Public dns behind firewall with NAT

Thread starter: will brook

Hi

I am installing a primary and secondary dns server for
public requests for various domain names that we host. We
currently have a setup working, where the external IP
addresses of the dns servers are assigned to the machines
with no NAT.

However I now have a DMZ in place with two external
addresses:

217.116.192.18
217.116.192.19

these are then statically mapped to two internal addresses:

10.10.1.18
10.10.1.19

When I test dns on this setup I can't get it to work. Is
it possible to have dns servers using NAT addresses, or do
I have to assign them their real IP addresses? Can someone
please tell me how to resolve this issue?

Thanks

Will Brook
 

NAT works, though I'm of the opinion that you shouldn't use it for
Public DNS anyway. Obvious checks would be tracert, ping, etc. Plus
the ports being NAT'd.

Jeff
 
That should work. Before making a change at your registrar to update the
NSs for the domain, check your nat and dns by making directed queries to
those IPs using dig or nslookup (i.e. dig @217.116.192.18 www.somedomain.com a).
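As an added example (not from this thread), the directed-query check suggested above written as a small script: it sends a type-A query straight to each public address on UDP/53 and reports whether an answer comes back, so a timeout from outside the firewall points at the NAT or port-53 forwarding rule rather than at the zone data. The addresses and www.somedomain.com are the ones from the thread; the script builds and parses the DNS wire message itself, so it needs only the Python standard library.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal recursion-desired DNS query for `name` (type A by default)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)   # class IN

def parse_answers(data, txid=0x1234):
    """Return (rcode, [A records]) from a raw DNS response wire message."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")

    def skip_name(p):                # step over labels or a compression pointer
        while data[p] != 0 and data[p] & 0xC0 != 0xC0:
            p += 1 + data[p]
        return p + (2 if data[p] & 0xC0 == 0xC0 else 1)

    pos = 12
    for _ in range(qd):              # skip the echoed question section
        pos = skip_name(pos) + 4
    addrs = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, addrs     # rcode 0 = NOERROR, 3 = NXDOMAIN

def probe(server_ip, name, timeout=3.0):
    """Directed UDP query to one server; None means no reply within the timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_answers(data)

if __name__ == "__main__":
    for ip in ("217.116.192.18", "217.116.192.19"):   # public addresses from the thread
        print(ip, probe(ip, "www.somedomain.com"))
```

Run it once from inside the DMZ and once from a host outside the firewall; a reply inside but a timeout outside means UDP 53 (and TCP 53 for zone transfers and large responses) is not being forwarded to the internal addresses.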
 
I'm confident that the firewall configuration does work
because we've managed a domain transfer to an external
source. However the dns server doesn't accept nslookup
queries which are done outside of the firewall.

What I'm struggling to get my head round is if I've got a
local IP address which is NAT'd, do I then have to add
that address as a nameserver on each domain I create?
Surely if that IP address doesn't really exist I shouldn't
add it as a nameserver.

But if I then try removing that local (NAT'd) IP address
from the nameserver list of that domain I can't run
nslookup locally. Have you any suggestions?
 