[Dshield] OT dynamic IP

Al Reust areust at comcast.net
Thu Mar 25 06:55:32 GMT 2004


Alan et al

What I understand of your last question is "Can I run my Domain behind the 
NAT router?" The answer is Yes, you can; everything inside will be 
"private" with the exception of services/ports you choose to publicly 
publish. More specifics below; this is all an exercise in 
thought/possibilities. Every now and then we all need one of those, and each 
one of those exercises is a new learning experience. We need to look at 
the possibilities to expand "our" horizons; now someone can always poke 
holes in what we thought was right. We are neither right nor wrong but do 
not have the answer for the moment. Over the years I have had the help of 
others to "require" me to learn with a single question. With the right 
attitude we can learn. How we respond makes the difference.


At 08:50 AM 3/24/2004 -0500, you wrote:
>On Tue, 2004-03-23 at 22:00, Al Reust wrote:
>
> > At 09:45 AM 3/23/2004 -0500, you wrote:
> > >That's actually an interesting idea, but doesn't it cost you the
> > >firewall benefits of NATting? I mean, if the DNS record now shows hosts
> > >in the private side of the router (and this is what you're suggesting,
> > >right?), can't someone access those hosts by their DNS name? Or does the
> > >fact that the addresses attached to those DNS names are still unroutable
> > >addresses leave them protected?
> >
> > I did not ask to have host/cname records created for www or ftp however
> > foobar.com resolves to my external IP and the router through "port
> > forwarding" handles the request according to the port. In that case NAT
> > works. Yes my Firewall is at the front! My private IP space is still
> > "private" other than the "ports" I open. No, hostnames are not exposed.
> >
> > The NetGear Router has port forwarding for port 21 (and PASV ports) to one
> > fixed IP 192.168.0.6 and port 80 to fixed IP 192.168.0.7 NAT handles the
> > translation for those protocol streams. Based on foobar.com
> >
> > While I do not currently have an MTA running, I have in the past had one
> > running. Port 25 and 110 were forwarded to the correct Nat'd IP. It
> > worked.
>This starts me thinking...
>
> > >I had wondered how I might apply proper host names to PCs in my private
> > >network when the domain name, web server, and e-mail server I use is
> > >hosted outside the network.
> >
> > I have to think about this, this is an interesting puzzle. Most cheap
> > routers (NAT) can not handle resolving and/or connections to specific
> > hostnames. The cheat in the past (internal/external) was either LMHosts or
> > the Host files in the OS (internal). This provided the "correct"
> > IP/hostname to look for before DNS queries would occur; it also covered
> > other weaknesses that M$ did not "address". This still does not solve
> > hostname DNS specific issues; NAT can not address those issues.
> >
> > If you had a low end Cisco router and a fixed IP it could be done. You
> > could then possibly "combine" (for lack of a better word at the moment) DNS
> > records, but then you would have to have the co-operation of those that
> > hold the primary DNS. This is not zone transfers, but request forwarding
> > for DNS lookup. The Dynamic DNS service would host the primary record
> > (foobar.com) and forward lookup requests to the fixed IP
> > (machine1.foobar.com). That would be passed to your internal DNS to resolve
> > the host name and reverse lookups.
> >
> > No it can not be a Nat'd router.
> >
> > "DHCP/Nat" was not designed to handle translating and returning those
> > lookups. You can get away with some things (port based) and not others.
> > You can not get away with it on a cheap router.
>
>Okay, you cannot put a secondary DNS inside your private side, with the
>primary public, but couldn't you create a subdomain of, say,
>housenet.foobar.com with the primary for THAT being on the inside of the
>NAT'd firewall? Then one might name a PC critter.housenet.foobar.com and
>only get in trouble with fumble-fingered typing.

Behind NAT you can create what you desire. You can host your own Domain and 
DNS, and internally things will resolve. NAT can allow machines to access 
the Internet. NAT can host services/ports that are designated. If you want 
it routable you have to change the routing device.


>Where is the flaw in this? There has to be one, since I'm so good at
>missing them! ;-)

If you want WAN then the devices that you choose are the "hardware" key. 
You know that. This whole exercise is education and point of view; it 
makes "us" think.

When we start working at the Home/Office we can recreate many things and 
the telephone does not ring; except for a Child that expects us to answer 
the phone because they are too lazy to get off their butt. We can have a 
cold beverage and play, many stress things are removed (except for when to 
go to bed).


Working example: (Yes, I tried to do this with less than two pages of 
examples or explanation)

My Office lab is a valid registered domain (subdomain.foobar.com). The 
Primary DNS has several host records (with reverse lookup) which point to 
my Firewall (ISA 2000) External Fixed IP. Web, mail etc. specific 
services/ports are configured (and allowed with a destination specific set) 
to the correct internal IP.

The ISA Local Address Table (LAT) does the translation (routing) for the 
registered IPs (IANA non-routable IPs). The ISA box also checks to 
ensure the specific Service/Port is allowed (firewall). So Yes, this is 
service/port based, very similar to NAT (yes, that is a broad statement).

Inside, I have Active Directory (with separate DNS), thus 
subdomain.foobar.com resolves externally and internally within my 
registered domain. I can construct other subdomains, i.e. 
childdomain.subdomain.foobar.com, which only resolve internally. The 
subdomains are validated through a Local Domain Table (ISA LDT) for 
Internet traffic routing.

The disadvantage is that any machine(s), due to the disconnected DNS and 
NetBIOS over TCP/IP being disabled. If I want pc1.subdomain.foobar.com to 
resolve, it would have to have the appropriate host record(s) entries in the 
internal DNS. Yes, this is similar to a Nix environment: Browse what network 
neighborhood... It is still private; other than registered external 
hostnames, it does not leak...

i.e.
a query for subdomain.foobar.com - the authoritative answer 
(subdomain.foobar.com) is pointed at my External IP to find a specific host 
record; thus the ISA LAT handles the protocol/service translation. The ISA 
Firewall ensures it is "authorized."

or

a query for pc1.subdomain.foobar.com or childdomain.subdomain.foobar.com 
would be forwarded to my internal DNS for resolution, and Authorized by the 
LDT for Internet access internally.

Any machine that has an IP authorized within the LAT can transmit/receive - 
to/from the Internet.

My Internal DNS is "not" set for Zone Transfers (as I sometimes have people 
working on projects that "may not" make correct DNS entries), so it would 
only affect "my" DNS, not the upstream Primary. Normally that results in 
handing them "DNS and Bind", which sits on top of the DNS server. Only after they 
can answer the questions about what the entry is and what it could cause 
are they allowed to make additional entries. At times, I have other test 
domains that I do not want published. I have to manually enter host or 
other type records that resolve internally.

Side Note:
I have thought about putting the Secondary DNS in a DMZ (it would be then 
external and untrusted, but would have an internal address and has an 
address in LAT) that would potentially allow individual host lookups and 
then doing Zone transfers through the ISA to the internal DNS. I may be 
able to resolve single host names. I would have to have the secondary DNS 
registered with the Primary. I may have to try that someday just to see 
what will happen.. M$ sez I have to handle "routing" manually. Otherwise it 
is back to the cmd prompt and then route add xxx.xxx.xxx.xxx and host 
tables etc... Those entries would have to be bound to the External IP. No 
ISA is not a router, it does appear to be expanded NAT (once again broad 
terms).


Earlier example:
Back in the early NT 4.0 days, I did play with "routing and remote access." 
I could, through use of the Host Table and Routing, attach to remote devices. 
I could, from my home office, print to my office HP LaserJet. It was a 
routing nightmare, and NT 4.0 had various problems that tended 
to glitch at the wrong moment (cached routes corrupting). You can get an 
idea from a "cmd" prompt with "route print /?" or type "route print" to see 
what routes are active.

So, while our Cisco guy has not made a comment about the specific Cisco 
router that would fill the real need, a quick peek at Cisco for the 
entry level routers for what you may want would be the 1700 Series.
http://www.cisco.com/en/US/products/hw/routers/ps221/products_data_sheet09186a00801c749d.html

Pricewatch shows starting at about $600 for the 1720; that is with the 4 
port WAN card. Yes, you would need a Fixed IP; then the world is your 
oyster. No, my NetGear does not compare, but with NAT it can do what I need 
it to do.

R/

Al
