Cisco - NAT causes nslookup to return local IP

domain-name-system nat routing cisco

A little background:

I have a server on my LAN that is statically NAT'd to its public IP in my Cisco 871. The rest of the same local subnet is statically NAT'd to a different Public IP, in order to separate traffic. The authoritative public nameserver for my domain has all relevant and correct records for the server. Also, the information fully propagated to the rest of the world weeks ago.

The issue:

When performing nslookup of my domain from any machine on the same physical LAN as the server, regardless of subnet (I have two subnets), I get back the local IP of the server instead of its public IP. nslookup returns correct (public) IP when performed from outside of this network.

What I know so far:

I know the problem instamagically goes away once I remove the static NAT for the server (see bold line in config below). I am not using CBAC for DNS traffic or anything of that nature. My colleagues and I are seriously baffled.

Here are the relevant snippets (addresses deliberately altered) from my config:

  • ip nat pool office 65.x.x.162 65.x.x.162 netmask 255.255.255.240
  • ip nat pool guests 65.x.x.164 65.x.x.164 netmask 255.255.255.240
  • ip nat inside source list 1 pool office overload
  • ip nat inside source list 2 pool guests overload
  • ip nat inside source static tcp 192.168.1.1 22 interface FastEthernet4 41234
  • ip nat inside source static tcp 192.168.1.69 22 interface FastEthernet4 44321
  • ip nat inside source static tcp 192.168.1.12 3389 interface FastEthernet4 51234
  • ip nat inside source static 192.168.1.9 65.x.x.163
  • !
  • access-list 1 permit 192.168.1.0 0.0.0.255
  • access-list 1 deny any
  • access-list 2 permit 192.168.100.0 0.0.0.255
  • access-list 2 deny any

Can someone please help me understand why this is occurring?


Solution 1:

It's called "DNS Doctoring" - it's trying to help you out by giving the local client the local address instead of the NAT address:

Link with NAT FAQs

It's doing that because the IOS firewall code (much like PIX or ASA) inspects DNS by default, so to disable it issue a "no inspect dns". Presumably the IOS Firewall behavior kicks in when you start using the static NATs.

Link with PIX/ASA details on DNS Doctoring

Solution 2:

to disable DNS Doctoring try the following command:

no ip nat service alg udp dns

Related

How to find available versions for a bower dependency
How can I change Sourcetree theme?
Which version of Perl should I use on Windows? [closed]
Is there a method that works like start fragment for result?
The system ui isn't responding in android emulator (Flutter)
How do you deal with configuration files in source control?
How can I change the textual representation displayed for a type in Swift?
Search for one value in any column of any table inside a database
Linking libstdc++ statically: any gotchas?
Restore Eclipse subversion project connection
Can I access the App Store from within the iOS Simulator?
C#: Difference between List<T> and Collection<T> (CA1002, Do not expose generic lists) [duplicate]