Moving DNS behind NAT

JJ none at
Mon May 15 01:28:20 UTC 2006

If you're talking about your internal hosts that use those servers to 
resolve names, it's good practice for them to use the internal IP addresses.

Note that moving them behind a stateful firewall can cause some issues for 
internal hosts because of round-robin DNS systems on the Internet. Consider 

1. Internal server queries an Internet round-robin server on IP address "A" 
for a name. The round-robin system causes the server on address "B" to 

2. The stateful firewall knows it queried "A" and waits patiently for a 
reply from "A" that never comes. It sees the reply from "B" and drops it as 

I don't know how common this is anymore, but it caused us an issue when did it. That's when we found out our ISP had changed the IP 
addresses of the forwarders without telling us. There was an MS article 
about this awhile back as well. The "fix" is to use forwarders that are not 
behind a stateful firewall.


"Daniel Ström" <daniel at> wrote in message 
news:e47m4e$2lsp$1 at
>I have two DNS servers (BIND 9.2.2) that have static public IP:s. I
> now have to move them behind a router but i can still use the same
> static IP:s but i have to use NAT for them. I will change the IP on
> the machines to 192.168.x.x adresses and NAT the public IP:s with the
> firewall to those two adresses/machines/DNS-servers.
> What needs to be changed here? Do i need to change all my A and NS
> records to the internal 192.182.x.x or shouldnt they still be using
> the external IP that is mapped with NAT?
> / Daniel

More information about the bind-users mailing list