[Dshield] OT dynamic IP
afrayer at frayernet.com
Wed Mar 24 13:50:02 GMT 2004
Assuming the moderation I received on content type was for HTML in the
content, I'll try this again:
On Tue, 2004-03-23 at 22:00, Al Reust wrote:
> At 09:45 AM 3/23/2004 -0500, you wrote:
> >That's actually an interesting idea, but doesn't it cost you the
> >firewall benefits of NATting? I mean, if the DNS record now shows hosts
> >in the private side of the router (and this is what you're suggesting,
> >right?), can't someone access those hosts by their DNS name? Or does the
> >fact that the addresses attached to those DNS names are still unroutable
> >addresses leave them protected?
> I did not ask to have host/cname records created for www or ftp; however,
> foobar.com resolves to my external IP and the router, through "port
> forwarding", handles the request according to the port. In that case NAT
> works. Yes, my firewall is at the front! My private IP space is still
> "private" other than the "ports" I open. No, hostnames are not exposed.
> The NetGear router has port forwarding for port 21 (and PASV ports) to one
> fixed IP, 192.168.0.6, and port 80 to fixed IP 192.168.0.7. NAT handles the
> translation for those protocol streams, based on foobar.com.
> While I do not currently have an MTA running, I have had one running in
> the past. Port 25 and 110 were forwarded to the correct NAT'd IP. It
> worked.
This starts me thinking...
> >I had wondered how I might apply proper host names to PCs in my private
> >network when the domain name, web server, and e-mail server I use is
> >hosted outside the network.
> I have to think about this, this is an interesting puzzle. Most cheap
> routers (NAT) can not handle resolving and/or connections to specific
> hostnames. The cheat in the past (internal/external) was either LMHosts or
> the Host files in the OS (internal). This provided the "correct"
> IP/hostname to look for before DNS queries would occur, it also covered
> other weaknesses that M$ did not "address". This still does not solve
> hostname DNS specific issues, NAT can not address those issues.
> If you had a low-end Cisco router and a fixed IP it could be done. You
> could then possibly "combine" (for lack of a better word at the moment) DNS
> records, but then you would have to have the co-operation of those that
> hold the primary DNS. This is not zone transfers, but request forwarding
> for DNS lookup. The Dynamic DNS service would host the primary record
> (foobar.com) and forward lookup requests to the fixed IP
> (machine1.foobar.com). That would be passed to your internal DNS to resolve
> the host name and reverse lookups.
> No, it can not be a NAT'd router.
> "DHCP/NAT" was not designed to handle translating and returning those
> lookups. You can get away with some things (port based) and not others.
> You can not get away with it on a cheap router.
Okay, you cannot put a secondary DNS inside your private side, with the
primary public, but couldn't you create a subdomain of, say,
housenet.foobar.com with the primary for THAT being on the inside of the
NAT'd firewall? Then one might name a PC critter.housenet.foobar.com and
only get in trouble with fumble-fingered typing.
Where is the flaw in this? There has to be one, since I'm so good at
missing them! ;-)
Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
Member: Independent Consultants Association (ICA)
Consultants - FREE Directory Listing - http://www.ica-assn.org
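The question the thread keeps circling is what happens if records for hosts on the private side of the NAT end up in the public foobar.com zone, including the proposed housenet.foobar.com delegation. Two things are true regardless of router: an A record with an RFC 1918 address published in a public zone leaks the internal host name and address to anyone who asks (the name is "exposed" even though the address is unroutable), and an NS record whose name server sits on a private address cannot be reached by any resolver on the Internet, so the delegation simply fails from outside. The usual way out is a split horizon: only routable records in the zone the world sees, and the private names in an internal-only zone served inside the firewall. The following is an added example, not code from anyone in this thread; the zone listing is constructed (203.0.113.10 is a documentation address standing in for the router's public IP, ns1.housenet.foobar.com at 192.168.0.2 is an assumed internal name server, and critter comes from the post above). It audits such a zone for exactly those two problems and then splits it into a public and an internal view.

```python
import ipaddress

# Constructed sample data, not from the thread: the public foobar.com zone as
# the proposal would have it. 203.0.113.10 (documentation range) stands in for
# the router's public IP; the 192.168.0.x hosts sit behind NAT. ns1 is assumed.
PUBLIC_ZONE = """\
; name                         type  rdata
foobar.com.                    A     203.0.113.10
www.foobar.com.                A     203.0.113.10
ftp.foobar.com.                A     203.0.113.10
housenet.foobar.com.           NS    ns1.housenet.foobar.com.
ns1.housenet.foobar.com.       A     192.168.0.2
critter.housenet.foobar.com.   A     192.168.0.23
"""

# Address space that no resolver on the public Internet can reach.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "100.64.0.0/10",                                    # RFC 6598 carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this net"
)]


def parse_zone(text):
    """Parse a minimal 'name type rdata' listing; ';' starts a comment."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"unparseable record: {raw!r}")
        name, rtype, rdata = fields
        records.append((name.lower(), rtype.upper(), rdata.lower()))
    return records


def is_routable(addr):
    """True if a resolver on the public Internet could reach this address."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)


def _glue(records):
    return {name: rdata for name, rtype, rdata in records if rtype == "A"}


def audit_public_zone(records):
    """Return (owner, problem) for each record that leaks internal addressing
    or makes a delegation unreachable when served from the public zone."""
    glue = _glue(records)
    findings = []
    for name, rtype, rdata in records:
        if rtype == "A" and not is_routable(rdata):
            findings.append((name, f"publishes private address {rdata}"))
        elif rtype == "NS":
            in_bailiwick = rdata == name or rdata.endswith("." + name)
            target = glue.get(rdata)
            if target is None and in_bailiwick:
                findings.append((name, f"no glue A record for {rdata}"))
            elif target is not None and not is_routable(target):
                findings.append((name, f"delegated to {rdata} at {target}, "
                                       "unreachable from the Internet"))
    return findings


def split_horizon(records):
    """Split one listing into (public, internal): any record that needs a
    private address, and any delegation to a private name server, goes to
    the internal-only zone; everything else may be published."""
    glue = _glue(records)
    public, internal = [], []
    for rec in records:
        name, rtype, rdata = rec
        if rtype == "A":
            (public if is_routable(rdata) else internal).append(rec)
        elif rtype == "NS":
            target = glue.get(rdata)
            (public if target is None or is_routable(target) else internal).append(rec)
        else:
            public.append(rec)
    return public, internal


if __name__ == "__main__":
    recs = parse_zone(PUBLIC_ZONE)
    for owner, problem in audit_public_zone(recs):
        print(f"{owner:32} {problem}")
    pub, internal = split_horizon(recs)
    print("public view:", [r[0] for r in pub])
    print("internal view:", [r[0] for r in internal])
```

Run as a script it flags the housenet delegation, ns1 and critter; the split keeps only the three 203.0.113.10 records in the public zone and moves the rest to a zone that should be served only to the 192.168.0.0/24 side, which is what "the hostnames are not exposed" actually requires.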