This is a good one.

CBOS bug in the NAT code makes the router replace the DNS answer with
the public IP.

When I ran across this at home, I thought I was going insane.  I could
not understand how my workstation even knew what the public IP was.  I
ended up watching the raw packets leaving my box, and coming into my
network, and saw the difference.

I think there is a fix to CBOS for this - I ended up moving DNS
elsewhere instead of risking "discovering" other problems.  Nate might
have details on whether this has been fixed.

On Mon, 2004-01-05 at 15:57, Tom Penney wrote:
> I'm having a strange problem I can't figure out. I have a DNS server
> behind NAT. The server answers correctly when queried from the local
> private network but does not from the internet. From the internet, no
> matter what you ask, it answers with the public IP of the NAT device
> (Cisco 678). What the hell am I doing wrong?
> 
> Here is some info, I've cut it up to keep it short
> 
> From the Cisco 678:
> 
>         cbos#show nat
>          
>         NAT is currently enabled
>          
>         Port      Network        Global
>         eth0      Inside
>         wan0-0    Outside      209.98.143.100
>         vip0      Outside      ^^^^^^^^^^^^^^
>         vip1      Outside      STATIC IP OF CISCO 678 HOSTING THE BIND SERVER
>         vip2      Outside
>          
>               Local IP : Port      Global IP : Port      Timer Flags    Proto Interface
>            192.168.1.50:53     209.98.143.100:53           0   0x00041  udp   eth0 wan0-0
>            192.168.1.50:53     209.98.143.100:53           0   0x00041  tcp   eth0 wan0-0
>            ^^^^^^^^^^^^
>            LOCAL IP OF BIND SERVER
>         
> 
> 
> From inside the private network:
> 
>         [tomp at lotsa test]$ dig @192.168.1.50 myhost.mydomain.com
>                                 ^^^^^^^^^^^^ 
>                                 BIND SERVER 
>         
>         ; <<>> DiG 9.2.1 <<>> @192.168.1.50 r.circussoftware.com
>         ;; global options:  printcmd
>         ;; Got answer:
>         ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20759
>         ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
>          
>         ;; QUESTION SECTION:
>         ;myhost.mydomain.com.          IN      A
>          
>         ;; ANSWER SECTION:
>         myhost.mydomain.com. 10800 IN A       209.150.209.2
>                                               ^^^^^^^^^^^^^
>                                               CORRECT! IP OF MYHOST.MYDOMAIN.COM 
> 
> From the internet:
>         [tomp at ringmaster tomp]$ dig @bindserver.binddomain.com myhost.mydomain.com
>         
>         
>         ; <<>> DiG 9.2.1 <<>> @many.blots.com ringmaster.circussoftware.com
>         ;; global options:  printcmd
>         ;; Got answer:
>         ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27360
>         ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
>          
>         ;; QUESTION SECTION:
>         ;myhost.mydomain.com. IN      A
>          
>         ;; ANSWER SECTION:
>         myhost.mydomain.com. 0 IN     A       209.98.143.100
>                                               ^^^^^^^^^^^^^^
>                                               WRONG! THIS IS THE IP OF THE CISCO 678
>         
>         
> It's like the NAT on the Cisco is rewriting the address of the answer.
> Does anyone have a clue how to fix this?
> 
> Thanks!
>          


_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
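Added example, not part of the thread and not Cisco or CBOS code: the
diagnosis above came from watching the raw DNS packets on the LAN side
and on the WAN side and comparing the answers.  The script below does
that comparison mechanically.  It builds a constructed DNS response in
wire format (using the name, TTL and addresses quoted in the thread as
sample values), parses the answer section, and flags A records whose
address or TTL differ between the two captures.  simulate_alg_rewrite()
is my own stand-in for the behaviour the thread describes (every A
answer replaced by the NAT device's global address, TTL 0); it is an
assumption about what the box does, used only to produce test input.

```python
"""Spot A records rewritten in flight by a NAT DNS ALG.

Added example for the CBOS/Cisco 678 thread.  Sample data is constructed
here; nothing is captured from a real network.  Feed parse_a_records()
the UDP payload of a DNS reply taken from two tcpdump captures (LAN side
and WAN side) to run the same comparison on real traffic.
"""
import socket
import struct
from itertools import zip_longest


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression pointers)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_response(txid, name, addrs, ttl=10800):
    """Constructed authoritative reply: one question, one A record per address."""
    flags = 0x8400                       # QR=1, AA=1, RCODE=NOERROR
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # A, IN
    answers = b"".join(
        encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
        for a in addrs)
    return header + question + answers


def read_name(buf, off):
    """Decode a name at offset off; follows compression pointers (RFC 1035 4.1.4)."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:             # pointer to an earlier name
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(buf, ptr)
            return (".".join(labels) + "." + tail) if labels else tail, off + 2
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def _skip_questions(buf):
    """Return (qdcount, ancount, offset of first answer record)."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(buf, off)
        off += 4                         # QTYPE + QCLASS
    return qd, an, off


def parse_a_records(buf):
    """Return [(name, ttl, ip)] for every IN A record in the answer section."""
    _, an, off = _skip_questions(buf)
    records = []
    for _ in range(an):
        name, off = read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ttl, socket.inet_ntoa(rdata)))
    return records


def simulate_alg_rewrite(buf, global_ip):
    """ASSUMPTION, not CBOS code: model the thread's symptom by replacing the
    RDATA of every A answer with the NAT global address and zeroing its TTL."""
    _, an, off = _skip_questions(buf)
    out = bytearray(buf[:off])
    for _ in range(an):
        start = off
        _, off = read_name(buf, off)
        name_bytes = buf[start:off]
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ttl, rdata = 0, socket.inet_aton(global_ip)
        out += name_bytes + struct.pack("!HHIH", rtype, rclass, ttl, rdlen) + rdata
    out += buf[off:]
    return bytes(out)


def rewritten_answers(inside, outside):
    """Pair up A records from the LAN-side and WAN-side copies of one reply and
    return the (before, after) pairs that differ; a record dropped on one side
    shows up paired with None."""
    return [(b, a) for b, a in zip_longest(parse_a_records(inside),
                                           parse_a_records(outside))
            if b != a]


if __name__ == "__main__":
    # Constructed sample: the reply BIND sends on eth0, and what the WAN side sees.
    lan = build_a_response(20759, "myhost.mydomain.com", ["209.150.209.2"])
    wan = simulate_alg_rewrite(lan, "209.98.143.100")
    for before, after in rewritten_answers(lan, wan):
        print("rewritten in transit:", before, "->", after)
```

With real captures, take the DNS payload of the same reply (match on
the transaction id) from a tcpdump on the server's LAN segment and from
a host outside the NAT; a non-empty result from rewritten_answers() is
the ALG at work, and the TTL dropping to 0 is the tell the thread's dig
output already shows.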