On 13.06.2014 12:20, Reuben Farrelly wrote:
On 13/06/2014 8:09 PM, Nick Edwards wrote:
On 6/11/14, Jost Krieger Jost.Krieger+dovecot@rub.de wrote:
On Wed Jun 11 12:03:24 2014, Reindl Harald wrote:
Cisco routers by default mangle DNS traffic, break zone transfers, or even put a `$TTL 0` line before all CNAME blocks that never appeared on the master, until you disable DNS ALG for UDP and TCP.
I believe that Cisco equipment will do such things, but I doubt it's the routers. Unless you plug a firewall card in.
I think he means junk like PIX, I've never seen a 7200, 7300, 10K, or any ASR do that.
Actually you're both incorrect - this isn't a PIX/ASA specific thing and it does work that way on IOS routers in certain configurations. A Cisco IOS router (800/1800/1900 etc) running recent code will do this if you have a PAT rule translating port 53 from outside to inside.
This isn't a configuration that is that common, and it is annoying when you run into it, but it's not something you can have happen "by accident" since you have to specifically configure port 53 to be NATted in to observe this behaviour. It's also easy to turn off (TBH I don't know why it's not off by default, but that's a separate matter).
It doesn't impact normal outbound/dynamic NAT which is what most people use.
I haven't tried 1:1 static NATs so can't verify if it works that way in that situation, though.
We are running 1:1 static NAT and it is enabled by default in that situation; that's what I am talking about the whole time. Nobody does single port forwardings in a server environment.
And *yes*, you can have this happen "by accident" simply by having non-Cisco hardware before with the same 1:1 NAT and then getting a Cisco device due to a switch from bundled DSL lines to fiber.
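To make the configuration under discussion concrete, here is an added example (not posted by anyone in the thread) of a Cisco IOS configuration with the 1:1 static NAT for an authoritative name server, first with the DNS ALG at its default and then with the ALG explicitly disabled for both transports. The interface names and the RFC 5737 documentation addresses are assumptions; the `ip nat service dns` commands are the classic IOS syntax, and the keyword layout differs on some IOS-XE releases, so check the NAT configuration guide for the platform at hand.

```cisco
! Added example, not from the thread. Interface names and addresses are
! placeholders (RFC 5737 documentation ranges).
!
interface GigabitEthernet0/0
 description outside (ISP uplink)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description inside (server LAN)
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
!
! 1:1 static NAT for the authoritative name server. With the DNS ALG at its
! default (enabled), NAT inspects the payload of UDP and TCP port 53 packets
! crossing this translation; that payload rewriting is what breaks zone
! transfers and injects the "$TTL 0" lines described in the thread.
ip nat inside source static 192.0.2.10 203.0.113.10
!
! Disable the DNS ALG for both transports so DNS payloads pass through
! untouched. Only the IP and transport headers are still rewritten, which
! is all a 1:1 static NAT for a name server needs.
no ip nat service dns udp
no ip nat service dns tcp
```

After applying the change, confirm it with `show running-config | include ip nat service`, then pull a zone transfer of your own zone from outside the NAT (for example `dig @203.0.113.10 example.com AXFR` from a host permitted in the server's transfer ACL) and diff the result against the zone file on the master; with the ALG off the two should match line for line, with no extra `$TTL` directives.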