On 11.06.2014 12:21, Jost Krieger wrote:
> On Wed Jun 11 12:03:24 2014, Reindl Harald wrote:
>
>> Cisco routers by default mangle DNS traffic, break zone transfers
>> or even put before all CNAME blocks a $TTL 0 line that never appeared
>> on the master until you disable DNS ALG for UDP and TCP
>
> I believe that Cisco equipment will do such things, but I doubt it's the
> routers. Unless you plug a firewall card in

off-topic but as response "i thought they know better"

any bigger Cisco router i saw in the last 8 years and even some smaller ones without rack-mount did this as default if NAT is enabled until you force the two commands below

the reason likely is that if you have a public DNS server you are asking from the LAN responding with a public address, the Cisco translates the response to the NAT-mapping instead of just allowing the public IP from the LAN, but that's no valid reason to mangle outgoing DNS traffic

additionally that may become "funny" if in the future DNSSEC is used

"no ip nat service alg udp dns"
"no ip nat service alg tcp dns"
_______________________________________

the UDP ALG leads to silently suppressed answers of PTRs with public IPs to the WAN, larger UDP responses (EDNS) time out as well as zone transfers

the TCP ALG leads to an AXFR zone transfer looking like below while the master has only one TTL line with 86400 on top of the zone file, in that case only CNAMEs are mangled and after typing the commands above all is fine

rhsoft.net. 86400 IN A 91.118.73.4
**.rhsoft.net. 0 IN CNAME **.rhsoft.net.
**.rhsoft.net. 0 IN CNAME **.rhsoft.net.
................................
testserver.rhsoft.net. 86400 IN A 84.113.92.77
**.rhsoft.net. 0 IN CNAME **.rhsoft.net.
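As an added check that is not part of the thread: the TTL pattern described above (one record type arriving with TTL 0 while others keep the master's 86400) can be spotted mechanically in a dig-style AXFR listing, which is a cheap way to tell in-path rewriting from a zone file that really carries several $TTL lines. The example.net zone, names and addresses below are constructed, not taken from the post.

```python
import re
from collections import defaultdict

# Matches one resource record line as printed by dig/host, e.g.
#   "host.example.net. 86400 IN A 192.0.2.10"  (spaces or tabs between fields).
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_rrs(axfr_text):
    """Yield (name, ttl, type, rdata) per record; skip blank and ';' comment lines."""
    for line in axfr_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            yield name, int(ttl), rtype, rdata

def ttl_by_type(axfr_text):
    """Map each record type to the set of TTLs observed for it."""
    seen = defaultdict(set)
    for _, ttl, rtype, _ in parse_rrs(axfr_text):
        seen[rtype].add(ttl)
    return dict(seen)

def alg_suspects(axfr_text, master_ttl=86400):
    """Record types whose every instance arrived with TTL 0 while some other
    type still carries the master's TTL. A single $TTL on the master cannot
    produce that split, so it points at rewriting somewhere on the path."""
    seen = ttl_by_type(axfr_text)
    intact = any(master_ttl in ttls for ttls in seen.values())
    return sorted(rt for rt, ttls in seen.items() if ttls == {0} and intact)

# Constructed sample (RFC 5737 addresses): the shape of the transfer shown in
# the post, CNAMEs arriving with TTL 0 while A records keep 86400.
MANGLED_AXFR = """\
example.net.\t86400\tIN\tA\t192.0.2.10
alias1.example.net. 0 IN CNAME example.net.
alias2.example.net. 0 IN CNAME example.net.
testserver.example.net. 86400 IN A 198.51.100.77
alias3.example.net. 0 IN CNAME testserver.example.net.
"""

# Constructed sample of the same zone as the master itself serves it.
CLEAN_AXFR = MANGLED_AXFR.replace(" 0 IN CNAME", " 86400 IN CNAME")

if __name__ == "__main__":
    print("TTLs by type:", ttl_by_type(MANGLED_AXFR))
    print("suspect types:", alg_suspects(MANGLED_AXFR))  # ['CNAME']
    print("clean zone:", alg_suspects(CLEAN_AXFR))        # []
```

Feed it the output of a transfer taken from behind the router and one taken on the master; a type that is only suspect in the first listing is being rewritten in transit.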