Hidden IP?


Jon Glazer

I have a machine with 2 nics in it. One nic is external (ie, has an
internet accessible IP address) and one is local (connected to my local
net).

What is the best way to configure the DNS in this box such that all the
computers that are local (on our network) hit it using the local
192.168.0.whatever IP address and when outside the network (on the internet)
use the other IP but both are named the same (ie, mymachine.mydomain.com).

I know I can create 2 A records but this seems to broadcast the 192.168 IP
on the internet which is not really what I want.

Any ideas?

Thanks!
Jon
 
Jon Glazer said:
I have a machine with 2 nics in it. One nic is external (ie, has an
internet accessible IP address) and one is local (connected to my
local net).

What is the best way to configure the DNS in this box such that all
the computers that are local (on our network) hit it using the local
192.168.0.whatever IP address and when outside the network (on the
internet) use the other IP but both are named the same (ie,
mymachine.mydomain.com).
I know I can create 2 A records but this seems to broadcast the
192.168 IP on the internet which is not really what I want.

Any ideas?

Thanks!
Jon

Unfortunately, if you want to host your domain name on the Internet, which
means hosting public IPs, a separate DNS server is required, one for the
internal, and one for the external. Public and private data cannot coexist
on the same server.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Jon Glazer said:
I have a machine with 2 nics in it. One nic is external
(ie, has an internet accessible IP address) and one is
local (connected to my local net).

What is the best way to configure the DNS in this box
such that all the computers that are local (on our
network) hit it using the local 192.168.0.whatever IP
address and when outside the network (on the internet)
use the other IP but both are named the same (ie,
mymachine.mydomain.com).

I know I can create 2 A records but this seems to
broadcast the 192.168 IP on the internet which is not
really what I want.

There is _no_ reliable way to do this on one MS DNS server. You will need
two DNS servers to accomplish this. Set one up as a public DNS publishing
only records with public IPs and one internal DNS publishing only private
IPs.
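As an added illustration of the two-server split recommended in the replies above (this is not code from the thread), the script below takes one constructed record list for mydomain.com, flags the 192.168.x addresses that would leak if that list were published on the public server, and derives the separate internal and external record sets. All names and addresses are placeholders.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample zone data: the dual-NIC host has both a public and a
# 192.168.0.x address under the same name, which is exactly the situation
# the original post describes. 203.0.113.0/24 stands in for real public space.
RECORDS = """
; zone mydomain.com (constructed example)
mymachine.mydomain.com.   3600 IN A  203.0.113.10
mymachine.mydomain.com.   3600 IN A  192.168.0.25
www.mydomain.com.         3600 IN A  203.0.113.20
fileserver.mydomain.com.  3600 IN A  192.168.0.40
mydomain.com.             3600 IN MX 10 mail.mydomain.com.
mail.mydomain.com.        3600 IN A  203.0.113.30
"""

# RFC 1918 space plus loopback and link-local: none of it belongs in a public zone.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def parse_a_records(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner, address) pairs for A records; comments and other types are skipped."""
    out = []
    for raw in zone_text.splitlines():
        parts = raw.split(";", 1)[0].split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "A":
            out.append((parts[0], parts[4]))
    return out

def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def audit_public_zone(zone_text: str) -> List[Tuple[str, str]]:
    """Detection: A records that would expose private addresses if this zone were public."""
    return [(n, a) for n, a in parse_a_records(zone_text) if is_private(a)]

def split_horizon(zone_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Build the two record sets: external gets only public IPs; internal gets the LAN
    address wherever one exists and falls back to the public address otherwise."""
    records = parse_a_records(zone_text)
    has_private = {n for n, a in records if is_private(a)}
    external = [(n, a) for n, a in records if not is_private(a)]
    internal = [(n, a) for n, a in records if is_private(a) or n not in has_private]
    return {"internal": internal, "external": external}

if __name__ == "__main__":
    print("would leak:", audit_public_zone(RECORDS))
    for view, recs in split_horizon(RECORDS).items():
        print(view, recs)
```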
 
Someone should also mention that this is a HUGE hole in your security and
should not be done. Put it on the outside of your router/ firewall and
always hit it as an external address, or put it on the inside and use a
static NAT to allow access on specific ports from the Internet.

Even the cheapo DSL routers/ firewalls at Best Buy can do static NAT.
Consider that as your best option.

Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services
 
I'd say the public interface should have "register this connection in dns"
disabled along with netbios over tcp/ip disabled. Your internal users have
no need of the external address. The next question is what is the function
of the external NIC?

Lee
 
I fail to grasp the "HUGE security hole" aspect of this configuration from
DNS perspective. Considering that he made no mention of this computer's
functions, why do you think it creates a hole?

--


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 
Lee said:
I'd say the public interface should have "register this connection in
dns" disabled along with netbios over tcp/ip disabled. Your internal
users have no need of the external address. The next question is
what is the function of the external NIC?

Lee

If a server is a DNS server, it doesn't matter if you unselect that checkbox
to not register. It will still register to identify itself within DNS as a
DNS server. To stop a DNS server from registering itself requires a registry
change.

Ace
 
Ryan Hanisco said:
Someone should also mention that this is a HUGE hole in your security
and should not be done. Put it on the outside of your router/
firewall and always hit it as an external address, or put it on the
inside and use a static NAT to allow access on specific ports from
the Internet.

Even the cheapo DSL routers/ firewalls at best buy can do static NAT.
Consider that as your best option.

Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

But as was mentioned, either way it's done, it still requires a separate DNS
server for public data, preferably a standalone machine with extraneous
services shut off. Keep in mind, the registrars require two name servers to
be registered per domain, so in this case, NAT cannot handle more than one
IP per port (other than some devices, such as ISA or PIX, which can handle
multiple internal HTTP servers by host header). But that doesn't
count for DNS.

Ace
 
Deji Akomolafe said:
I fail to grasp the "HUGE security hole" aspect of this configuration
from DNS perspective. Considering that he made no mention of this
computer's functions, why do you think it creates a hole?

I agree. I don't see a security issue here.

Ace
 