NAT and Question Section Mismatch
Reindl Harald
h.reindl at thelounge.net
Tue Apr 21 23:37:10 UTC 2020
On 21.04.20 at 21:30, Ondřej Surý wrote:
> There was a setting in Cisco which would handle the host behind
> the NAT differently when the DNS traffic passed the matching NAT.
>
> I found a bug in the Cisco devices more than 10+ years ago when
> it would mangle the TTL to `0`. I don’t really remember the details
> though, but it’s not only the `ip inspect` that might be at fault.
The Cisco DNS ALG even mangles the TTL of CNAMEs within a zone transfer,
which was the reason to set up a VPN peer to avoid zero TTLs on public
slaves:
no ip nat service alg tcp dns
no ip nat service alg udp dns
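To make the two failure modes discussed in this thread concrete, here is an added example (not code from the list posters, and not a Cisco tool) that parses DNS wire-format messages with the standard library only and reports (a) a response whose question section or transaction ID does not match the query that was sent and (b) resource records whose TTL became 0 between a capture taken on the inside of the NAT and one taken on the outside, which is the symptom attributed above to the DNS ALG. The query, the clean response and the "mangled" copy are constructed inline; names, IDs and addresses are illustrative, and the mangled message is built by hand rather than by any real NAT device.

```python
import struct

# Constructed sample data (not captured from a real network).
QNAME = "www.example.com."
TXID = 0x1234


def _name(n):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in n.rstrip(".").split(".")) + b"\x00"


def _read_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_message(msg):
    """Parse header, question section and all RR sections of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype in (2, 5):                           # NS / CNAME: rdata is a name
            rdata = _read_name(msg, off)[0]
        elif rtype == 1 and rdlen == 4:               # A: dotted quad
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        else:
            rdata = msg[off:off + rdlen]
        off += rdlen
        records.append((name, rtype, rclass, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "records": records}


def question_mismatch(query, response):
    """True if the response's ID or question section differs from the query's."""
    q, r = parse_message(query), parse_message(response)
    return q["id"] != r["id"] or q["questions"] != r["questions"]


def zeroed_ttls(inside, outside):
    """Records whose TTL was non-zero inside the NAT and 0 outside: (owner, type, original TTL)."""
    a = parse_message(inside)["records"]
    b = parse_message(outside)["records"]
    return [(rb[0], rb[1], ra[3]) for ra, rb in zip(a, b)
            if ra[:3] == rb[:3] and ra[3] != 0 and rb[3] == 0]


def build_query(txid, qname, qtype=1):
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid, qname, qtype, answers):
    """answers: list of (owner, type, ttl, rdata_bytes). Owner == qname uses a pointer to offset 12."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += _name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, ttl, rdata in answers:
        msg += (b"\xc0\x0c" if owner == qname else _name(owner))
        msg += struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


# CNAME chain answer as seen inside the NAT, and the same answer with every TTL zeroed
# (hand-built here to stand in for what the ALG is reported to do).
QUERY = build_query(TXID, QNAME)
CLEAN = build_response(TXID, QNAME, 1, [
    (QNAME, 5, 3600, _name("host.example.com.")),
    ("host.example.com.", 1, 300, bytes([192, 0, 2, 1])),
])
MANGLED = build_response(TXID, QNAME, 1, [
    (QNAME, 5, 0, _name("host.example.com.")),
    ("host.example.com.", 1, 0, bytes([192, 0, 2, 1])),
])
WRONG_QUESTION = build_response(TXID, "www.example.org.", 1, [
    ("www.example.org.", 1, 300, bytes([192, 0, 2, 2])),
])

if __name__ == "__main__":
    print("question mismatch (clean):", question_mismatch(QUERY, CLEAN))
    print("question mismatch (wrong):", question_mismatch(QUERY, WRONG_QUESTION))
    print("TTLs zeroed by the NAT path:", zeroed_ttls(CLEAN, MANGLED))
```

In practice `inside` and `outside` would be the same response captured on both sides of the NAT (for example with tcpdump on the server and on a client beyond the device); any record the function lists is one the ALG rewrote, and the `no ip nat service alg ... dns` lines above are the way to stop that rewriting on IOS.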