Date:      Tue, 7 Aug 2001 00:11:37 -0700
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Mike Roest" <bsd-lists@blahz.ab.ca>, <freebsd-questions@FreeBSD.ORG>
Subject:   RE: natd redirect_port only works from the outside
Message-ID:  <002401c11f10$32f8f9c0$1401a8c0@tedm.placo.com>
In-Reply-To: <NCEHIMLGAONJIIDNJCIJMEBPDFAA.bsd-lists@blahz.ab.ca>

Another thing that is worth mentioning in the DNS trickery department is
that if you're running NAT on a Cisco router, and the DNS server is outside,
if you have static translation maps between inside and outside addresses
on the Cisco device, it will muck with the DNS calls from the inside
hosts.

That is, suppose you have a host at 192.168.1.1 querying a name of
www.foo.com which maps to a legal address of 25.25.25.1 which has
a static NAT mapping to 192.168.1.5 on the Cisco.  The host issues a DNS
query to 24.25.26.7 and the response comes back saying to go to 
25.25.25.1 - well the Cisco will see that this belongs to a static map
and rewrite the payload of the DNS response packet that is returning to 
192.168.1.1 so that 25.25.25.1 is replaced with 192.168.1.5.  Thus the
inside host at 192.168.1.1 sends traffic to 192.168.1.5 directly.


Ted Mittelstaedt                                       tedm@toybox.placo.com
Author of:                           The FreeBSD Corporate Networker's Guide
Book website:                          http://www.freebsd-corp-net-guide.com


>-----Original Message-----
>From: Mike Roest [mailto:bsd-lists@blahz.ab.ca]
>Sent: Tuesday, August 07, 2001 12:04 AM
>To: freebsd-questions@FreeBSD.ORG
>Cc: Ted Mittelstaedt
>Subject: RE: natd redirect_port only works from the outside
>
>
>Yeah,
>	I suppose I didn't really think of that, that is really a more KISS
>solution than 2 processes/servers. Come to think of it I would probably go
>with that solution if it is feasible in the situation.  But of course there
>are going to be situations in which it wouldn't work but in general it's
>probably the least time consuming and requires the least upkeep.
>
>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Ted
>Mittelstaedt
>Sent: Tuesday, August 07, 2001 12:54 AM
>To: Mike Roest; freebsd-questions@FreeBSD.ORG
>Subject: RE: natd redirect_port only works from the outside
>
>
>In actual practice I have found that if you do something like this:
>
>www		IN	A	63.105.29.28
>www-in	IN	A	192.168.0.10
>
>and train the users to use
>
>http://www.foobar.com/blahblah
>
>when they are outside and
>
>http://www-in.foobar.com/blahblah
>
>when they are inside, that they quickly become accustomed to this and
>it is not generally a problem.  Most people use bookmarking heavily
>or you can create icons on their desktop with the internal IP number
>URL and they end up never typing in the URL anyway.
>
>And of course you don't use absolute references in your HTML code, you
>use relative references and the web browser takes care of the problem
>for you.
>
>Ted Mittelstaedt                                       tedm@toybox.placo.com
>Author of:                           The FreeBSD Corporate Networker's Guide
>Book website:                          http://www.freebsd-corp-net-guide.com
>
>
>>-----Original Message-----
>>From: owner-freebsd-questions@FreeBSD.ORG
>>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Mike Roest
>>Sent: Monday, August 06, 2001 11:49 PM
>>To: freebsd-questions@FreeBSD.ORG
>>Subject: RE: natd redirect_port only works from the outside
>>
>>
>>The problem with that is if you assign a pair of records like this:
>>
>>www	IN	A	63.105.29.28
>>www	IN	A	192.168.0.10
>>
>>There is a 50/50 chance (give or take) that an external host will do a dns
>>lookup and grab the internal 192.168.0.10 IP.  There are 2 ways around
>>this.
>>
>>1) Run an internal only DNS server that all hosts behind the gateway use to
>>lookup local services.
>>2) run 2 bind processes on the gateway box.  One process bound to the
>>external IP nic and one bound to the internal IP NIC. This is accomplished
>>through the listen-on directive in bind 9 found on page 54 of the bind 9
>>reference manual.  Then assign in your whois record the external box as the
>>primary DNS server for the zone.
>>
>>In both situations you will have to assign all the internal boxes to use the
>>Internal only DNS server as their main DNS. So most likely the internal DNS
>>would need to be a caching server as well.
>>
>>Hope this helps
>>
>>--Mike
>>
>>-----Original Message-----
>>From: owner-freebsd-questions@FreeBSD.ORG
>>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Crist J. Clark
>>Sent: Tuesday, August 07, 2001 12:37 AM
>>To: Tabor Kelly
>>Cc: freebsd-questions@FreeBSD.ORG
>>Subject: Re: natd redirect_port only works from the outside
>>
>>
>>On Mon, Aug 06, 2001 at 06:14:13PM -0700, Tabor Kelly wrote:
>>
>>[snip]
>>
>>> > In split DNS, somehost.mydom.org will
>>> > map to 63.105.29.28 for the outside world and 192.168.0.10 (or
>>> > whatever) for your local net.
>>>
>>> I understand this, I was wondering if this can be done off of one bind
>>> service, or if I will need to run 2. I am sorry if this is a silly
>>> question, I have not set bind up yet.
>>
>>Yes, you can do it with one named(8) process. You pretty much have to
>>since only one can be listening on port 53 at a time.
>>--
>>Crist J. Clark                           cjclark@alum.mit.edu
>>
>>To Unsubscribe: send mail to majordomo@FreeBSD.org
>>with "unsubscribe freebsd-questions" in the body of the message
>>
>>
>>
>
>
>
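The static-map rewrite Ted describes for the Cisco, as an added example that is not code from anyone in this thread: a minimal model of a NAT DNS ALG that parses a constructed DNS reply and swaps the outside half of a static map (25.25.25.1) for the inside address (192.168.1.5). The packet builder, the function names and the map itself are assumptions for illustration; the addresses come from Ted's message.

```python
import struct
import ipaddress

# Static NAT map from Ted's example (values taken from the message): the
# outside address the DNS server hands out -> the inside host it maps to.
STATIC_MAP = {"25.25.25.1": "192.168.1.5"}

def build_response(name, answers, txid=0x1234):
    """Constructed test input: a minimal DNS reply with one A record per
    address, each answer name written as a 0xC00C pointer to the question."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    hdr = struct.pack(">HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = qname + struct.pack(">HH", 1, 1)            # QTYPE=A, QCLASS=IN
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
                   + ipaddress.IPv4Address(a).packed for a in answers)
    return hdr + question + rrs

def skip_name(pkt, off):
    """Return the offset just past a domain name (labels or a compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:       # pointer: 2 bytes and the name ends
            return off + 2
        off += 1 + length

def nat_rewrite_answers(pkt, static_map):
    """Rewrite A-record RDATA the way the router's DNS ALG does: an address that
    is the outside half of a static map becomes the inside address, so the
    inside host talks to 192.168.1.x directly. Returns (packet, changes)."""
    out = bytearray(pkt)
    changed = []
    qdcount, ancount = struct.unpack(">HH", pkt[4:8])
    off = 12                                        # fixed-size DNS header
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4               # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:               # only A records are touched
            addr = str(ipaddress.IPv4Address(pkt[off:off + 4]))
            if addr in static_map:
                out[off:off + 4] = ipaddress.IPv4Address(static_map[addr]).packed
                changed.append((addr, static_map[addr]))
        off += rdlen
    # A real device would also recompute the UDP checksum after this rewrite.
    return bytes(out), changed
```

When an inside host receives a private address in a reply from an outside resolver, capturing the same reply on both sides of the router shows whether this rewrite, rather than a split-DNS record, is the cause.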
