Newbie: DNS and NAT?

Brad Knowles brad.knowles at skynet.be
Tue Sep 18 08:31:39 UTC 2001


At 10:13 AM -0100 9/18/01, john-paul delaney wrote:

>  Before delving into the Cricket DNS book I've just bought, I'd like to ask
>  the list if it's even possible to run a 'public' DNS behind an adsl/router
>  that does basic filtering and NAT/PAT?  I see I can pass all traffic on
>  port 53 to the RH/Apache/Sendmail/Bind9.1.3 (second-hand P100), but am not
>  sure if RR's pointing to the only public ip I have (on the router,
>  naturally) will suffice?

	The problem with trying to do DNS through a NAT device is that if 
the machine doesn't see itself on the list of authoritative 
nameservers, it will answer non-authoritatively (which would mean 
that your secondaries/slaves would consider your primary/master to be 
broken, and would be unable to get a good zone transfer from you). 
But, if you list the machine's private IP address in the zone as well 
as its public one (assuming that you have a static IP address 
assigned to you by your ADSL provider), then people are going to be 
unable to contact your primary/master reliably.

	It's kind of a "damned if you do, damned if you don't" scenario.


	Now, if the Linux box you've set up is doing the NAT itself, then 
you should be able to run a copy of BIND which uses the public 
un-NAT'ed interface, and assuming that you have a static IP address 
assigned to you by your provider, you should probably be okay.

	But if you don't have a static IP address, you're screwed again.


	In cases like this, you need to find a service provider who will 
give you reliable primary DNS, so that GraniteCanyon can be your 
secondary.  You may end up having to pay for this service.  If you 
are willing to pay for this service, I'd suggest you check out the 
folks at Nominum, who have different options available for their 
Global Name Service facilities that they offer.

-- 
Brad Knowles, <brad.knowles at skynet.be>
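
An added example, not part of the original message: a zone lint for the case described above, where the zone lists a private address for the primary alongside its public one. It flags A records of the zone's own NS hosts that fall in RFC 1918 space; the sample zone, its names and the function names are constructed for illustration, and the parser covers only simple one-line NS and A records.

```python
import ipaddress

# RFC 1918 ranges listed explicitly: ipaddress.is_private also matches
# documentation and other special-purpose ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample zone (not from the original post): ns1 is published
# with a public (documentation-range) address and a private one.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@     IN NS  ns1.example.com.
@     IN NS  ns2.example.net.
ns1   IN A   192.0.2.53
ns1   IN A   192.168.1.10
www   IN A   10.0.0.5
"""

def fqdn(name, origin):
    """Expand '@' and relative names against $ORIGIN."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse(zone_text):
    """Return (ns_targets, a_records) from a simple master-file zone."""
    origin, owner = ".", None
    ns_targets, a_records = set(), []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        tok = line.split()
        if tok[0].startswith("$"):                # directive line
            if tok[0].upper() == "$ORIGIN":
                origin = tok[1].lower()
            continue
        if not raw[0].isspace():                  # else inherit last owner
            owner = fqdn(tok.pop(0), origin)
        fields = [t.upper() for t in tok[:-1]]    # TTL/class/type, no rdata
        if "NS" in fields:
            ns_targets.add(fqdn(tok[-1], origin))
        elif "A" in fields:
            a_records.append((owner, ipaddress.ip_address(tok[-1])))
    return ns_targets, a_records

def private_ns_addresses(zone_text):
    """A records of the zone's own NS hosts that fall in RFC 1918 space."""
    ns_targets, a_records = parse(zone_text)
    return sorted((name, str(ip)) for name, ip in a_records
                  if name in ns_targets and any(ip in net for net in RFC1918))
```

Hosts that are not nameservers (such as `www` in the sample) are ignored, since the check is limited to addresses that resolvers would be told to contact for the zone.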


