Subject tag [Dovecot] is gone

Reindl Harald
Wed Jun 11 10:46:07 UTC 2014

Am 11.06.2014 12:21, schrieb Jost Krieger:
> On Wed Jun 11 12:03:24 2014, Reindl Harald wrote:
>> Cisco routers by default mangle DNS traffic, break zone transfers
>> or even put befor all CNAME blocks a $TTL 0 line never appeared
>> on the master until you disable DNS ALG for UDP and TCP
> I believe that Cisco equipment will do such things, but I doubt it's the
> routers. Unless you plug a firewall card in

off-topic but as response "i thought they know better"

any bigger Cisco router i saw the last 8 years and even some smaller
ones without rack-mount did this as default if NAT is enabled until
you force the  two commands below

the reason likely is that if you have a public DNS server you are asking
from the LAN responding with a public address the Cisco translates the
repsonse to the NAT-mapping instead just allow the public IP from the LAN,
but that's no valid reason to mangle outgoing DNS traffic

additionally that may become "funny" if in the future DNSSEC is used

"no ip nat service alg udp dns"
"no ip nat service alg tcp dns"

the UDP ALG leads to silently supress answers of PTR's
with public IP's to the WAN, larger UDP responses (EDNS)
times out as well as zone-transfers

the TCP ALG leads to a AFXR zone transfer looks like below
while the master has only one TTL line with 86400 on top of
the zone file, in that case only CNAMES are mangelded and
after type the commands above all is fine             86400   IN      A
**          0       IN      CNAME   **
**          0       IN      CNAME   **
................................  86400   IN      A
**          0       IN      CNAME   **

