[Dshield] OT dynamic IP

Alan Frayer afrayer at frayernet.com
Wed Mar 24 13:50:02 GMT 2004


Assuming the moderation I received on content type was for HTML in the
content, I'll try this again:

On Tue, 2004-03-23 at 22:00, Al Reust wrote:

> At 09:45 AM 3/23/2004 -0500, you wrote:
> >That's actually an interesting idea, but doesn't it cost you the
> >firewall benefits of NATting? I mean, if the DNS record now shows hosts
> >in the private side of the router (and this is what you're suggesting,
> >right?), can't someone access those hosts by their DNS name? Or does the
> >fact that the addresses attached to those DNS names are still unroutable
> >addresses leave them protected?
> 
> I did not ask to have host/cname records created for www or ftp however 
> foobar.com resolves to my external IP and the router through "port 
> forwarding" handles the request according to the port. In that case NAT 
> works. Yes my Firewall is at the front! My private IP space is still 
> "private" other than the "ports" I open. No, hostnames are not exposed.
> 
> The NetGear Router has port forwarding for port 21 (and PASV ports) to one 
> fixed IP 192.168.0.6 and port 80 to fixed IP 192.168.0.7 NAT handles the 
> translation for those protocol streams. Based on foobar.com
> 
> While I do not currently have an MTA running. I have in the past had one 
> running in the past. Port 25 and 110 were forwarded to the correct Nat'd 
> IP. It worked.
This starts me thinking...

> >I had wondered how I might apply proper host names to PCs in my private
> >network when the domain name, web server, and e-mail server I use is
> >hosted outside the network.
> 
> I have to think about this, this is an interesting puzzle. Most cheap 
> routers (NAT) can not handle resolving and/or connections to specific 
> hostnames.  The cheat in the past (internal/external) was either LMHosts or 
> the Host files in the OS (internal). This provided the "correct" 
> IP/hostname to look for before DNS queries would occur, it also covered 
> other weaknesses that M$ did not "address". This still does not solve 
> hostname DNS specific issues, NAT can not address those issues.
> 
> If you had a low end Cisco router and a fixed IP it could be done. You 
> could then possibly "combine" (for lack a better word at the moment) DNS 
> records, but then you would have to have the co-operation of those that 
> hold the primary DNS. This is not zone transfers, but request forwarding 
> for DNS lookup. The Dynamic DNS service would host the primary record 
> (foobar.com) and forward lookup requests to the fixed IP 
> (machine1.foobar.com). That would be passed to your internal DNS to resolve 
> the host name and reverse lookups.
> 
> No it can not be a Nat'd router.
> 
> "DHCP/Nat" was not designed to handle translating and returning those 
> lookups. You can get away with a some things (port based) and not others. 
> You can not get away with it on a cheap router.

Okay, you cannot put a secondary DNS inside your private side, with the
primary public, but couldn't you create a subdomain of, say,
housenet.foobar.com with the primary for THAT being on the inside of the
NAT'd firewall? Then one might name a PC critter.housenet.foobar.com and
only get in trouble with fumble-fingered typing.

Where is the flaw in this? There has to be one, since I'm so good at
missing them! ;-)



________________________________________________________________________

Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com 
Member: Independent Consultants Association (ICA)
Consultants - FREE Directory Listing - http://www.ica-assn.org 
 




More information about the list mailing list