BIND behind NAT (see also: DNS behind NAT)

Marc.Thach at radianz.com
Mon Aug 6 11:42:24 UTC 2001



George,
If you go down this route, then you will need to allow traffic to your
DNS/mailserver to pass through unNATted.  This will give you a better DNS
solution than relying on the Cisco router to translate since Cisco only
support A and PTR records, but it means that your BIND config is more
complex.  These days you would probably use BIND 9 views rather than
separate named instances.
Note that if you use a dynamic pool for your inside clients, then you
should apply an acl on the Cisco for the NAT pool which disallows the
DNS/mailserver address.

Simon,
apologies, I messed up by replying to George earlier without copying the
group so you missed:

George:
> THE ANSWERS ARE ALL TRUE EXCEPT:
>
> 2a inside
>
> ie. I have all clients and my single dns,mail server sitting inside.
> I want the dns,mail server (rh70) to be used as a dns server on the outside
> as well as the inside.
> I have my clients and hosts running 192.168.0.x ips
>
> I have made static NAT translation on the cisco but my query is the
> following:
>
> What will be the forward & reverse zone files?
>
> 1. Localhost reverse 0.0.127.inaddr-arpa.db
> 2. Reverse zone 0.3.5.232.inaddr-arpa.db [REAL INTERNET IPS]
> 3. Reverse zone 0.168.192.inaddr-arpa.db [PRIVATE IPS - LAN]
> 4. Forward zone domain.com.db [REAL INTERNET IPS]
>
> Is the above correct?

rgds
Marc TXK



Simon Waters <Simon at wretched.demon.co.uk>
Sent by: bind-users-bounce@isc.org
To: undisclosed-recipients:;
cc:
Subject: Re: BIND behind NAT
03/08/2001 22:33

George Zaroubi wrote:
>
> Thanks for the informative response, I am using static NAT for the DNS/Mail
> Servers. I had already tumbled to that CISCO document - what a nightmare!
> Isn't there something much more simple?

It only applies to the dynamic NAT, and I wrote the web page
because whilst the CISCO document is accurate it is also very
heavy. The main thing is you aren't doing this AFAICT.

> I am using 20 clients with Private Ips - have a range of 16 addresses (real)
> and am using NAT on the Cisco for the possibility of future growth. I don't
> have a DMZ and would like to service both the outside world and the local
> clients with this DNS server?

No DMZ - hmm, my "let's sell him security consulting" bells are
ringing *8-)

> Do I have to create two instances of BIND running? What configuration files
> would I need?

You definitely don't need two instances of BIND, but it may be
easier and more secure that way.

Personally I'm a big fan of shipping your external DNS to your
ISP. They typically have people who do it day in, day out, and
appropriate redundant servers, and it saves you bandwidth (Just
a little).

A typical config may be something like...

Consider one BIND instance serving the external requests, that
just serves data, and gets secondaried by your other Internet
sited DNS servers, if you must manage this bit yourself.

Use another (pair) of BIND instances that don't answer requests
from the Internet to serve the internal versions of these names,
and to query the Internet for your servers.

--
Are you using the Internet to best effect ? www.eighth-layer.com
Tel: +44(0)1395 232769      ICQ: 116952768
Moderated discussion of teleworking at news:uk.business.telework
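Marc's "BIND 9 views" suggestion and Simon's "one instance for the outside, another for the inside" split can be expressed in a single named.conf, shown here as an added example that is not from the thread. domain.com, the zone file paths, the 192.168.0.0/24 LAN acl, the documentation block 192.0.2.0/24 standing in for the real public addresses, and the 198.51.100.5 secondary are all assumptions.

```conf
// Added example, not from the original posts. Views are matched in
// order, so the internal view must come before the catch-all external one.
acl "lan" { 192.168.0.0/24; 127.0.0.1; };

options {
    directory "/var/named";
};

// Inside clients (behind the Cisco NAT) get the RFC 1918 answers and
// are the only ones allowed to use this server as a recursive resolver.
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    allow-query { "lan"; };

    zone "domain.com" {
        type master;
        file "internal/domain.com.db";          // 192.168.0.x answers
    };
    zone "0.168.192.in-addr.arpa" {
        type master;
        file "internal/0.168.192.in-addr.arpa.db";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "0.0.127.in-addr.arpa.db";
    };
    zone "." { type hint; file "named.ca"; };   // root hints for recursion
};

// Everyone else sees only the public (statically NATted) addresses.
// recursion no keeps the public-facing view from becoming an open
// resolver, and the private zones above are simply not present here.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    allow-transfer { 198.51.100.5; };           // assumed ISP secondary

    zone "domain.com" {
        type master;
        file "external/domain.com.db";          // public-address answers
    };
    zone "2.0.192.in-addr.arpa" {               // assumed public /24
        type master;
        file "external/2.0.192.in-addr.arpa.db";
    };
};
```

With only 16 real addresses the public reverse zone is normally delegated by the ISP rather than served as a full /24, so the external reverse zone here is illustrative.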
