Adding DNS ALG support to Bind?

Mark Andrews marka at isc.org
Thu Nov 5 22:44:44 UTC 2015


In message <201511051124.03206.boober95 at rogers.com>, Bill writes:
> Yes, to do a full implementation usable in an enterprise you are correct,
> but what I am looking for is a small demo with only 10 machines or so.  I
> believe your comment about IPv5 is correct too, but I am limited for this
> trial.
> 
> /bill

Then find a (home) router with NAT and the ability to send dynamic
updates and configure it as described below.  They exist and can
be purchased for less than USD100 and usually less than USD50.  You
may want to add a "_dns-update._udp.example.net SRV" record pointing
to the nameservers as someone convinced the router vendor(s) that
this is how you do it rather than that being an override to the
default of just sending to the nameservers for the record to be
updated.

The nameserver being updated can be inside the network.

If you don't want to buy a router you can use a Linux or BSD box
and configure the DHCP client to update the nameserver on renumbering.

I did that for many years with FreeBSD with two ethernet cards,
running named and ISC's dhcp client using the dhcp client hooks.

Mark

> On Wednesday 04 November 2015 15:30, Mark Andrews wrote:
> > If you want this sort of behaviour you are going to have to pay
> > someone someone lots of money to add this sort of functionality to
> > a nameserver and then pay them more money to maintain it.  This
> > sort of thing does not exist in normal nameservers.
> >
> > Nameservers don't normally do other things on DNS lookups.
> >
> > Normally what one does is configure port forwarding in the NAT /
> > open a hole in the firewall.  Some NATs can update the DNS when
> > their external address changes other wise you need a NAT that
> > modifies DNS payloads and that is problematical in lots of ways.
> >
> > NATs really are not something anyone sane wants in their network.
> > Anyone who says they do really doesn't understand IP security. They
> > are a necessary evil with IPv4 as we long ago ran out of addresses
> > to number every device uniquely.
> >
> > Mark
> >
> > In message <201511041050.51346.boober95 at rogers.com>, Bill writes:
> > > See my last posting on what I am trying to achieve, I think in the
> > > interest of brevity I may have overly simplified my goal.
> > >
> > > What I want is for the DNS query to automatically configure the NAT to
> > > permit the outside connection.  In other words it should, after the DNS
> > > query, look as if the named device had initiated the connection from
> > > inside that NAT.  My last post explains the use case a bit better, I hope.
> > >
> > > /bill
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
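The "DHCP client hooks update the nameserver on renumbering" approach described in the reply above, as an added example that is not ISC's own hook script: the logic a dhclient exit hook would run, sending an RFC 2136 dynamic update through nsupdate only when the lease reason and a changed address warrant it. The zone, host, nameserver and TSIG key file names are assumptions; restrict the key on the named side with an update-policy so it can only touch that one name.

```shell
#!/bin/sh
# Added example (not ISC's dhclient-script): dhclient exit-hook logic that
# pushes a new external address into the zone via nsupdate on renumbering.
# Assumed names: zone example.net, host gw.example.net, nameserver
# ns1.example.net, TSIG key in /etc/dhcp/ddns.key.

ZONE="example.net"
HOST="gw.example.net"
NS="ns1.example.net"
KEYFILE="/etc/dhcp/ddns.key"
TTL=300

# Print the nsupdate transaction for a given address. Kept side-effect free
# so it can be inspected or tested without a nameserver.
build_update() {
    addr="$1"
    printf 'server %s\n' "$NS"
    printf 'zone %s\n' "$ZONE"
    printf 'update delete %s. A\n' "$HOST"
    printf 'update add %s. %s A %s\n' "$HOST" "$TTL" "$addr"
    printf 'send\n'
}

# Decide from the dhclient reason and old/new addresses whether an update
# is needed. Returns 0 (send) only for a lease event with a changed address,
# so RELEASE/EXPIRE and same-address renewals never generate DNS traffic.
needs_update() {
    reason="$1"; old="$2"; new="$3"
    case "$reason" in
        BOUND|RENEW|REBIND|REBOOT) ;;
        *) return 1 ;;
    esac
    [ -n "$new" ] || return 1
    [ "$old" != "$new" ]
}

# Entry point for /etc/dhclient-exit-hooks: dhclient exports $reason,
# $old_ip_address and $new_ip_address into the hook's environment.
run_hook() {
    if needs_update "$reason" "$old_ip_address" "$new_ip_address"; then
        # -k signs the update with the TSIG key; named's update-policy
        # should grant that key rights to $HOST only.
        build_update "$new_ip_address" | nsupdate -k "$KEYFILE"
    fi
}
```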

