Address sorting.

Mark Andrews Mark_Andrews at isc.org
Sun Nov 27 22:01:54 UTC 2005


> Greetings all,
> 
> I have run into an interesting situation for which no solution plainly
> presents itself.
> 
> In the interest of security I am using NAT to wall off my hosts; any
> host that needs incoming connections receives openings in the firewall on
> a port-by-port basis.  My router will not allow the same packet to be
> NATed twice.  That is, any packet from internal destined for an address
> that is being forwarded to an internal host gets NATed once going out,
> then would be NATed again on its way back in.  The router sees this and
> drops the packet.  I have always thought the solution was to use the DNS
> server to always give the internal address of a host if the query
> originated from internal and to always give the external IP if the query
> originated from a non-internal address.  I see how to use address
> sorting to prefer the internal addresses from internal hosts.  What I
> have yet to figure out is how to make 100% sure that no internal
> addresses are returned if the query comes from a non-internal address.
> 
> No email this long would be complete without pseudocode!
> In essence this is what I am shooting for:
> If query is from internal then prefer internal address.
> If query is not from internal then prefer external addresses.
> 
> Thanks in advance,
> -Mark

	Solution 1:  Replace the NAT with a stateful firewall and
	get enough address space to serve your needs.  The NAT just
	adds packet mangling and that is where your problem is.

	Solution 2:  Maintain internal versions of your public zones
	(with or without views) which have the internal addresses rather
	than the public addresses.

	Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
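The "with views" form of Solution 2, as an added example that is not part of the original thread. It shows the split-horizon layout the original poster was after: sortlist can only reorder the addresses in an answer, whereas views let the server hand out a different zone file depending on the client's source address, so an external querier never sees the RFC 1918 addresses at all. The network 192.168.1.0/24, the name example.com, the addresses 192.168.1.10 and 203.0.113.10 and the zone file paths are assumptions chosen for illustration.

```conf
// Added named.conf fragment (BIND 9). Not from the original thread.
// Assumptions: internal LAN is 192.168.1.0/24; www.example.com is
// 192.168.1.10 inside and 203.0.113.10 (the NATed public address) outside.

acl "internal" {
    127.0.0.0/8;
    192.168.1.0/24;
};

// Views are matched in order; the first view whose match-clients
// matches the querier wins, so the internal view must come first.
view "internal" {
    match-clients { "internal"; };
    recursion yes;                  // inside hosts may recurse through us

    zone "example.com" {
        type master;
        // Contains:  www  IN  A  192.168.1.10
        file "internal/example.com.zone";
    };
};

view "external" {
    match-clients { any; };         // everything that did not match above
    recursion no;                   // never recurse for the Internet

    zone "example.com" {
        type master;
        // Contains:  www  IN  A  203.0.113.10  (no internal addresses here)
        file "external/example.com.zone";
    };
};
```

Two practical caveats when converting an existing configuration: once any view is declared, every zone (including localhost, reverse zones and the root hints) has to live inside a view, and a zone that exists only in the internal view is simply NXDOMAIN/REFUSED to outsiders. Check the result from both sides rather than trusting the file: run named-checkconf after editing, then `dig @<server> www.example.com A` from an internal host and from an external one and confirm only the expected address appears in each answer.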