Network address translation of DNS responses
[LEFT][CODE]http://wiki.nil.com/Network_address_translation_of_DNS_responses[/CODE]
[B]By Ivan Pepelnjak[/B]
Cisco IOS performs numerous Application Level Gateway (ALG) translations, including translation of IP addresses in DNS reply packets. The DNS ALG translation is performed only for the static NAT translations configured with [B]ip nat inside source static[/B] and [B]ip nat outside source static[/B] commands without the [B]route-map[/B] option.
NAT DNS translation does not work for addresses specified in a NAT pool if the NAT translation using the pool specifies the [B]overload[/B] option, nor for overloaded interface addresses, static PAT mappings or static NAT mappings with a [B]route-map[/B] option.
[B]Contents[/B]
[LIST][*]1 Sample network[*]2 DNS requests to inside DNS server
[LIST][*]2.1 Usage scenarios[/LIST][*]3 DNS requests to outside DNS server
[LIST][*]3.1 Usage scenarios[/LIST][/LIST]
[B]Sample network[/B]
All the examples in this article use a simple network with an inside and an outside server displayed in Figure 1.
[URL="http://wiki.nil.com/Image:DNSNAT_Diagram.png"][IMG]http://wiki.nil.com/wk/images/thumb/2/2c/DNSNAT_Diagram.png/550px-DNSNAT_Diagram.png[/IMG][/URL]
Figure 1: Simple network using NAT
The NAT router has the following configuration:
[CODE]version 12.4
no service timestamps debug uptime
service timestamps log datetime msec
no service password-encryption
!
hostname NAT
!
!
interface FastEthernet0/0
 description Outside
 ip address 192.168.0.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 description Inside
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip nat log translations syslog
ip nat inside source list Inside interface FastEthernet0/0 overload
ip nat inside source static 10.0.0.5 192.168.0.10 extendable
!
ip access-list standard Inside
 permit 10.0.0.0 0.0.0.255
!
end[/CODE]
[B]DNS requests to inside DNS server[/B]
If an outside client makes a DNS request to an inside DNS server, the router translates local inside IP addresses in the response to corresponding global inside IP addresses in the translated response (Figure 2).
[URL="http://wiki.nil.com/Image:DNSNAT_QueryToInside.png"][IMG]http://wiki.nil.com/wk/images/thumb/7/72/DNSNAT_QueryToInside.png/550px-DNSNAT_QueryToInside.png[/IMG][/URL]
Figure 2: DNS query to inside server
You can observe the details of the translation in the next two screenshots from Wireshark. The first one (Figure 3) was taken on the Inside LAN; the IP address in the DNS response is still the original inside local address (10.0.0.5). The second screenshot (Figure 4) was taken on the Outside LAN; the IP address in the DNS response has been translated to the inside global address (192.168.0.2) corresponding to the local address 10.0.0.5.
The router also changes the TTL field in the DNS response. The original DNS response has a TTL of 10 seconds; the TTL in the translated DNS response is set to zero, which prevents any outside DNS server from caching the response. This behavior might significantly increase the load on the inside DNS server, since every outside lookup is forwarded to it.
[URL="http://wiki.nil.com/Image:DNSInside_Response.png"][IMG]http://wiki.nil.com/wk/images/6/63/DNSInside_Response.png[/IMG][/URL] Figure 3: Original DNS response
[URL="http://wiki.nil.com/Image:DNSOutside_Response.png"][IMG]http://wiki.nil.com/wk/images/8/8e/DNSOutside_Response.png[/IMG][/URL] Figure 4: Translated DNS response
The detailed translations of DNS requests can also be monitored on the router with the [B]debug ip nat detailed[/B] command. The DNS query from an outside client to the inside DNS server resulted in the following printout:
[CODE]NAT: o: udp (192.168.0.2, 62586) -> (192.168.0.10, 53) [0]
NAT (UDP-DNS): Before Translation
NAT: Translation of UDP DNS src 192.168.0.2, dst 192.168.0.10
NAT: Dns type of Query
: dns len=21, id=11, aa=0, tc=0, rd=1, ra=0
: opcode=0, rcode=0, qdcount=1
: ancount=0, nscount=0, arcount=0
NAT (UDP-DNS): After Translation
NAT: Translation of UDP DNS src 192.168.0.2, dst 192.168.0.10
NAT: Dns type of Query
: dns len=21, id=11, aa=0, tc=0, rd=1, ra=0
: opcode=0, rcode=0, qdcount=1
: ancount=0, nscount=0, arcount=0[/CODE]
The DNS response sent by the inside DNS server produced this printout:
[CODE]NAT: i: udp (10.0.0.5, 53) -> (192.168.0.2, 62586) [11]
NAT (UDP-DNS): Before Translation
NAT: Translation of UDP DNS src 10.0.0.5, dst 192.168.0.2
NAT: Dns type of Response
: dns len=37, id=11, aa=0, tc=0, rd=1, ra=1
: opcode=0, rcode=0, qdcount=1
: ancount=1, nscount=0, arcount=0
query name is www.example.com, qtype=1, class=1
Answer section:
Name='www.example.com'
RR type=1, class=1, ttl=10, data length=4
IP=10.0.0.5
Authority section:
Additional record section:
NAT: DNS resource record 10.0.0.5 -> 192.168.0.10
NAT (UDP-DNS): After Translation
NAT: Translation of UDP DNS src 10.0.0.5, dst 192.168.0.2
NAT: Dns type of Response
: dns len=37, id=11, aa=0, tc=0, rd=1, ra=1
: opcode=0, rcode=0, qdcount=1
: ancount=1, nscount=0, arcount=0
query name is www.example.com, qtype=1, class=1
Answer section:
Name='www.example.com'
RR type=1, class=1, ttl=0, data length=4
IP=192.168.0.10
Authority section:
Additional record section:[/CODE]
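The two debug printouts show the ALG rewriting a single A record and zeroing its TTL. As an added illustration (not code from the article or from Cisco IOS), the following Python reproduces that rewrite on a constructed copy of the captured response (id=11, www.example.com A 10.0.0.5, TTL 10) using the static mapping from the router configuration; the direction argument also covers the outside-to-inside case described in the next section. Function and variable names are assumptions.

```python
import struct

# Static NAT mapping from the article's router configuration (inside local -> inside global).
STATIC_NAT = {"10.0.0.5": "192.168.0.10"}

def skip_name(msg, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length

def translate_dns_response(msg, nat_table, direction="inside_to_outside"):
    """Mimic the IOS DNS ALG: rewrite A-record RDATA that matches a static mapping
    and zero the TTL of every rewritten record. Returns (new_message, log_lines)."""
    table = nat_table if direction == "inside_to_outside" else {g: l for l, g in nat_table.items()}
    out, log = bytearray(msg), []
    _txid, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                    # question: QNAME + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):          # every RR in answer/authority/additional
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = off + 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ip = ".".join(str(b) for b in msg[rdata:rdata + 4])
            if ip in table:
                out[rdata:rdata + 4] = bytes(int(x) for x in table[ip].split("."))
                struct.pack_into("!I", out, off + 4, 0)   # TTL -> 0, as the captures show
                log.append(f"NAT: DNS resource record {ip} -> {table[ip]}")
        off = rdata + rdlen
    return bytes(out), log

def build_sample_response():
    """Constructed response matching the capture: id=11, rd=1 ra=1, www.example.com A 10.0.0.5 ttl=10."""
    header = struct.pack("!6H", 11, 0x8180, 1, 1, 0, 0)
    qname = b"".join(bytes([len(p)]) + p for p in b"www.example.com".split(b".")) + b"\x00"
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 10, 4) + bytes([10, 0, 0, 5])
    return header + qname + struct.pack("!HH", 1, 1) + answer

def first_a_record(msg):
    """Return (ip, ttl) of the first answer RR; used to inspect before/after."""
    off = skip_name(msg, skip_name(msg, 12) + 4)
    _rtype, _rclass, ttl, _rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    return ".".join(str(b) for b in msg[off + 10:off + 14]), ttl
```

Note that len(build_sample_response()) - 12 is 37, matching the dns len the debug output reports for the response.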
[B]Usage scenarios[/B]
The translation of inside-to-outside DNS responses can be used in scenarios where the same inside (or DMZ) DNS server serves internal clients and external visitors. In most cases, the same effect can be achieved more easily with externally hosted DNS services (most DNS registrars offer them); you might need this functionality only in NAT-based multihoming.
Do not forget that the NAT translation of DNS replies works only when the inside server uses NAT (not PAT) translation. Static NAT translations or dynamic translations using pools without the [B]overload[/B] option can be used.
[B]DNS requests to outside DNS server[/B]
When a DNS reply traverses the outside-to-inside boundary, the router performing NAT translates all statically mapped inside global addresses into inside local addresses (see Figure 5). The translation is performed only if you use static unconditional NAT translation for the inside server (identical to the inside-to-outside scenario).
[URL="http://wiki.nil.com/Image:DNSNAT_QueryToOutside.png"][IMG]http://wiki.nil.com/wk/images/thumb/9/92/DNSNAT_QueryToOutside.png/550px-DNSNAT_QueryToOutside.png[/IMG][/URL]
Figure 5: DNS query to outside server
[B]Usage scenarios[/B]
Translation of outside-to-inside DNS responses allows you to design networks where the outside DNS server is used to resolve the IP address of an inside server. For example, [URL="http://www.example.com/"]www.example.com[/URL] in Figure 5 could be the company's public web server (hopefully in a more secure environment, not connected to the same inside LAN as the workstations), and the inside clients could reach it using the same public DNS server they use to access the Internet.
This technique works only if the publicly-accessible inside server uses static NAT translation with no extra options.
[/LEFT]