[Dshield] OT dynamic IP

Al Reust areust at comcast.net
Wed Mar 24 03:00:38 GMT 2004


Hello Alan et al

I looked at this and started thinking even more. How far can you expand a 
"broadband connection" and how mad would they be if you did? And you got 
caught?

There are many things that "you" can do, it only takes your time to figure 
it out. While I know that you understand, others will see things they may 
not have seen before. See comments below.

At 09:45 AM 3/23/2004 -0500, you wrote:
>On Mon, 2004-03-22 at 20:12, Al Reust wrote:
>
>
> > The one that I purchased is by RhinoSoft, DNS4me
> >
> > http://www.dns4me.com/
> >
> > It has been running for over a year now with no problems.
> >
> > For those that do not know what the client program does, it does a trace back to the
> > server and registers the IP on the exterior of your network (DHCP address
> > on my router). Their service then hosts DNS for the "chosen name/IP." In my
> > case my IIS box is on one Nat'd IP and my FTP server is on another Nat'd IP.
> >
> > Should I desire I could register a domain name and allow them to host the
> > first DNS server. So with the correct Dynamic DNS service you could host
> > your own domain as mentioned above.
>
>
>That's actually an interesting idea, but doesn't it cost you the
>firewall benefits of NATting? I mean, if the DNS record now shows hosts
>in the private side of the router (and this is what you're suggesting,
>right?), can't someone access those hosts by their DNS name? Or does the
>fact that the addresses attached to those DNS names are still unroutable
>addresses leave them protected?

I did not ask to have host/cname records created for www or ftp; however, 
foobar.com resolves to my external IP and the router, through "port 
forwarding," handles the request according to the port. In that case NAT 
works. Yes, my firewall is at the front! My private IP space is still 
"private" other than the "ports" I open. No, hostnames are not exposed.

The NetGear router has port forwarding for port 21 (and PASV ports) to one 
fixed IP, 192.168.0.6, and port 80 to fixed IP 192.168.0.7. NAT handles the 
translation for those protocol streams, based on foobar.com.

While I do not currently have an MTA running, I have had one running in the 
past. Ports 25 and 110 were forwarded to the correct Nat'd IP. It worked.
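As an added example (not part of the original post), here is a small model of the port-forwarding table just described: it shows where an inbound packet to foobar.com lands, lists exactly which internal hosts and ports the NAT exposes, and flags forwarding rules a defender should question. The PASV port range and the rule layout are assumptions; the post only names ports 21 and 80 and the two 192.168.0.x hosts.

```python
import ipaddress

# Constructed to match the post: port 21 plus a PASV range to 192.168.0.6, port 80 to
# 192.168.0.7. The PASV range 50000-50010 is an assumed placeholder (the post gives none).
# Each rule: (proto, external lo, external hi, internal host, internal port for lo).
FORWARDS = [
    ("tcp", 21, 21, "192.168.0.6", 21),
    ("tcp", 50000, 50010, "192.168.0.6", 50000),
    ("tcp", 80, 80, "192.168.0.7", 80),
]

def route(port, proto="tcp", table=FORWARDS):
    """Where an inbound packet to foobar.com:port lands, or None when the router drops it."""
    for rproto, lo, hi, host, int_lo in table:
        if rproto == proto and lo <= port <= hi:
            return host, int_lo + (port - lo)
    return None

def exposed_surface(table=FORWARDS):
    """Internal host -> sorted external ports reachable through NAT (the real exposure)."""
    surface = {}
    for _, lo, hi, host, _ in table:
        surface.setdefault(host, set()).update(range(lo, hi + 1))
    return {h: sorted(p) for h, p in surface.items()}

def audit(table=FORWARDS):
    """Findings a defender wants: forwards to non-RFC1918 targets and conflicting rules."""
    findings, owner = [], {}
    for proto, lo, hi, host, _ in table:
        if not ipaddress.ip_address(host).is_private:
            findings.append(f"{proto}/{lo}-{hi} forwards to non-private host {host}")
        for p in range(lo, hi + 1):
            if owner.get((proto, p), host) != host:
                findings.append(f"{proto}/{p} forwarded to both {owner[(proto, p)]} and {host}")
            owner[(proto, p)] = host
    return findings

if __name__ == "__main__":
    print(route(80), route(21), route(50003), route(25))
    print(exposed_surface())
    # Constructed bad rules: a duplicate port 80 and a forward to a made-up public address.
    bad = FORWARDS + [("tcp", 80, 80, "192.168.0.6", 8080), ("tcp", 443, 443, "1.2.3.4", 443)]
    print(audit(bad))
```

Port 25 returns None because nothing forwards it, which is the post's point: only the forwarded ports exist from the outside, not the host names.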


>I had wondered how I might apply proper host names to PCs in my private
>network when the domain name, web server, and e-mail server I use is
>hosted outside the network.

I have to think about this; this is an interesting puzzle. Most cheap 
routers (NAT) cannot handle resolving and/or connections to specific 
hostnames. The cheat in the past (internal/external) was either LMHosts or 
the Hosts file in the OS (internal). This provided the "correct" 
IP/hostname to look for before DNS queries would occur; it also covered 
other weaknesses that M$ did not "address". This still does not solve 
hostname DNS specific issues; NAT cannot address those issues.

If you had a low end Cisco router and a fixed IP it could be done. You 
could then possibly "combine" (for lack of a better word at the moment) DNS 
records, but then you would have to have the co-operation of those that 
hold the primary DNS. This is not zone transfers, but request forwarding 
for DNS lookup. The Dynamic DNS service would host the primary record 
(foobar.com) and forward lookup requests to the fixed IP 
(machine1.foobar.com). That would be passed to your internal DNS to resolve 
the host name and reverse lookups.

No, it cannot be a Nat'd router.

"DHCP/Nat" was not designed to handle translating and returning those 
lookups. You can get away with some things (port based) and not others. 
You cannot get away with it on a cheap router.

More:
So when my Linksys died and their support was no support (offshore), and 
because the wife telecommutes and said she had to be online NOW!, I stopped 
by Best Buy, found an open NetGear box that said "firewall" and got $40.00 
worth of rebates.. For a total cost of about $19.95. No, it will not allow 
me to resolve host names. It will allow me to resolve one specific 
service/port to a specific Nat'd IP. It will allow me to block ports that 
I do not want on my private network. No, I cannot host my secondary DNS 
server inside NAT.

While I have considered moving my personal domain "in house," I could do 
that. I ask myself why should I do that?

My current cost of hosting is about $15.00 annually (web, email and ftp), I 
have to think of the amount of time that would be required to check 
everything.

Currently:
   They fight the Viruses..
   They update the IIS box.
   They have a Big Pipe..
   I can go on vacation.
   I can touch my email from any Internet connection.

I can then play with the other things that I need to understand or 
play with on a per port basis.

My home/office area is consumed with 9 computers and a Mac.. My insurance 
company hates me and charges, my utility company loves me and charges.. The 
IRS loves me and still takes my money anyway.

I think that is the bottom line. I could do the web, email and ftp, but 
then I would have no test/play area.. Not without more expense. Why would I 
want to take on another 100+ hours a year that I would not be paid 
for? That is for "you" to decide why to move... The only answer is because 
"you" can..

>Alan Frayer, CNE, CNI, CIW CI, MCP, Net+ - afrayer at frayernet.com


R/

Al