NAT and Question Section Mismatch

Reindl Harald h.reindl at
Tue Apr 21 23:37:10 UTC 2020

Am 21.04.20 um 21:30 schrieb Ondřej Surý:
> There was a setting in Cisco which would handle the host behind
> the NAT differently when the DNS traffic passed the matching NAT.
> I found a bug in the Cisco devices more than 10+ years ago when
> it would mangle the TTL to `0`.  I don’t really remember the details
> though, but it’s not only the `ip inspect` that might be at fault.

cisco dns ALG even mangles the TTL of CNAMES within a zone-transfer
which was the reason to set up a vpn peer to avoid zero TTLs on public

no ip nat service alg tcp dns
no ip nat service alg udp dns

More information about the bind-users mailing list