Mark_Andrews at isc.org
Sun Nov 27 22:01:54 UTC 2005
> Greetings all,
> I have run into an interesting situation for which no solution plainly
> presents itself.
> In the interest of security I am using NAT to wall off my hosts; any
> host that needs incoming connections receives openings in the firewall on
> a port-by-port basis. My router will not allow the same packet to be
> NATed twice. That is, any packet from internal destined for an address
> that is being forwarded to an internal host gets NATed once going out,
> then would be NATed again on its way back in. The router sees this and
> drops the packet. I have always thought the solution was to use the DNS
> server to always give the internal address of a host if the query
> originated from internal and to always give the external IP if the query
> originated from a non-internal address. I see how to use address
> sorting to prefer the internal addresses from internal hosts. What I
> have yet to figure out is how to make 100% sure that no internal
> addresses are returned if the query comes from a non-internal address.
> No email this long would be complete without pseudocode!
> In essence this is what I am shooting for:
> If query is from internal then prefer internal address.
> If query is not from internal then prefer external addresses.
> Thanks in advance,
Solution 1: Replace the NAT with a stateful firewall and
get enough address space to serve your needs. The NAT just
adds packet mangling and that is where your problem is.
Solution 2: maintain internal versions of your public zones
(with or without views) which have the internal addresses rather
than the public addresses.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
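Solution 2 in concrete form, as an added example that is not from the original thread: a BIND named.conf using views, where the internal view serves a zone file carrying private addresses and the external view serves a zone file that contains only the public addresses. example.com, 10.0.0.0/8, 192.168.0.0/16 and 192.0.2.0/24 are placeholder names and ranges assumed here.

```conf
// named.conf (view-based split DNS; constructed example, not from the thread)
// Views are matched in order, so the internal view MUST be listed first:
// a later "any" view would otherwise never be reached by internal clients.
acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;            // only our own hosts may recurse through us
    zone "example.com" {
        type master;
        file "zones/internal/example.com.zone";
    };
};

view "external" {
    match-clients { any; };   // everything that did not match above
    recursion no;             // never act as an open resolver to the world
    zone "example.com" {
        type master;
        file "zones/external/example.com.zone";
    };
};

// zones/internal/example.com.zone -- served only to internal-nets
//   www   IN A 10.0.0.10       ; private address, no NAT hairpin needed
//   mail  IN A 10.0.0.25
//
// zones/external/example.com.zone -- served to everyone else
//   www   IN A 192.0.2.10      ; public address on the NAT device
//   mail  IN A 192.0.2.10
//
// The external file simply contains no private addresses, so nothing can
// leak regardless of address sorting. Check both answers after a reload:
//   dig @<server> www.example.com A   (once from inside, once from outside)
```

Without views, the same split is achieved by running two separate name servers, one reachable only from the internal networks, each loading its own copy of the zone.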