Dynamic DNS and NAT

Herb Martin news at LearnQuick.com
Wed Jul 30 20:52:23 UTC 2003


> The network is a CDMA2000 mobile system.  This particular system only
> has around 10-20,000 active data subscribers.  The data subscribers
> are given a private (10.0.0.0) address.  A firewall performs NAT on
> subscriber traffic before reaching the Internet gateway router.  A DMZ
> exists off the firewall with the DNS servers.  The subscribers are
> mapped to only a few public IP addresses.  My understanding is that
> Dynamic DNS can allow external hosts to send data to subscribers via
> host name.

No, not without some extra code on the NAT beyond that normally
included in such software.

In order for the NAT to transfer unsolicited (initiated from outside)
messages to the internal users you must map either (entire) specific
addresses or specific address/port combinations to internal addresses
and ports.

Now -- I can imagine, and since it's conceivable someone might have
done it, software that would do the equivalent of "host headers" to use
DNS names for distinguishing many web sites on the same IP/port but
it would need to be special purpose. (Like the example HTTP idea.)

Many protocols have no "host headers" (there is no DNS name IN
THE REQUEST.)  In fact, older browsers (circa 1.0) didn't send the
needed host header.

> When used with DHCP service, the DHCP server will update
> DNS with correct IP address of subscriber host name whenever addresses
> are allocated.

Sure -- but what protocol are we using?  Probably email only right?
My Sprint PCS phone can accept email -- so somehow they map the
"dns" name xxxyyyzzzz at pcs.sprint.com to an "IP address" for that
phone.

Probably need a custom email server that sits on the boundary,
accepts the incoming email on public-address/port-25 and forwards
it to an internal address based on DNS name.

My guess is ATT and Sprint do it (somewhat) that way.

> External service would only see public IP address of Firewall NAT
> interface.  Because each subscriber is mapped to separate ports on the
> same address I don't see how DNS can keep track of the relevant
> information.

Ok, so you map 15,000 ports to 15,000 devices on a SINGLE
port -- you have handled ONE protocol.  Maybe you could do
4 protocols per device and all clients would need to KNOW and
SPECIFY the protocol-specific (and unusual) port for each desired
protocol.

You would connect to device #1 on:
    HTTP by  http://externalIP:10001
    FTP    by  ftp://externalIP:10002
    etc      by  etc://externalIP:10003

You would connect to device #2 on:
    HTTP by  http://externalIP:10005
    FTP    by  ftp://externalIP:10006
    etc      by  etc://externalIP:10007

Custom services would be far more flexible.  An SMTP
server that maps only SMTP, etc.

> Also port mapping to subscribers is dynamic so nailed up
> ports on firewall don't exist unless statically mapped.
>
> I would appreciate any opinions on this logic.

See above....
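Added example (not part of Herb Martin's post or any product he mentions) contrasting the two inbound-mapping approaches the reply describes: a port-based NAT table, in which every (subscriber, protocol) pair consumes one external port on the shared public address and the remote client must know that port, and an application-layer relay on the boundary that reads the host name out of the request itself (the HTTP Host header or the domain in an SMTP RCPT TO) and resolves it through the dynamic-DNS zone to the subscriber's private address. It extends the post's numbering to the "4 protocols per device" case (http, ftp, smtp, ssh) and adds a capacity check. The public address 198.51.100.1, the 10.x subscriber addresses, the subscriber names, the protocol set and the dictionary standing in for the dynamic-DNS zone are all constructed for the illustration.

```python
"""Port-based NAT versus name-based relay for unsolicited inbound traffic.

Everything here is constructed for the example: the public address, the
private subscriber addresses, the host names and the protocol set. The
dynamic-DNS zone is modelled as a plain dict (name -> private address).
"""

EXTERNAL_IP = "198.51.100.1"                 # hypothetical public NAT address
BASE_PORT = 10001                            # first forwarded port, as in the post
LAST_PORT = 65535
# Four protocols per device, each with its standard internal port.
PROTOCOLS = {"http": 80, "ftp": 21, "smtp": 25, "ssh": 22}
STRIDE = len(PROTOCOLS)                      # external ports consumed per device


def external_port(device_index: int, protocol: str) -> int:
    """External port for device N (1-based) and a protocol, following the
    post's layout: device 1 -> 10001..10004, device 2 -> 10005..10008, ..."""
    slot = list(PROTOCOLS).index(protocol)
    return BASE_PORT + (device_index - 1) * STRIDE + slot


def max_devices_per_address(n_protocols: int = STRIDE) -> int:
    """How many devices fit on ONE public address with this scheme."""
    return (LAST_PORT - BASE_PORT + 1) // n_protocols


def build_nat_table(subscribers):
    """Static DNAT table: external port -> (private address, internal port).
    Refuses to build a table that would overflow the 16-bit port space."""
    if len(subscribers) > max_devices_per_address():
        raise ValueError("too many subscribers for one public address")
    table = {}
    for n, private_ip in enumerate(subscribers, start=1):
        for proto, internal_port in PROTOCOLS.items():
            table[external_port(n, proto)] = (private_ip, internal_port)
    return table


def nat_forward(table, dst_port: int):
    """All a plain NAT can do: key on the destination port. No host name is
    visible at this layer, so a DNS name cannot influence the choice."""
    return table.get(dst_port)


# --- application-layer relay: route by the name carried in the request ------

def http_host(request: bytes):
    """Host header value (without :port) from an HTTP request, or None when it
    is absent, as with HTTP/1.0-era browsers. IPv6 literals are not handled."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().split(b":")[0].decode("ascii").lower()
    return None


def smtp_rcpt_domain(command: bytes):
    """Domain part of an SMTP 'RCPT TO:<user@domain>' command, or None."""
    cmd = command.strip()
    if not cmd.upper().startswith(b"RCPT TO:"):
        return None
    addr = cmd[len(b"RCPT TO:"):].strip().strip(b"<>")
    _, at, domain = addr.rpartition(b"@")
    return domain.decode("ascii").lower() if at else None


def relay_target(name, dynamic_dns, internal_port: int):
    """Resolve a subscriber name through the (DDNS-updated) zone to
    (private address, port). Unknown or missing names are not forwarded."""
    if name is None or name not in dynamic_dns:
        return None
    return (dynamic_dns[name], internal_port)


if __name__ == "__main__":
    zone = {"sub1234.example.net": "10.0.3.7"}   # constructed DDNS zone
    table = build_nat_table(["10.0.3.7", "10.0.3.8"])
    print("devices per address with 4 protocols:", max_devices_per_address())
    print("ext port 10006 ->", nat_forward(table, 10006))
    req = b"GET / HTTP/1.1\r\nHost: sub1234.example.net\r\n\r\n"
    print("HTTP by name ->", relay_target(http_host(req), zone, 80))
    print("SMTP by name ->", relay_target(
        smtp_rcpt_domain(b"RCPT TO:<bob@sub1234.example.net>"), zone, 25))
```

Two things the numbers make concrete: with four protocols per device, one public address holds 13,883 devices, so the 15,000-subscriber figure in the thread does not fit on a single address unless you drop to one protocol per device; and the NAT path never sees a name at all, while the relay path fails closed for an HTTP/1.0 request without a Host header or an SMTP recipient whose domain the zone does not know.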


