Adding DNS ALG support to Bind?

Bill boober95 at rogers.com
Mon Nov 2 21:07:44 UTC 2015


I was thinking of doing the DNS and the NAT on the same device, then (I 
assume) the DNS could use connection tracking hooks to add 'expectations' to 
the NAT.  Anyhow, that was what I was hoping, but I've not been able to find 
out much about anyone having done such a thing, so I might be dreaming.

/bill


On Sunday 01 November 2015 07:13, Reindl Harald wrote:
> the DNS-ALG can't be handled on the nameserver itself, it does not know
> anything about the NAT, the device doing the NAT knows
>
> hence the implementation is typically on the edge router
>
> Am 30.10.2015 um 17:38 schrieb Bill:
> > Thanks for your remarks.  What I am actually looking at is research in
> > mobile networks where I'd like devices that may or may not be connected
> > to be accessible by name.  The devices might have different IP addresses
> > when they connect and I don't want any connection to them to be able to
> > keep an old IP, or even know what their IP address is.  By that I mean
> > they should appear as if they initiated the connection from behind the
> > NAT.
> >
> > I picked up on the DNS-ALG spec as possibly addressing part of this and
> > hoped if there was an implementation I'd start with it.  If there isn't
> > anything to help, then I will have to look into implementing my own
> > reversible NAT, using IPtables, NAT, connection tracking and whatever
> > else I find useful.
> >
> > On Saturday 24 October 2015 17:06, Reindl Harald wrote:
> >> you *really* do not want that
> >>
> >> have been punished more than one time by cisco routers having that crap
> >> enabled and breaking DNS in various ways, including mangling zone transfers
> >> and setting the TTL of every CNAME to 0 instead of leaving it untouched, or just
> >> breaking zone transfers silently altogether
> >>
> >> set up internal and external DNS servers and keep in mind that with DNSSEC
> >> that would likely not really work anyway
> >>
> >> Am 24.10.2015 um 22:49 schrieb Bill:
> >>> I was wondering if anyone has looked at or is in the process of adding
> >>> DNS ALG support, or something similar, to bind?
> >>>
> >>> https://tools.ietf.org/html/rfc2694
> >>>
> >>> What I would like to do is to have the ability to query a DNS server
> >>> located behind a NAT, and have it return the IP of the NAT, and set up
> >>> connection tracking in the NAT to pass traffic through to the host behind
> >>> the NAT.  The effect of this is to have a reversible NAT, i.e. one that
> >>> provides access to hosts behind the NAT, not by their IP, but by their
> >>> hostname.
> >>>
> >>> (There are other things in DNS ALG, but I am really interested only in
> >>> the reversible NAT aspect.)
> >>>
> >>> Implementing this seems to need the DNS server (bind in this case), to
> >>> configure the NAT using the 'expect' feature of connection tracking.
> >>> This would permit the following packets to traverse the NAT to the
> >>> host, provided of course they meet the expectation (source, protocol,
> >>> etc).
> >>>
> >>> I'd like to know if anyone has looked at this, is implementing it, or
> >>> knows of any implementations.  I have looked into it but have only seen
> >>> enterprise implementations (Cisco & Juniper), but nothing open-source



More information about the bind-users mailing list