Newbie: DNS and NAT?
Brad Knowles
brad.knowles at skynet.be
Tue Sep 18 08:31:39 UTC 2001
At 10:13 AM -0100 9/18/01, john-paul delaney wrote:
> Before delving into the Cricket DNS book I've just bought, I'd like to ask
> the list if it's even possible to run a 'public' DNS behind an adsl/router
> that does basic filtering and NAT/PAT? I see I can pass all traffic on
> port 53 to the RH/Apache/Sendmail/Bind9.1.3 (second-hand P100), but am not
> sure if RR's pointing to the only public ip I have (on the router,
> naturally) will suffice?

The problem with trying to do DNS through a NAT device is that if
the machine doesn't see itself on the list of authoritative
nameservers, it will answer non-authoritatively (which would mean
that your secondaries/slaves would consider your primary/master to be
broken, and would be unable to get a good zone transfer from you).

But, if you list the machine's private IP address in the zone as well
as its public one (assuming that you have a static IP address
assigned to you by your ADSL provider), then people are going to be
unable to contact your primary/master reliably.

It's kind of a "damned if you do, damned if you don't" scenario.

Now, if the Linux box you've set up is doing the NAT itself, then
you should be able to run a copy of BIND which uses the public
un-NAT'ed interface, and assuming that you have a static IP address
assigned to you by your provider, you should probably be okay.

But if you don't have a static IP address, you're screwed again.

In cases like this, you need to find a service provider who will
give you reliable primary DNS, so that GraniteCanyon can be your
secondary. You may end up having to pay for this service. If you
are willing to pay for this service, I'd suggest you check out the
folks at Nominum, who have different options available for their
Global Name Service facilities that they offer.

--
Brad Knowles, <brad.knowles at skynet.be>