[Dshield] OT dynamic IP
areust at comcast.net
Thu Mar 25 06:55:32 GMT 2004
Alan et al
What I understand of your last question is "Can I run my Domain behind the
NAT router?" The answer is Yes you can, everything inside will be
"private" with exception of services/ports you choose to publicly
publish. More specifics below, this is all an exercise in
thought/possibilities.. Every now and then we all need one of those, each
one of those exercises is a new learning experience. We need to look at
the possibilities to expand "our" horizons, no someone can always poke
holes in what we thought was right. We are neither right nor wrong but do
not have the answer for the moment. Over the years I have had the help of
others to "require" me to learn with a single question. With the right
attitude we can learn.. How we respond makes the difference.
At 08:50 AM 3/24/2004 -0500, you wrote:
>On Tue, 2004-03-23 at 22:00, Al Reust wrote:
> > At 09:45 AM 3/23/2004 -0500, you wrote:
> > >That's actually an interesting idea, but doesn't it cost you the
> > >firewall benefits of NATting? I mean, if the DNS record now shows hosts
> > >in the private side of the router (and this is what you're suggesting,
> > >right?), can't someone access those hosts by their DNS name? Or does the
> > >fact that the addresses attached to those DNS names are still unroutable
> > >addresses leave them protected?
> > I did not ask to have host/cname records created for www or ftp however
> > foobar.com resolves to my external IP and the router through "port
> > forwarding" handles the request according to the port. In that case NAT
> > works. Yes my Firewall is at the front! My private IP space is still
> > "private" other than the "ports" I open. No, hostnames are not exposed.
> > The NetGear Router has port forwarding for port 21 (and PASV ports) to one
> > fixed IP 192.168.0.6 and port 80 to fixed IP 192.168.0.7 NAT handles the
> > translation for those protocol streams. Based on foobar.com
> > While I do not currently have an MTA running, I have had one running in
> > the past. Port 25 and 110 were forwarded to the correct Nat'd
> > IP. It worked.
>This starts me thinking...
> > >I had wondered how I might apply proper host names to PCs in my private
> > >network when the domain name, web server, and e-mail server I use is
> > >hosted outside the network.
> > I have to think about this, this is an interesting puzzle. Most cheap
> > routers (NAT) can not handle resolving and/or connections to specific
> > hostnames. The cheat in the past (internal/external) was either
> > LMHosts or
> > the Host files in the OS (internal). This provided the "correct"
> > IP/hostname to look for before DNS queries would occur, it also covered
> > other weaknesses that M$ did not "address". This still does not solve
> > hostname DNS specific issues, NAT can not address those issues.
> > If you had a low end Cisco router and a fixed IP it could be done. You
> > could then possibly "combine" (for lack of a better word at the moment) DNS
> > records, but then you would have to have the co-operation of those that
> > hold the primary DNS. This is not zone transfers, but request forwarding
> > for DNS lookup. The Dynamic DNS service would host the primary record
> > (foobar.com) and forward lookup requests to the fixed IP
> > (machine1.foobar.com). That would be passed to your internal DNS to
> > the host name and reverse lookups.
> > No it can not be a Nat'd router.
> > "DHCP/Nat" was not designed to handle translating and returning those
> > lookups. You can get away with some things (port based) and not others.
> > You can not get away with it on a cheap router.
>Okay, you cannot put a secondary DNS inside your private side, with the
>primary public, but couldn't you create a subdomain of, say,
>housenet.foobar.com with the primary for THAT being on the inside of the
>NAT'd firewall? Then one might name a PC critter.housenet.foobar.com and
>only get in trouble with fumble-fingered typing.
Behind NAT you can create what you desire. You can host your own Domain,
DNS and Internally things will resolve. Nat can allow machines to access
the Internet. NAT can host services/ports that are designated. If you want
it routable you have to change the routing device.
>Where is the flaw in this? There has to be one, since I'm so good at
>missing them! ;-)
If you want WAN then the devices that you choose are the "hardware" key..
You know that.. This whole exercise is education and point of view, it
makes "us" think.
When we start working at the Home/Office we can recreate many things and
the telephone does not ring; except for a Child that expects us to answer
the phone because they are too lazy to get off their butt. We can have a
cold beverage and play, many stress things are removed (except for when to
go to bed).
Working example: (Yes, I tried to do this with less than two pages of
examples or explanation)
My Office lab is a valid registered domain (subdomain.foobar.com). The
Primary DNS has several host records (with reverse lookup) which point to
my Firewall (ISA 2000) External Fixed IP. Web, mail etc specific
services/ports are configured (and allowed with a destination specific set)
to correct internal IP.
The ISA Local Address Table (LAT) does the translation (routing) for the
registered IPs (IANA non-routable IPs). The ISA box also checks to
ensure the specific Service/Port is allowed (firewall). So Yes this is
service/port based very similar to NAT (yes that is a broad statement).
Inside, I have Active Directory (with separate DNS), thus
subdomain.foobar.com resolves externally and internally within my
registered domain. I can construct other subdomains ie
childdomain.subdomain.foobar.com which only resolves internally. The
subdomains are validated through a Local Domain Table (ISA LDT) for
Internet traffic routing.
The disadvantage is that any machine(s), due to the disconnected DNS and
NetBios over TCP/IP being disabled. If I want pc1.subdomain.foobar.com to
resolve it would have to have the appropriate host record(s) entries in the
internal DNS. Yes this is similar to a Nix environment, Browse what network
neighborhood... It is still private, other than registered external
hostnames, it does not leak...
a query for subdomain.foobar.com - The authoritative answer
(subdomain.foobar.com) is pointed at my External IP to find a specific host
thus the ISA LAT handles the protocol/service translation. The ISA
Firewall ensures it is "authorized."
a query for pc1.subdomain.foobar.com or childdomain.subdomain.foobar.com
would be forwarded to my internal DNS for resolution, and Authorized by the
LDT for Internet access internally.
Any machine that has an IP authorized within the LAT can transmit/receive -
to/from the Internet.
My Internal DNS is "not" set for Zone Transfers (as I sometimes have people
working on projects that "may not" make correct DNS entries), then it would
only affect "my" DNS not the upstream Primary. Normally that results in
handing them "DNS and Bind" which sits on top of the DNS server. After they
can answer the questions about what the entry is and what it could cause,
they are allowed to make additional entries. At times, I have other test
domains that I do not want published. I have to manually enter host or
other type records that resolve internally.
I have thought about putting the Secondary DNS in a DMZ (it would be then
external and untrusted, but would have an internal address and has an
address in LAT) that would potentially allow individual host lookups and
then doing Zone transfers through the ISA to the internal DNS. I may be
able to resolve single host names. I would have to have the secondary DNS
registered with the Primary. I may have to try that someday just to see
what will happen.. M$ sez I have to handle "routing" manually. Otherwise it
is back to the cmd prompt and then route add xxx.xxx.xxx.xxx and host
tables etc... Those entries would have to be bound to the External IP. No
ISA is not a router, it does appear to be expanded NAT (once again broad
Back in the early NT 4.0 days, I did play with "routing and remote access."
I could through use of the Host Table and Routing attach to remote devices.
I could from my home office print to my office HP LaserJet. It was a
routing nightmare, and NT 4.0 had various problems that tended
to glitch at the wrong moment (cached routes corrupting). You can get an
idea from a "cmd" prompt "route print /?" or type "route print" to see
what routes are active.
So while our Cisco guy has not made a comment about the specific Cisco
router that would fill the real need, a quick peek at Cisco and the
entry level routers for what you may want, would be the 1700 Series.
Pricewatch shows starting at about $600 for the 1720 that is with the 4
port WAN card. Yes you would need a Fixed IP, then the world is your
oyster. No my NetGear does not compare, but with NAT it can do what I need
it to do.
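One way to get the split the post describes with BIND (the "DNS and Bind" approach): public names answer with the firewall's external IP, LAN-only names such as pc1 answer only for LAN clients, and no zone transfers are allowed from either side. This is an added illustration, not configuration from the original post; the public address 203.0.113.10, the upstream resolver 192.0.2.53, the 192.168.0.0/24 LAN, the ns1 host and the file paths are assumed.

```conf
// named.conf (BIND 9) -- split-horizon DNS for subdomain.foobar.com (assumed layout)
acl "lan" { 192.168.0.0/24; 127.0.0.1; };

view "internal" {
    match-clients { lan; };          // only LAN clients ever see this view
    recursion yes;                   // LAN hosts may use this box as their resolver
    forwarders { 192.0.2.53; };      // upstream resolver for everything else (assumed)

    zone "subdomain.foobar.com" {
        type master;
        file "/etc/bind/internal/subdomain.foobar.com.zone";
        allow-transfer { none; };    // no AXFR: the "not set for Zone Transfers" rule
    };
};

view "external" {
    match-clients { any; };          // everyone else, i.e. the Internet
    recursion no;                    // never recurse for strangers (open-resolver risk)

    zone "subdomain.foobar.com" {
        type master;
        file "/etc/bind/external/subdomain.foobar.com.zone";
        allow-transfer { none; };
    };
};

// /etc/bind/internal/subdomain.foobar.com.zone -- what LAN clients get
// $TTL 3600
// @    IN SOA ns1.subdomain.foobar.com. hostmaster.subdomain.foobar.com. (2004032501 3600 900 604800 300)
// @    IN NS  ns1.subdomain.foobar.com.
// ns1  IN A   192.168.0.2
// www  IN A   192.168.0.7     ; the host the router forwards port 80 to
// ftp  IN A   192.168.0.6     ; the host the router forwards port 21 to
// pc1  IN A   192.168.0.20    ; exists only in this view (constructed address)

// /etc/bind/external/subdomain.foobar.com.zone -- what the Internet gets
// $TTL 3600
// @    IN SOA ns1.subdomain.foobar.com. hostmaster.subdomain.foobar.com. (2004032501 3600 900 604800 300)
// @    IN NS  ns1.subdomain.foobar.com.
// ns1  IN A   203.0.113.10
// @    IN A   203.0.113.10    ; the firewall's public address
// www  IN A   203.0.113.10    ; NAT port-forwards 80 inward
// ftp  IN A   203.0.113.10    ; NAT port-forwards 21 inward (plus PASV range)
// no pc1 record here: internal hostnames and 192.168.x addresses never leak
```

In the post's own setup the public zone is held by the upstream provider, so you would keep only the internal view and never forward port 53 to this box; the external view is shown to make clear which records the outside world should ever see.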