Problem BIND behind NAT

John Morgan Salomon john at soda.CSUA.Berkeley.EDU
Mon May 8 12:09:11 UTC 2000


Hi there,

I have a strange problem I would enormously appreciate some help with.

I am running BIND 8 on a FreeBSD machine behind a DSL router which does
NAT.  The router has a registered IP on its external interface, and
a 192.168.x.x IP on the inside.  It passes everything reaching its external
if to the server, regardless of protocol, and passes out everything
reaching its internal if.  NAT works great, and all udp/tcp/icmp traffic
to/from the server passes perfectly.

My reason for setting up DNS on the server is to provide forward lookups
for the external IP of the router.  That is, I want to register that
IP as the authoritative NS for some domain "foo.com", and when someone
wants to look up www.foo.com, they are passed to that IP (and by extension,
the server inside, since the NAT box passes everything in to that machine,
regardless.)

I believe that I have BIND configured correctly, since putting another
host on the internal 192.168.x.x net, pointing its nslookup at my NS'
192.168.x.x IP, and asking it to figure out some outside address
(www.cnn.com, etc) works great.  It's a pretty simple configuration in 
any case.  However, when I do an nslookup on a client somewhere on the
internet and point it to my DSL router's external IP as its nameserver,
asking it to resolve "www.foo.com", I get no reply.

A tcpdump on the server's interface shows an authoritative answer going
out with the correct record, but it never reaches my client outside.  I
don't believe that it's a NAT problem, since I've tried connecting via
netcat to/from any number of both tcp and udp ports between a machine on
the internet and the external router IP/my server, which always works.

I've also, just for gags, tried the same setup with an NT DNS server (ugh)
with the same result.

Some background info:  the router's external IP is _not_ registered as
the authoritative NS for my domain, nor do I have reverse lookup authority
over that IP.  I figured that shouldn't be a problem if you explicitly
specify a nameserver.

What I do see when sniffing on my server's interface is an inordinate amount
of traffic with my root servers, as well as with the name server which
is authoritative for the domain on which the client sits (the one on the
internet on which I'm doing the nslookup.)  

Could it be that, since I don't have reverse authority over the external
IP of the router, the client's nameserver can't resolve the name of the
server doing the reverse query and times out?  Am I missing something 
horribly simple?  The docs on DNS and NAT are a bit scanty, but I'd
appreciate any help.

Thanks very much,

-John
-- 
This is an official Press Release of Z.O.G. Laboratories International
                     Department of Propaganda
                     ZOGNET: zog.net, zog.ch
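A small probe for the check described in the post (sending a query straight at the router's external IP and seeing whether an answer comes back), added here as an example; it is not part of the original message and not BIND's code. It builds a DNS query with the standard library only, reports the reply's AA flag and rcode, and records whether the reply arrived from the same address and port that were queried, which is the detail a resolver uses to accept or drop the answer. The server address in the usage line is a placeholder.

```python
import socket
import struct

QID = 0x1234  # fixed query id so the reply can be matched (constructed value)

def build_query(name, qtype=1):
    """Encode a plain DNS query: RD=0, one question, class IN (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", QID, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(data):
    """Decode the 12-byte DNS header into the fields worth looking at."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid,
        "is_response": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),   # authoritative answer bit
        "tc": bool(flags & 0x0200),   # truncated, client should retry over TCP
        "rcode": flags & 0x000F,      # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }

def probe(server_ip, name, timeout=3.0):
    """Send one UDP query and return the parsed reply header, or None on timeout."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            data, peer = sock.recvfrom(4096)
        except socket.timeout:
            return None
    result = parse_header(data)
    result["reply_from"] = peer
    result["id_matches"] = result["id"] == QID
    # Resolvers drop replies whose source address/port differ from the
    # address/port they queried; through NAT that shows up as "no reply".
    result["source_matches"] = peer == (server_ip, 53)
    return result

if __name__ == "__main__":
    # Placeholder address; replace with the router's external IP.
    print(probe("192.0.2.1", "www.foo.com"))
```

Run it from a host on the internet; a None result means no reply at all, while a reply with source_matches False means the answer left the NAT box with a rewritten source and would be discarded by nslookup.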