Cisco Routers, NAT and DNS... going off topic a bit.

Marc.Thach at radianz.com Marc.Thach at radianz.com
Mon Jul 2 15:27:33 UTC 2001



Micheal,
I don't want to get into a big personal argument in defence of Cisco,
particularly since they haven't bought me a beer in months :-)   I grant
you that maybe Cisco should have made the ALG defeatable for you and those
with the same problem that you have, whatever that is, but I think you're
being pretty unreasonable.

> Well, First NAT should do translating of IP address from private to
> public and public to private. This is what NAT was created for.

This is like saying that IP was designed to deliver packets, true at a very
naive level but not very illuminating, given that the overall purpose was
to enable government communications to function even after a nuclear strike
on the US. About NAT, RFC1631 says somewhere near the start: "The two most
compelling problems facing the IP Internet are IP address depletion and
scaling in routing", not "let's all translate IP headers for fun and
confusion".  If this is the basis of your argument, then any further
conclusions built on this will be flawed.

> It was not created
> to translate application level DNS queries. And if Cisco decided to add
> this, then, at least add it so it works. It should not F'up DNS queries.
> This is not within the realm of NAT or PAT. This is in effect, a Cisco
> "feature" that totally Screws up the ability to NAT a DNS server.

To be of use to solve a wide set of problems, ALGs are necessary.  Do you
object to the ALG that "F'up"s the ftp control channel?  DNS translation
isn't the goal, but it is an integral part of the solution.

> Cisco
> should step up to the plate and allow their customers to turn off this
> useless "feature".

I guess they didn't foresee your requirement.

> By the way, views will not work either. I can give you
> more of a technical reason where specifically it is broken if you wish.

I didn't suggest that views would work for you, merely that in the absence
of views, with one DNS serving clients inside and outside the NAT, DNS
translation is necessary.  I am certainly curious as to the nature of your
problem.

> Why NAT my DNS servers? Well, why not?

Why not? because in your case it doesn't work! Isn't that a good enough
reason?  NAT is a necessary evil, only use where necessary.  It breaks the
end-to-end paradigm on which IP was founded.  "There are limitations to
using the translation method." - RFC 3022.

> Why should Cisco limit what I can
> accomplish with other vendor's routers that don't have this stupid
> "feature". They added code that beaks how 99% of people use NAT for a
very
> rare and temporary case.

"Traditional NAT" as described in RFC3022 does not require the ALG, and the
Cisco ALG does not operate in this case.  If you find that it does, then
you have a different version of IOS to me, and you should raise a bug
report to Cisco.  Equally, if the ALG is not working as described in some
other manner, then there may be a bug and I for one would be very
interested to know about it.

> I am surprised Cisco would do something so
> irresponsible. I am a Cisco certified CCNP. I am seriously reconsidering
> Cisco as a whole...

"DNS/ALG -  a special case of the NAT/ALG, where an ALG for the DNS service
interacts with the NAT component to modify the contents of a DNS response."
- RFC2993
"Address translation is application independent and often accompanied by
application specific gateways (ALGs) to perform payload monitoring and
alterations." - RFC3022.
etc, etc, there are loads more references.  Cisco are in good company with
this feature.

Marc TXK
________________________________________________________________________
The views expressed are personal and do not necessarily reflect those of
the organisation providing the mail address from which this message was
sent