NAT and Question Section Mismatch

John Wiles john at
Wed Apr 22 13:42:16 UTC 2020

Thank you to everyone taking the time to reply and provide guidance with this problem.

Our Cisco guy turned off ALG on the NAT for DNS and our reverse DNS lookups are now working properly.

Just to follow up, found this after searching using Ondřej Surý's description and Reindl Harald's replies. Amazing that Cisco actually mentioned it in a document:

NAT application awareness includes support for the Domain Name System (DNS). An application-level gateway (ALG) translates IP addresses and port numbers embedded in the DNS payload when a NAT mapping is processed.

With CSCuc05660, for DNS payloads that are address-translated, the DNS time to live (TTL) value in CNAME entries is passed through. Before CSCuc05660 and before support for the ip nat service dns-reset-ttl command was added, the TTL value in the CNAME entries was reset by default.

> -----Original Message-----
> From: bind-users [mailto:bind-users-bounces at] On Behalf Of
> Reindl Harald
> Sent: Tuesday, April 21, 2020 7:37 PM
> To: bind-users at
> Subject: Re: NAT and Question Section Mismatch
>
> On 21.04.20 at 21:30, Ondřej Surý wrote:
> > There was a setting in Cisco which would handle the host behind the
> > NAT differently when the DNS traffic passed the matching NAT.
> >
> > I found a bug in the Cisco devices more than 10+ years ago when it
> > would mangle the TTL to `0`.  I don’t really remember the details
> > though, but it’s not only the `ip inspect` that might be at fault.
> cisco dns ALG even mangles the TTL of CNAMES within a zone-transfer which
> was the reason to set up a vpn peer to avoid zero TTLs on public slaves
>
> no ip nat service alg tcp dns
> no ip nat service alg udp dns

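An added example, not code from any poster in this thread, from BIND or from Cisco: a check for the two symptoms discussed above, comparing the question section of a captured query with that of its response and flagging answers whose TTL is 0. The function names, the documentation-range addresses and the `host.example` target are constructed for illustration.

```python
import struct

def read_name(msg, off):
    """Decode the DNS name at off, following compression; return (name, next_off)."""
    labels, end = [], None
    for _ in range(256):                          # bound the walk: no pointer loops
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:                              # root label ends the name
            return ".".join(labels).lower(), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
    raise ValueError("name too long or compression loop")

def parse(msg):
    """Return ((qname, qtype, qclass), [(owner, rrtype, ttl), ...]) for the answers."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qd != 1: raise ValueError("expected exactly one question")
    qname, off = read_name(msg, 12)
    question = (qname, *struct.unpack("!2H", msg[off:off + 4]))
    answers, off = [], off + 4
    for _ in range(an):
        owner, off = read_name(msg, off)
        rrtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answers.append((owner, rrtype, ttl))
        off += 10 + rdlen                         # skip RDATA
    return question, answers

def check_response(query, response):
    """Findings that suggest something on the path rewrote the DNS payload."""
    (sent, _), (got, answers) = parse(query), parse(response)
    findings = [f"question mismatch: sent {sent[0]}, got {got[0]}"] if sent != got else []
    findings += [f"zero TTL on {o} (type {t})" for o, t, ttl in answers if ttl == 0]
    return findings

def build(qname, ttl=None):
    """Constructed sample: PTR query for qname, plus one PTR answer if ttl is given."""
    wire = lambda n: b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\0"
    msg = struct.pack("!6H", 0x1234, 0x0100 if ttl is None else 0x8180, 1, int(ttl is not None), 0, 0)
    msg += wire(qname) + struct.pack("!2H", 12, 1)
    if ttl is not None:                           # owner = pointer back to the question
        rd = wire("host.example")
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 12, 1, ttl, len(rd)) + rd
    return msg

if __name__ == "__main__":
    print(check_response(build("10.2.0.192.in-addr.arpa"), build("10.100.51.198.in-addr.arpa", 0)))
```

Feeding it the raw DNS payloads of a query and its response captured on either side of the NAT device shows on which side the payload changes.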