4
no service timestamps debug uptime
service timestamps log datetime msec
no service password-encryption
!
hostname NAT
!
!
interface FastEthernet0/0
 description Outside
 ip address 192.168.0.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 description Inside
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip nat log translations syslog
ip nat inside source list Inside interface FastEthernet0/0 overload
ip nat inside source static 10.0.0.5 192.168.0.10 extendable
!
ip access-list standard Inside
 permit 10.0.0.0 0.0.0.255
!
end

DNS requests to inside DNS server

If an outside client makes a DNS request to an inside DNS server, the router translates local inside IP addresses in the response to corresponding global inside IP addresses in the translated response (Figure 2).

Figure 2: DNS query to inside server

You can observe the details of the translation in the next two screenshots from Wireshark. The first one (Figure 3) was taken on the Inside LAN; the IP address in the DNS response is still the original inside local address (10.0.0.5). The second screenshot (Figure 4) was taken on the Outside LAN; the IP address in the DNS response has been translated to the inside global address (192.168.0.2) corresponding to the local address 10.0.0.5.

The router also changes the TTL field in the DNS response. The original DNS response has a TTL of 10 seconds, while the TTL in the translated DNS response is set to zero, which prevents any outside DNS servers from caching the response. This behavior might significantly increase the load on the inside DNS server.

Figure 3: Original DNS response

Figure 4: Translated DNS response

The detailed translations of DNS requests can also be monitored on the router with the debug ip nat detailed command. The DNS query from an outside client to the inside DNS server resulted in the following printout:

NAT: o: udp (192.168.0.2, 62586) -> (192.168.0.10, 53) [0]
NAT (UDP-DNS): Before Translation
NAT: Translation of UDP DNS src 192.168.0.2, dst 192.168.0.10
NAT: Dns type of Query
   : dns len=21, id=11, aa=0, tc=0, rd=1, ra=0
   : opcode=0, rcode=0, qdcount=1
   : ancount=0, nscount=0, arcount=0
NAT (UDP-DNS): After Translation
NAT: Translation of UDP DNS src 192.168.0.2, dst 192.168.0.10
NAT: Dns type of Query
   : dns len=21, id=11, aa=0, tc=0, rd=1, ra=0
   : opcode=0, rcode=0, qdcount=1
   : ancount=0, nscount=0, arcount=0

The DNS response sent by the inside DNS server produced this printout:

NAT: i: udp (10.0.0.5, 53) -> (192.168.0.2, 62586) [11]
NAT (UDP-DNS): Before Translation
NAT: Translation of UDP DNS src 10.0.0.5, dst 192.168.0.2
NAT: Dns type of Response
   : dns len=37, id=11, aa=0, tc=0, rd=1, ra=1
   : opcode=0, rcode=0, qdcount=1
   : ancount=1, nscount=0, arcount=0
     query name is www.example.com, qtype=1, class=1
Answer section:
   Name='www.example.com'
   RR type=1, class=1, ttl=10, data length=4
     IP=10.0.0.5
Authority section:
Additional record section:
NAT: DNS resource record 10.0.0.5 -> 192.168.0.10
NAT (UDP-DNS): After Translation
NAT: Translation of UDP DNS src 10.0.0.5, dst 192.168.0.2
NAT: Dns type of Response
   : dns len=37, id=11, aa=0, tc=0, rd=1, ra=1
   : opcode=0, rcode=0, qdcount=1
   : ancount=1, nscount=0, arcount=0
     query name is www.example.com, qtype=1, class=1
Answer section:
   Name='www.example.com'
   RR type=1, class=1, ttl=0, data length=4
     IP=192.168.0.10
Authority section:
Additional record section:

Usage scenarios

The translation of inside-to-outside DNS responses can be used in scenarios where the same inside (or DMZ) DNS server serves internal clients and external visitors. In most cases, the same effect can be achieved more easily with externally hosted DNS services (most DNS registrars offer hosted DNS); you might need this functionality only in NAT-based multihoming.

Do not forget that the NAT translation of DNS replies works only when the inside server uses NAT (not PAT) translation. Static NAT translations or dynamic translations using pools without the overload option can be used.

DNS requests to outside DNS server

When a DNS reply traverses the outside-to-inside boundary, the NAT router translates all statically mapped inside global addresses into the corresponding inside local addresses (see Figure 5). The translation is performed only if you use static unconditional NAT translation for the inside server (identical to the inside-to-outside scenario).

Figure 5: DNS query to outside server

Usage scenarios

Translation of outside-to-inside DNS responses allows you to design networks where the outside DNS server is used to resolve the IP address of an inside server. For example, www.example.com in Figure 5 could be the company's public web server (hopefully in a more secure environment, not connected to the same inside LAN as the workstations), and the inside clients could access it using the same public DNS server they use to access the Internet.

This technique works only if the publicly accessible inside server uses static NAT translation with no extra options.
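As an added illustration that is not part of the original article or of IOS, the following Python performs the same rewrite the debug printout in the inside-server section shows (A-record RDATA 10.0.0.5 -> 192.168.0.10, TTL 10 -> 0) on a raw DNS response, and passing the inverted map gives the outside-to-inside direction described in this section. The sample packet, the compression-pointer parser and the helper names are constructed assumptions.

```python
import struct
STATIC_NAT = {"10.0.0.5": "192.168.0.10"}   # inside local -> inside global, from the article's config

def _read_name(pkt, off):
    """Return (name, offset after the name), following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                    # two-byte pointer into the packet
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
        elif length == 0:
            break
        else:
            labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length
    return ".".join(labels), (off + 1 if end is None else end)

def parse_answers(pkt):
    """Return answer-section records with the byte offsets of their TTL and RDATA fields."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):                         # skip QNAME, QTYPE, QCLASS
        off = _read_name(pkt, off)[1] + 4
    answers = []
    for _ in range(ancount):
        name, off = _read_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rec = {"name": name, "type": rtype, "ttl": ttl, "ttl_off": off + 4, "rdata_off": off + 10, "ip": None}
        if rtype == 1 and rdlen == 4:                # A record: RDATA is an IPv4 address
            rec["ip"] = ".".join(str(b) for b in pkt[off + 10:off + 14])
        answers.append(rec)
        off += 10 + rdlen
    return answers

def translate_dns_response(pkt, static_map=STATIC_NAT):
    """Rewrite mapped A-record addresses and, as the article shows IOS doing, zero their TTL."""
    out = bytearray(pkt)
    for rec in parse_answers(pkt):
        if rec["ip"] in static_map:
            out[rec["rdata_off"]:rec["rdata_off"] + 4] = bytes(int(o) for o in static_map[rec["ip"]].split("."))
            out[rec["ttl_off"]:rec["ttl_off"] + 4] = b"\x00\x00\x00\x00"
    return bytes(out)

def build_sample_response():
    """Constructed response mirroring the article's debug output: id=11, rd=ra=1, one A record, ttl=10."""
    header = struct.pack("!HHHHHH", 11, 0x8180, 1, 1, 0, 0)
    question = b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 10, 4) + bytes([10, 0, 0, 5])
    return header + question + answer
```

Records whose address is not in the static map are left untouched, which matches the article's point that only unconditional static mappings are rewritten.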