On 13/06/2014 8:09 PM, Nick Edwards wrote:
> On 6/11/14, Jost Krieger <Jost.Krieger+dovecot@rub.de> wrote:
>> On Wed Jun 11 12:03:24 2014, Reindl Harald wrote:
>>> Cisco routers by default mangle DNS traffic, break zone transfers or even put before all CNAME blocks a $TTL 0 line that never appeared on the master, until you disable DNS ALG for UDP and TCP.
>> I believe that Cisco equipment will do such things, but I doubt it's the routers. Unless you plug a firewall card in.
> I think he means junk like PIX; I've never seen a 7200, 7300, 10K, or any ASR do that.
Actually you're both incorrect - this isn't a PIX/ASA specific thing and it does work that way on IOS routers in certain configurations. A Cisco IOS router (800/1800/1900 etc) running recent code will do this if you have a PAT rule translating port 53 from outside to inside.
This isn't a configuration that is that common, and it is annoying when you run into it, but it's not something you can have happen "by accident" since you have to specifically configure port 53 to be NATted in to observe this behaviour. It's also easy to turn off (TBH I don't know why it's not off by default, but that's a separate matter).
It doesn't impact normal outbound/dynamic NAT which is what most people use.
I haven't tried 1:1 static NATs so can't verify if it works that way in that situation, though.
Reuben
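As an added illustration (not part of the thread above), here is what the configuration Reuben describes looks like on an IOS router, with the DNS ALG disabled beneath it. The interface names and the 192.0.2.0/24 addresses are constructed placeholders; the `ip nat service alg` commands are standard IOS syntax but their exact form depends on the IOS release, so check `show run | include ip nat service` on your own box.

```cisco
! Constructed example: inside DNS server published via static PAT on port 53.
! This is the "port 53 NATted in" case that triggers the DNS ALG on IOS.
interface GigabitEthernet0/0
 description Outside (placeholder address)
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside (placeholder address)
 ip address 192.0.2.129 255.255.255.128
 ip nat inside
!
! Static PAT: outside port 53 (UDP and TCP, the latter for zone transfers)
! maps to the inside authoritative server at 192.0.2.130.
ip nat inside source static udp 192.0.2.130 53 interface GigabitEthernet0/0 53
ip nat inside source static tcp 192.0.2.130 53 interface GigabitEthernet0/0 53
!
! Fix: turn off the DNS ALG so NAT forwards DNS payloads untouched.
! Without these two lines the ALG may rewrite records (including TTLs)
! in responses and zone transfers passing through the translation.
no ip nat service alg udp dns
no ip nat service alg tcp dns
```

Ordinary dynamic outbound NAT (`ip nat inside source list ... overload`) with no port 53 static entry is not affected, which matches Reuben's observation; the ALG only gets a chance to inspect DNS when a translation explicitly covers that port.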