[Dshield] OT dynamic IP
areust at comcast.net
Wed Mar 24 03:00:38 GMT 2004
Hello Alan et al
I looked at this and started thinking even more. How far can you expand a
"broadband connection" and how mad would they be if you did? And You got
There are many things that "you" can do, it only takes your time to figure
it out. While I know that you understand, others will see things they may
not have seen before. See comments below.
At 09:45 AM 3/23/2004 -0500, you wrote:
>On Mon, 2004-03-22 at 20:12, Al Reust wrote:
> > The one that I purchased is by RhinoSoft, DNS4me
> > http://www.dns4me.com/
> > It has been running for over a year now with no problems.
> > For those that do not know what the client program does, it does a trace back to the
> > server and registers the IP on the exterior of your network (DHCP address
> > on my router). Their service then hosts DNS for the "chosen name/IP." In my
> > case my IIS box is one Nat'd IP and my FTP server is on another Nat'd IP.
> > Should I desire I could register a domain name and allow them to host the
> > first DNS server. So with the correct Dynamic DNS service you could host
> > your own domain as mentioned above.
>That's actually an interesting idea, but doesn't it cost you the
>firewall benefits of NATting? I mean, if the DNS record now shows hosts
>in the private side of the router (and this is what you're suggesting,
>right?), can't someone access those hosts by their DNS name? Or does the
>fact that the addresses attached to those DNS names are still unroutable
>addresses leave them protected?
I did not ask to have host/cname records created for www or ftp however
foobar.com resolves to my external IP and the router through "port
forwarding" handles the request according to the port. In that case NAT
works. Yes my Firewall is at the front! My private IP space is still
"private" other than the "ports" I open. No, hostnames are not exposed.
The NetGear Router has port forwarding for port 21 (and PASV ports) to one
fixed IP 192.168.0.6 and port 80 to fixed IP 192.168.0.7. NAT handles the
translation for those protocol streams. Based on foobar.com
While I do not currently have an MTA running, I have in the past had one
running. Port 25 and 110 were forwarded to the correct Nat'd
IP. It worked.
>I had wondered how I might apply proper host names to PCs in my private
>network when the domain name, web server, and e-mail server I use is
>hosted outside the network.
I have to think about this, this is an interesting puzzle. Most cheap
routers (NAT) can not handle resolving and/or connections to specific
hostnames. The cheat in the past (internal/external) was either LMHosts or
the Host files in the OS (internal). This provided the "correct"
IP/hostname to look for before DNS queries would occur, it also covered
other weaknesses that M$ did not "address". This still does not solve
hostname DNS specific issues, NAT can not address those issues.
If you had a low end Cisco router and a fixed IP it could be done. You
could then possibly "combine" (for lack of a better word at the moment) DNS
records, but then you would have to have the co-operation of those that
hold the primary DNS. This is not zone transfers, but request forwarding
for DNS lookup. The Dynamic DNS service would host the primary record
(foobar.com) and forward lookup requests to the fixed IP
(machine1.foobar.com). That would be passed to your internal DNS to resolve
the host name and reverse lookups.
No it can not be a Nat'd router.
"DHCP/Nat" was not designed to handle translating and returning those
lookups. You can get away with a some things (port based) and not others.
You can not get away with it on a cheap router.
So when my Linksys died and their support was no support (offshore), and
because the wife telecommutes and said she had to be Online NOW! I stopped
by Best Buy found an open NetGear box that said "firewall" and got $40.00
worth of rebates.. For a total cost of about $19.95. No, it will not allow
me to resolve host names. It will allow me to resolve one specific
service/port to a specific Nat'd IP. It will allow me to block ports that
I do not want on my private network. No, I can not host my secondary DNS
server inside NAT.
While I have considered moving my personal domain "in house," I could do
that. I ask myself why should I do that?
My current cost of hosting is about $15.00 annually (web, email and ftp), I
have to think of the amount of time that would be required to check
They fight the Viruses..
They update the IIS box.
They have a Big Pipe..
I can go on vacation.
I can touch my email from any Internet connection.
I can then play with the other things that I need to understand or
play with on a per port basis.
My home/office area is consumed with 9 computers and a Mac.. My Insurance
company hates me and Charges, My Utility company Loves me and Charges.. The
IRS Loves me and still takes my money anyway.
I think that is the bottom line. I could do the web, email and ftp, but
then I would have no test/play area.. Not without more expense. Why would I
want to take on another 100+ plus hours a year that I would not be paid
for? That is for "you" to decide why to move... The only answer is because
>Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
>Member: Independent Consultants Association (ICA)
>Consultants - FREE Directory Listing - http://www.ica-assn.org