Cisco - NAT causes nslookup to return local IP
A little background:
I have a server on my LAN that is statically NAT'd to its public IP in my Cisco 871. The rest of the same local subnet is statically NAT'd to a different Public IP, in order to separate traffic. The authoritative public nameserver for my domain has all relevant and correct records for the server. Also, the information fully propagated to the rest of the world weeks ago.
The issue:
When performing nslookup of my domain from any machine on the same physical LAN as the server, regardless of subnet (I have two subnets), I get back the local IP of the server instead of its public IP. nslookup returns correct (public) IP when performed from outside of this network.
What I know so far:
I know the problem instamagically goes away once I remove the static NAT for the server (see bold line in config below). I am not using CBAC for DNS traffic or anything of that nature. My colleagues and I are seriously baffled.
Here are the relevant snippets (addresses deliberately altered) from my config:
- ip nat pool office 65.x.x.162 65.x.x.162 netmask 255.255.255.240
- ip nat pool guests 65.x.x.164 65.x.x.164 netmask 255.255.255.240
- ip nat inside source list 1 pool office overload
- ip nat inside source list 2 pool guests overload
- ip nat inside source static tcp 192.168.1.1 22 interface FastEthernet4 41234
- ip nat inside source static tcp 192.168.1.69 22 interface FastEthernet4 44321
- ip nat inside source static tcp 192.168.1.12 3389 interface FastEthernet4 51234
- **ip nat inside source static 192.168.1.9 65.x.x.163**
- !
- access-list 1 permit 192.168.1.0 0.0.0.255
- access-list 1 deny any
- access-list 2 permit 192.168.100.0 0.0.0.255
- access-list 2 deny any
Can someone please help me understand why this is occurring?
Solution 1:
It's called "DNS Doctoring" - it's trying to help you out by giving the local client the local address instead of the NAT address:
Link with NAT FAQs
It's doing that because the IOS firewall code (much like PIX or ASA) inspects DNS by default, so to disable it issue a "no inspect dns". Presumably the IOS Firewall behavior kicks in when you start using the static NATs.
Link with PIX/ASA details on DNS Doctoring
Solution 2:
To disable DNS Doctoring, try the following command:
no ip nat service alg udp dns
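As an added illustration, not code from either answer: the rewrite both solutions describe (the NAT DNS ALG changing A-record rdata that matches a static translation's public side to the inside address), simulated in Python. It assumes a constructed static-NAT table mapping the placeholder public address 203.0.113.163 to the server's inside address 192.168.1.9 from the question, and builds the sample DNS reply inline.

```python
import struct
import ipaddress

# Constructed static-NAT table (public -> inside). 192.168.1.9 is the server from
# the question; 203.0.113.163 stands in for its masked public address 65.x.x.163.
STATIC_NAT = {"203.0.113.163": "192.168.1.9"}

def _skip_name(pkt, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte pointer ends the name
            return off + 2
        off += 1 + length

def a_records(pkt):
    """List (rdata_offset, dotted_ip) for every A record in the answer section."""
    qd, an = struct.unpack("!HH", pkt[4:8])
    off, found = 12, []
    for _ in range(qd):                    # skip the question section
        off = _skip_name(pkt, off) + 4     # QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append((off, str(ipaddress.IPv4Address(pkt[off:off + 4]))))
        off += rdlen
    return found

def doctor_dns_response(pkt, nat=STATIC_NAT):
    """Rewrite A records whose address is a static NAT's public side to the inside
    address, as the router's DNS ALG does. Returns (new_pkt, [(public, inside)])."""
    out, rewrites = bytearray(pkt), []
    for off, public in a_records(pkt):
        inside = nat.get(public)
        if inside:
            out[off:off + 4] = ipaddress.IPv4Address(inside).packed
            rewrites.append((public, inside))
    return bytes(out), rewrites

def build_a_reply(name, addr, txid=0x1234):
    """Constructed sample reply: one question plus one A answer (name compressed)."""
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # standard response, 1 Q, 1 A
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer
```

Running `doctor_dns_response(build_a_reply("example.com", "203.0.113.163"))` yields a reply whose only A record is 192.168.1.9, which is exactly what the LAN clients in the question were seeing; a reply for an address with no static mapping passes through unchanged.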