09-22-2020 02:15 PM
I'm still trying to get info from a vendor on this and why it is, but has anyone ever seen a DNS A record query for (w/o quotes) "-.-"?
Literally, that's what the app is querying for. The thing is, the app is querying the vendor's server, not any public DNS servers. I can't actually get such a query to run manually against a normal DNS server. Nslookup tells me it's invalid. My googles are also failing to find anything to say it's even a valid query.
The standard response on the WAN side of equipment (ISR4Ks, ISR G2s, and Merakis) is the public IP of the device is the A record. I.e. 1.2.3.4.
When said response is translated back to the LAN on an ISR4K, it shows up as the IP of the requesting internal device, i.e. 192.168.1.1. It appears NAT is translating the reply for some reason. This breaks the application.
So if anyone has seen such a query before, would love to hear about it, and if you know it's valid and documented in an RFC or something, it would help if I end up going to TAC.
Thanks!
09-22-2020 10:32 PM
Hello,
weird indeed. Which application is doing the query ?
09-23-2020 11:14 AM
The app is WebTitan.
Per an update I just got from them, it is an "empty domain" DNS request. I still can find no evidence of this being something that is defined in RFCs or used in any other application. They gave me an nslookup command that does work, but only against their servers.
(Command is "nslookup -\")
My main concern is if I engage TAC they are going to say it's custom and they don't have to support it. I wouldn't really disagree with them, but it will be a problem if we can't get this software working.
09-23-2020 06:38 PM
Well my boss, who when doing tech stuff was a server guy, found the answer: https://serverfault.com/questions/17170/cisco-nat-causes-nslookup-to-return-local-ip
The command is different in IOS XE, and we don't actually have a static NAT like in this example, but turning off DNS doctoring fixes it.
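The rewritten reply described in this thread, as an added example that is not from any of the posts: a minimal DNS message builder and parser that decodes the "-.-" query name from the wire format and flags an A record that arrives carrying a private address, which is the fingerprint of NAT DNS doctoring (the DNS ALG) rewriting a reply in transit. The packets are constructed here, not captured from a real device.

```python
import ipaddress
import struct

def build_response(name, addr, txid=0x1234):
    """Build a minimal DNS response (one question, one A answer) as bytes.
    Constructed sample only; the odd name "-.-" encodes fine on the wire."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA set
    question = qname + struct.pack(">HH", 1, 1)                # QTYPE=A, QCLASS=IN
    # Answer owner name is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def a_records(msg):
    """Return [(owner name, IPv4Address)] for every A record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                      # skip QTYPE + QCLASS
    out = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append((name, ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return out

def doctored_answers(msg):
    """Answers carrying a private address. From a public resolver this should never
    happen, so a hit means a NAT device rewrote the A record (DNS doctoring)."""
    return [(n, str(a)) for n, a in a_records(msg) if a.is_private]
```

Feed it the reply as seen on the WAN side (1.2.3.4) and the reply as seen on the LAN side (192.168.1.1); only the LAN-side copy is flagged.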
09-24-2020 06:25 AM - edited 09-24-2020 06:26 AM
Hello
So just to confirm: you wish your internal clients to be able to access this application via its public DNS name record that resolves to a public routed IP address?
If so, you can doctor/hairpin your NAT DNS to achieve this.