Moving DNS behind NAT
none at giganews.com
Mon May 15 01:28:20 UTC 2006
If you're talking about your internal hosts that use those servers to
resolve names, it's good practice for them to use the internal IP addresses.
Note that moving them behind a stateful firewall can cause some issues for
internal hosts because of round-robin DNS systems on the Internet. Consider:
1. Internal server queries an Internet round-robin server on IP address "A"
for a name. The round-robin system causes the server on address "B" to
2. The stateful firewall knows it queried "A" and waits patiently for a
reply from "A" that never comes. It sees the reply from "B" and drops it as
I don't know how common this is anymore, but it caused us an issue when
www.schwab.com did it. That's when we found out our ISP had changed the IP
addresses of the forwarders without telling us. There was an MS article
about this awhile back as well. The "fix" is to use forwarders that are not
behind a stateful firewall.
"Daniel Ström" <daniel at shift.se> wrote in message
news:e47m4e$2lsp$1 at sf1.isc.org...
> I have two DNS servers (BIND 9.2.2) that have static public IPs. I
> now have to move them behind a router but I can still use the same
> static IPs but I have to use NAT for them. I will change the IP on
> the machines to 192.168.x.x addresses and NAT the public IPs with the
> firewall to those two addresses/machines/DNS servers.
> What needs to be changed here? Do I need to change all my A and NS
> records to the internal 192.182.x.x or shouldn't they still be using
> the external IP that is mapped with NAT?
> / Daniel
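The round-robin failure described in the reply, as an added example that is not part of the thread: a toy model of UDP connection tracking in a stateful firewall, with constructed internal and forwarder addresses (192.168.1.10, 198.51.100.1 and 198.51.100.2 are placeholders), showing why a reply from a forwarder other than the one queried is dropped, and how an operator can count such drops per expected source to spot the problem.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"

class StatefulFirewall:
    """Minimal model of UDP state tracking: an outbound packet creates an
    entry keyed by its 5-tuple; an inbound packet passes only if it matches
    the reversed tuple of an existing entry. Anything else is dropped."""
    def __init__(self):
        self.table = set()
        self.dropped = []

    def outbound(self, pkt):
        self.table.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound(self, pkt):
        # Reverse the tuple: the reply's source must be the host we queried.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.table:
            return True
        self.dropped.append(pkt)
        return False

def simulate(queried_forwarder, replying_forwarder, resolver_ip="192.168.1.10"):
    """Internal resolver queries queried_forwarder:53; the answer comes back
    from replying_forwarder:53. Returns (accepted, dropped_packets)."""
    fw = StatefulFirewall()
    fw.outbound(Packet(resolver_ip, 40000, queried_forwarder, 53))
    reply = Packet(replying_forwarder, 53, resolver_ip, 40000)
    return fw.inbound(reply), fw.dropped

def unexpected_reply_sources(dropped):
    """Operator-side check: count dropped port-53 replies by source address.
    A forwarder IP that never appears in the state table but keeps showing up
    here points at the round-robin / changed-forwarder situation."""
    return Counter(p.src_ip for p in dropped if p.src_port == 53)

if __name__ == "__main__":
    ok, _ = simulate("198.51.100.1", "198.51.100.1")
    bad, drops = simulate("198.51.100.1", "198.51.100.2")
    print("same-host reply accepted:", ok)          # True
    print("other-host reply accepted:", bad)        # False
    print("drops by source:", unexpected_reply_sources(drops))
```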