Adding DNS ALG support to Bind?

Grant Taylor gtaylor at
Thu Nov 5 02:09:21 UTC 2015

On 11/04/2015 08:45 AM, Bill wrote:
> You are correct, but in the use case I am looking at there is no Internet 
> connection.

I think "other network(s)" can substitute "Internet" in this context.

> What I am trying to do is to be able to connect to s specific device, say a 
> 'supervisor' by name.  I don't know the IP, and their IP may change, or the 
> supervisor might be a service that isn't always provided by the same device.  
> The IP will change and the DNS will be updated updated as needed

It sounds like you want to connect to the ""device that is currently
hosting a role with the role holding device being dynamic on top of
dynamic IPs.  Correct?

I'm going to assume that you have TTL taken into account.

> I don't want the device/user accessing the 'supervisor' to know the IP 
> address, other than the gateway IP, I don't want them to be able to save an 
> old IP.  Also, I don't what anyone watching the network (it is wireless) to 
> be able to see anything other than gateway addresses.

Outside the NAT, everything will probably look like it's coming from the
NAT's single external IP.

Inside the NAT, you will see traffic to / from the ""supervising device
and from / to an IP outside of the WLAN.  -  So, clever people can
deduce what the surpevising device is from that.

Or were you doing to do something (SNAT?) to hide the external IP?

> Basically, the device/user accessing the 'supervisor' should result in traffic 
> thru the gateway/NAT that looks as if the superviser initiated it, ie the 
> supervisor has been natted, and the reply IP is the gateway.

I think I can guess what you mean, but I suspect that different network
people will interpret that statement differently.  Especially when
considering external access into a NATed device.

> Not sure if I am going about this the right way, but that is my idea.  I 
> appreciate the comments I am receiving here, thanks.

I'm going to assume that we are discussing HTTP traffic for the time being.

I would run an HTTP reverse proxy that accepts the connection on the
outside of the NAT that would then proxy the traffic to the internal
""supervisor host name.

DNS would resolve the internal ""supervisor host name to what ever
device currently has the role and it's associated IP.

The reverse proxy would then initiate traffic from it's internal IP to
the proper supervising device.  Thus the traffic would appear to be sent
and received from addresses local to the network.

I also have questions about the traffic from the other non-supervisory
role devices.  ...  However, we are getting FAR removed from DNS.

Grant. . . .
unix || die

More information about the bind-users mailing list