dns server behind a firewall with a non routed ip?

Marc Thach Xuan Ky marc.thach at tesco.net
Thu Dec 6 20:28:03 UTC 2001


Brad,
I spent a couple of hours wrestling with IOS policy routing and getting
nowhere. A second routable address is required, otherwise the NAT module
picks up the packet before the policy routing is performed.
rgds
Marc TXK

Marc Thach Xuan Ky wrote:

> Brad,
> Don't actually know when you've only got one address, but the idea is to pass
> traffic to the DNS server without traversing the NAT module.  I think possibly
> WCCP might help, or possibly policy routing, but I haven't tried it yet, maybe
> I will soon.  I can't say more than this at the moment, mainly due to my
> three-year-old pulling me away from the PC.
> I'll be in touch tomorrow.
>
> Brad Davis wrote:
>
> > hmm.. damn.. this uses a CBOS.. can you give me an idea how I would do it
> > on a regular IOS device? that way I can call cisco and have a clue what I'm
> > talking about?
> >
> > Thanks,
> > Brad
> > ----- Original Message -----
> > From: Marc Thach Xuan Ky <marc.thach at tesco.net>
> > To: Brad Davis <lists at linuxinstruct.com>
> > Cc: <bind-users at isc.org>
> > Sent: Tuesday, December 04, 2001 12:02 PM
> > Subject: Re: dns server behind a firewall with a non routed ip?
> >
> > > Brad,
> > > I'm not familiar with the non-IOS Ciscos.  I suspect that you are not
> > > going to succeed here.  Is there any way you could run your DSL out of
> > > another device?
> > > Marc TXK
> > >
> > >
> > > Brad Davis wrote:
> > >
> > > > I have to use NAT, I don't have a choice. I only get one IP and that is
> > > > for my router. BTW this is off my DSL so I'm using a Cisco 678 Router.
> > > >
> > > > This is my IOS:
> > > > IP NAT = enabled
> > > > IP NAT Entry = 192.168.2.2, 80, *, 80, *;192.168.2.2, 22, *, 22,
> > > > *;192.168.2.2, 21, *, 21, *;192.168.2.2, 53, *, 53, *;
> > > >
> > > > Thanks,
> > > > Brad
> > > > ----- Original Message -----
> > > > From: Marc Thach Xuan Ky <marc.thach at tesco.net>
> > > > To: Brad Davis <lists at linuxinstruct.com>
> > > > Cc: <bind-users at isc.org>; Simon Waters <Simon at wretched.demon.co.uk>
> > > > Sent: Tuesday, December 04, 2001 5:18 AM
> > > > Subject: Re: dns server behind a firewall with a non routed ip?
> > > >
> > > > >
> > > > > Brad,
> > > > > My view on this is that you shouldn't NAT the DNS server at all,
> > > > > static or dynamic it's all the same; if you NAT the DNS, the ALG (which
> > > > > translates DNS responses) is used.  I'm not sure exactly how you're
> > > > > forwarding the DNS requests, publishing your IOS config would help.
> > > > > rgds
> > > > > Marc TXK
> > > > >
> > > > > Brad Davis wrote:
> > > > >
> > > > > > yeah.. I'm using a Cisco router.. I would like to see those
> > > > > > references...
> > > > > >
> > > > > > what do you mean about dynamic NAT? how is that different from
> > > > > > regular NAT?
> > > > > >
> > > > > > Brad
> > > > > > ----- Original Message -----
> > > > > > From: Simon Waters <Simon at wretched.demon.co.uk>
> > > > > > To: Brad Davis <lists at linuxinstruct.com>
> > > > > > Sent: Tuesday, December 04, 2001 2:33 AM
> > > > > > Subject: Re: dns server behind a firewall with a non routed ip?
> > > > > >
> > > > > > > Brad Davis wrote:
> > > > > > > >
> > > > > > > > Hi All,
> > > > > > > >
> > > > > > > > I'm attempting to setup bind 8.2.3.
> > > > > > > >
> > > > > > > > I have it behind a router, on a box with an IP of 192.168.2.2 and
> > > > > > > > I'm forwarding port 53 from the router to this box. For some reason
> > > > > > > > bind isn't answering any of the DNS requests from the outside world.
> > > > > > > >
> > > > > > > > At first I couldn't do a 'nslookup - 192.168.2.2', only a 'nslookup -
> > > > > > > > 127.0.0.1'.. but then I created a reverse DNS zone for 192.168.2 and
> > > > > > > > added an entry for .2. Then I could do an 'nslookup - 192.168.2.2'. So I
> > > > > > > > set up a slave zone for the external IP address of my router and copied
> > > > > > > > that DNS info over.. thinking that if I had that info I could use it
> > > > > > > > from outside my network. Well now that I did that bind will respond
> > > > > > > > but it changes the IP of what the host is to the external IP of my
> > > > > > > > router. So this is what I get:
> > > > > > > > note the IPs and the server name have been changed.
> > > > > > > >
> > > > > > > > microsoft.com
> > > > > > > > Server:  my.server.com
> > > > > > > > Address:  12.34.56.78
> > > > > > > >
> > > > > > > > Name:    microsoft.com
> > > > > > > > Addresses:  12.34.56.78, 12.34.56.78, 12.34.56.78, 12.34.56.78,
> > > > > > > > 12.34.56.78
> > > > > > > >
> > > > > > > > any ideas on why this is happening? and how I could set this up
> > > > > > > > better?
> > > > > > >
> > > > > > > I've seen similar reports with Cisco Dynamic NAT - you shouldn't
> > > > > > > use the dynamic NAT unless that is what you need, I have
> > > > > > > references to Cisco web site if you are using a Cisco router.
> > > > > > >
> > > > > > > Assuming the responses are okay internally try posting the
> > > > > > > router configuration.
> > > > > > >
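Marc's point about the DNS ALG (a NAT feature that rewrites addresses inside DNS answers, not just in the IP header) is the mechanism behind the symptom Brad reports, so here is an added example, not code from the thread or from Cisco, that models that rewrite on a small DNS wire-format parser and gives a diagnostic check: look up the same name from the LAN and from outside, and flag any answer whose address differs between the two views. The constructed reply, the hypothetical inside-local to inside-global translation table, and the RFC 5737 documentation addresses are all assumptions made for this example.

```python
import struct
import ipaddress

A_TYPE = 1


def encode_name(name):
    """Encode a dotted hostname in DNS wire format (length-prefixed labels)."""
    out = b"".join(bytes([len(label)]) + label.encode()
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname, addrs, txid=0x1234, ttl=300):
    """Construct a minimal DNS response with one A record per address.
    This is a constructed sample, not a captured packet."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", A_TYPE, 1)
    # 0xC00C is a compression pointer back to the question name at offset 12
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, A_TYPE, 1, ttl, 4) + ipaddress.IPv4Address(a).packed
        for a in addrs)
    return header + question + answers


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg):
    """Return [(owner, ttl, address, rdata_offset)] for A records in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                            # skip qtype and qclass
    records = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A_TYPE and rdlen == 4:
            records.append((owner, ttl, str(ipaddress.IPv4Address(msg[off:off + 4])), off))
        off += rdlen
    return records


def nat_dns_alg(msg, translations):
    """Model of a NAT DNS ALG: rewrite the rdata of every A record whose address is
    an inside-local address in the translation table to its inside-global address."""
    out = bytearray(msg)
    rewritten = []
    for owner, _, addr, rdoff in parse_a_records(msg):
        if addr in translations:
            out[rdoff:rdoff + 4] = ipaddress.IPv4Address(translations[addr]).packed
            rewritten.append((owner, addr, translations[addr]))
    return bytes(out), rewritten


def compare_views(inside_msg, outside_msg):
    """Diagnostic: list answers whose address differs between the reply seen on
    the LAN and the reply seen from the Internet, the signature of ALG rewriting."""
    inside = parse_a_records(inside_msg)
    outside = parse_a_records(outside_msg)
    return [(i[0], i[2], o[2]) for i, o in zip(inside, outside) if i[2] != o[2]]


if __name__ == "__main__":
    # Hypothetical mapping: the LAN DNS host 192.168.2.2 is NAT'ed to 203.0.113.5.
    table = {"192.168.2.2": "203.0.113.5"}
    lan_reply = build_response("www.example.test", ["192.168.2.2", "198.51.100.7"])
    wan_reply, changed = nat_dns_alg(lan_reply, table)
    print("ALG rewrote:", changed)
    print("LAN vs WAN differences:", compare_views(lan_reply, wan_reply))
```

In practice the two replies come from `dig @192.168.2.2 host A` on the LAN and the same query sent to the router's public address from outside. If `compare_views` reports differences for records that are not the NAT'ed server itself, the ALG (or a zone copied with the wrong addresses) is rewriting answers, which is the thread's argument for keeping the DNS server out of the NAT path rather than trying to make the ALG behave.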

