On 11.06.2014 12:21, Jost Krieger wrote:
>> On Wed Jun 11 12:03:24 2014, Reindl Harald wrote:
>> Cisco routers by default mangle DNS traffic, break zone transfers or even put a $TTL 0 line before all CNAME blocks that never appeared on the master, until you disable the DNS ALG for UDP and TCP
> I believe that Cisco equipment will do such things, but I doubt it's the routers. Unless you plug a firewall card in.
off-topic, but as a response to "i thought they know better":

any bigger Cisco router I saw in the last 8 years, and even some smaller ones without rack-mount, did this by default if NAT is enabled, until you force the two commands below

the reason is likely that if you have a public DNS server that you are asking from the LAN, and it responds with a public address, the Cisco translates the response to the NAT mapping instead of just allowing the public IP from the LAN, but that's no valid reason to mangle outgoing DNS traffic

additionally, that may become "funny" if DNSSEC is used in the future

no ip nat service alg udp dns
no ip nat service alg tcp dns

the UDP ALG leads to silently suppressed answers for PTRs with public IPs towards the WAN; larger UDP responses (EDNS) time out, as do zone transfers

the TCP ALG leads to an AXFR zone transfer looking like the one below, while the master has only one TTL line with 86400 on top of the zone file; in that case only CNAMEs are mangled, and after typing the commands above all is fine
rhsoft.net.            86400 IN A     91.118.73.4
**.rhsoft.net.         0     IN CNAME **.rhsoft.net.
**.rhsoft.net.         0     IN CNAME **.rhsoft.net.
................................
testserver.rhsoft.net. 86400 IN A     84.113.92.77
**.rhsoft.net.         0     IN CNAME **.rhsoft.net.
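A small check for the symptom described above, added here as an example and not part of the thread: it parses a dig-style AXFR dump and lists every record whose TTL differs from the zone's single $TTL, so a transfer pulled through the NAT path can be compared with one taken directly from the master. The zone names and addresses in the sample are constructed; the expected TTL of 86400 is the one the poster describes.

```python
"""Flag records in a presentation-format AXFR dump whose TTL differs from
the master's $TTL. Example code; assumes the zone file carries a single
$TTL line and the dump was produced by `dig axfr` (name TTL class type rdata).
"""
import re
from collections import defaultdict

# One resource record per line: owner, TTL, class IN, type, rdata
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.+)$")


def parse_axfr(text):
    """Yield (name, ttl, rtype, rdata) for each record line; skip comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), m.group(4)


def find_mangled(text, expected_ttl):
    """Return {rtype: [(name, ttl), ...]} for records whose TTL != expected_ttl.

    If only one record type (e.g. CNAME) shows up with TTL 0 in the dump taken
    through the router but not in the dump taken from the master, something on
    the path rewrote the answers.
    """
    bad = defaultdict(list)
    for name, ttl, rtype, _rdata in parse_axfr(text):
        if ttl != expected_ttl:
            bad[rtype].append((name, ttl))
    return dict(bad)


# Constructed sample modelled on the dump in the mail: only CNAMEs carry TTL 0.
SAMPLE = """\
example.net.            86400 IN A     192.0.2.10
www.example.net.        0     IN CNAME example.net.
mail.example.net.       0     IN CNAME example.net.
testserver.example.net. 86400 IN A     192.0.2.77
"""

if __name__ == "__main__":
    for rtype, recs in find_mangled(SAMPLE, 86400).items():
        print(f"{rtype}: {len(recs)} record(s) with unexpected TTL")
        for name, ttl in recs:
            print(f"  {name} ttl={ttl}")
```

Run it against the output of `dig axfr <zone> @<master>` captured from inside the NAT and again from a host that does not traverse the router; a clean master dump returns an empty result.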