Combining DNS and NATD

Jim Roberts punster at
Wed Dec 8 14:16:42 UTC 2004

> From: bob prohaska <bp at>
> Subject: Combining DNS and NATD
> Date: Tue, 7 Dec 2004 02:52:19 +0000 (UTC)
> Keywords:  DNS NATD domain
> Is it possible to use a combined DNS/NATD machine to provide
> Internet access to hosts with registered names but no routeable
> IP numbers?
> The simplest situation would be a single, static IP host which
> serves as gateway to a 192.168.1.x network and also a nameserver
> for a domain. The nameserver would know the private address associated
> with each name, but would have to reply to queries with its own
> address, and some sort of "tag" which would be returned in subsequent
> traffic so it could properly recognize which host on the private
> network is the intended destination.
> Obviously, if the destination hostname is contained in the packet
> the problem is easy, but to my understanding that's not the usual
> case. Is there some other mechanism?
> Apologies if this is naive, I've poked around in Google and found
> nothing....probably for want of appropriate keywords.
> Thanks for reading!
> bob prohaska


NAT is fine for providing internet *access* for hosts on the internal 
network.  (That is, to let internal hosts send outbound connections, as 
another poster has mentioned - this lets internal hosts "see" the internet, 
though the internet can't exactly "see" them.  To the outside world, it 
appears all the traffic is coming from the single static IP).  Unless some 
of those hosts are providing *services* (such as a web server, for example); 
that's really the only case of inbound connections you want getting to 
internal hosts anyway.  And such services are generally on known *ports*. 
So, use IP Port Forwarding to handle those exceptional cases.  (e.g. if a 
connection request comes in on port 80, forward it to port 80 on the 
appropriate internal host. - repeat for all *services* provided by internal 

This will NOT work if you want to have more than one host handling a given 
service, however.  Thus, your internal network would need to be arranged by 
service, rather than by domain, if you see what I mean.  Put another way, 
you could not have a webserver on more than one machine, done this way.

I hope this answers the question.  If I read correctly, it may not.  It 
sounds like you want to make each internal host correspond to a particular 
"external" DNS hostname, so that, for example, all traffic destined for 
"hostA.example1.tld" (on all ports) gets forwarded to "hostA1.internal," and 
all traffic for "hostB.example2.tld" goes to "hostB2.internal," and so 
forth.  I don't know of any way to do that.

If you figure it out, let us all know, so we can bag the whole IPV6 thing! 

Jim Roberts
Punster Productions, Inc.
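As an added illustration of the port-forwarding approach described in the reply above (example code written for this page, not from the original thread or from natd itself): a small Python model of a natd-style `redirect_port` table that resolves inbound connections by destination port alone and refuses a ruleset mapping one external port to two internal hosts, which is exactly why one service cannot be spread across several machines this way. The rule syntax is an assumed, simplified form of natd's `redirect_port` line, and the addresses are constructed.

```python
"""Inbound port forwarding on a NAT gateway, modelled on FreeBSD natd
``redirect_port`` rules (constructed example, simplified syntax)."""
import re

# Assumed simplified syntax: redirect_port <tcp|udp> <host>:<port> <ext_port>
RULE_RE = re.compile(
    r"^redirect_port\s+(tcp|udp)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\d+)$")


def parse_rules(text):
    """Return {(proto, ext_port): (host, port)} or raise ValueError.

    A gateway sees only the destination port of an inbound packet, never a
    hostname, so one external port can lead to one internal host only.
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised rule {raw!r}")
        proto, host, port, ext_port = m.groups()
        key = (proto, int(ext_port))
        if key in table:
            raise ValueError(f"line {lineno}: {proto}/{ext_port} already "
                             f"forwarded to {table[key][0]}:{table[key][1]}")
        table[key] = (host, int(port))
    return table


def route_inbound(table, proto, dst_port):
    """(host, port) for an inbound connection, or None when no rule matches
    (the packet stays at the gateway; no internal host is exposed)."""
    return table.get((proto, dst_port))


def rejected(text):
    """True when parse_rules refuses the ruleset."""
    try:
        parse_rules(text)
    except ValueError:
        return True
    return False


# Constructed ruleset: web server on 192.168.1.10, mail on 192.168.1.20.
SAMPLE_RULES = """\
redirect_port tcp 192.168.1.10:80 80   # hostA
redirect_port tcp 192.168.1.10:443 443
redirect_port tcp 192.168.1.20:25 25   # hostB
"""
# A second web server on port 80 cannot be expressed; the ruleset is refused.
CONFLICT_RULES = SAMPLE_RULES + "redirect_port tcp 192.168.1.30:80 80\n"
```

Only the ports listed in the table reach an internal host; everything else stays at the gateway, so the ruleset doubles as the inventory of what is exposed.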
