DNS behind NAT

Marc.Thach at radianz.com Marc.Thach at radianz.com
Mon Aug 6 10:59:01 UTC 2001



George,
Given that you want outside access to your inside DNS/mailserver I'd
categorise 2a as both.  Anyway, Cisco's doco states that A and PTR records
are NATted OK, which implies that 0.3.5.232.inaddr-arpa.db is not
required, but I haven't tried this yet myself.

You will also need a root hints file, and to get the public addresses
delegated to your NATted DNS address.  Personally I find it easier to name
my PTR zones using the network address rather than the domain name e.g.
db.232.5.3 but others on the list may disagree.

rgds
Marc TXK



From: "George Zaroubi" <george at zaroubi.com>
To: <Marc.Thach at radianz.com>
cc:
Subject: DNS behind NAT
Date: 03/08/2001 16:07
Please respond to george

Marc,

Initially I would like to thank you for your feedback.

You sent:


George,
1. How big is your public address range?
2. Does your DNS server provide authoritative nameservice for your domains?
2a.  If so, where are the clients located? inside and/or outside the NAT?
2b.  If so, where are the hosts located? inside and/or outside the NAT?
2c.  How many hosts?
3. Does your DNS provide caching service for your own clients?
3a.  If so, where are the clients located? inside and/or outside the NAT?

If the answers are as follows:
1. bigger than (2c)
2. Yes
2a.  Both
2b.  Inside
2c.  fewer than (1)
3. Yes
3a.  Inside

THE ANSWERS ARE ALL TRUE EXCEPT:

2a inside

i.e. I have all clients and my single DNS/mail server sitting inside.
I want the DNS/mail server (rh70) to be used as a DNS server on the outside
as well as the inside.
I have my clients and hosts running 192.168.0.x IPs.

I have made static NAT translation on the cisco but my query is the
following:

What will be the forward & reverse zone files?

1. Localhost reverse 0.0.127.inaddr-arpa.db
2. Reverse zone 0.3.5.232.inaddr-arpa.db
[REAL INTERNET IPS]
3. Reverse zone 0.168.192.inaddr-arpa.db
[PRIVATE IPS - LAN]
4. Forward zone domain.com.db
[REAL INTERNET IPS]

Is the above correct?

Thanks in advance.


George Zaroubi
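As an added illustration, not from either poster, here is one way to lay out the named.conf zone stanzas and the public forward/reverse zone files the exchange above describes. It assumes BIND 8.2+/9 syntax, the domain.com and 232.5.3.0/24 values as written in George's mail, a LAN of 192.168.0.0/24, and that caching is restricted to inside clients (3a = Inside).

```conf
// --- named.conf (added example, not from the thread) ---
// Assumes BIND 8.2+/9 syntax, the domain.com and 232.5.3.0/24 values
// George used, and a LAN of 192.168.0.0/24.
acl "inside" { 192.168.0.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    // 3a = Inside: recurse only for LAN clients, so outside hosts get
    // authoritative answers but cannot use this box as an open resolver
    allow-recursion { "inside"; };
};

zone "." { type hint; file "db.cache"; };   // the root hints file Marc refers to
zone "0.0.127.in-addr.arpa" { type master; file "db.127.0.0"; };
zone "domain.com" { type master; file "db.domain.com"; };

// Public reverse zone: the /24 232.5.3.0 is 3.5.232.in-addr.arpa
// (no leading "0" label); file named by network address as Marc suggests.
zone "3.5.232.in-addr.arpa" { type master; file "db.232.5.3"; };

// Private reverse zone: answer only inside so 192.168 names never leak out
zone "0.168.192.in-addr.arpa" {
    type master; file "db.192.168.0";
    allow-query { "inside"; };
};

; --- db.domain.com: forward zone, public (static NAT) addresses only ---
$TTL 86400
@      IN SOA ns1.domain.com. hostmaster.domain.com. (
           2001080601 3600 900 604800 86400 )
       IN NS  ns1.domain.com.
       IN MX  10 mail.domain.com.
ns1    IN A   232.5.3.10    ; per Marc, the Cisco NAT rewrites this A record
mail   IN A   232.5.3.10    ; to the inside 192.168.0.x address for LAN queries

; --- db.232.5.3: public reverse zone ---
$TTL 86400
@      IN SOA ns1.domain.com. hostmaster.domain.com. (
           2001080601 3600 900 604800 86400 )
       IN NS  ns1.domain.com.
10     IN PTR ns1.domain.com.
```

To check the split from outside the NAT, a query for ns1.domain.com A should return 232.5.3.10 and a query for 10.0.168.192.in-addr.arpa PTR should be refused rather than answered.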