#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2011
    Posts
    2
    Rep Power
    0

    DNS and NAT... Sorry.


    I am sure this has been answered before... I just exceeded my 3-hour limit on head-banging. I am looking for a sense of direction, as I am sure I can fill in the blanks.

    I have a working DNS Server, where I can resolve anyname.mydomain.org to any desired ip address. Nameservers from mydomain.org are correctly pointed to my DNS server. So now, I want to be able to route the traffic to a specific machine on the LAN based on my DNS server's resolution. The server has 2 ethernet cards, one listening to WAN traffic and the other to LAN traffic. Everything works...

    I want for anyone on the outside (WAN) to be able to ping (or whatever) anymachine.mydomain.org and the traffic to be routed through the DNS server to the actual machine. More concretely, using bind9, I have associated machine1.mydomain.org to 172.25.253.182. So, from the LAN, if I ping machine1.mydomain.org I get the expected result. However, if I do the same thing from the WAN, then my request is resolved also to 172.25.253.182 (which usually does not exist). I somehow want it resolved to machine1.mydomain.org... I've been fiddling iptables without success... I don't seem to get the hang on how to route the "output" of bind through iptables...

    Suggestions are appreciated. Thanks for your time!

    -zbot
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2010
    Location
    Florida
    Posts
    248
    Rep Power
    4
    If you want the records that the internet gets to vary from the records your internal network gets, this can be done via the views clause in BIND. It would be easier to rename the internal network and just have it be a different zone, but if it must be the same, you can use views.

    http://www.zytrax.com/books/dns/ch7/view.html
    http://oreilly.com/pub/a/oreilly/networking/news/views_0501.html

    Is that what you are trying to do? Or something else?
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2011
    Posts
    2
    Rep Power
    0
    Hey, I appreciate the help.

    The best way to explain it is that I wan traffic to be routed as follows:

    You -> ... -> GoDaddy nameserver -> mydomain.org => machine1.mydomain.org

    Where "->" is WAN and "=>" is LAN.

    The WAN side works, so no worries there.
    Once traffic reaches the machine hosting mydomain.org (running apache, bind9, etc.) it _knows_ what the LAN address is of "machine1" (i use cron and nmap)...
    "machine1" does not use mydomain.org as a DHCP Server and/or Gateway...

    From the machine I'm writing, for example (inet addr:131.X.X.X):
    $ ping mydomaing.org
    PING 128.Y.Y.Y (128.Y.Y.Y) 56(84) bytes of data.
    64 bytes from 128.Y.Y.Y: icmp_seq=1 ttl=56 time=27.9 ms
    $ ping machine1.mydomaing.org
    PING machine1.mydomaing.org (192.168.1.100) 56(84) bytes of data.

    ... needless to say that all packets are lost since I am on the WAN side (at 131.X.X.X).

    Long story short, is there a way where I can "ping machine1.mydomaing.org" and the traffic is routed behind the scenes to machine1.mydomaing.org 192.168.1.100, but someway I see the response as if directly coming from mydomain.org (at 128.Y.Y.Y) where DNS is doing the reolving?
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2010
    Location
    Florida
    Posts
    248
    Rep Power
    4
    Well you're essentially asking for NAT or PAT. It depends on which would better suit your needs. However if the machine1 doesn't use the server as a gateway, you might be out of luck. You could get the mydomain.org server to forward data to machine1, however if machine1 has no affiliation with the server as it's gateway, the information will probably be lost. Either way, this doesn't seem to have anything to do with DNS any more if the DNS server is functioning properly.

    My only experience with NAT and PAT are on Cisco and Juniper equipment so really I'm not too good with doing it in iptables. There may be a way to do what you want but it sounds like you may need to change your topology. Were you wanting to route all traffic to the machine1 that hits the server or only certain ports/protocols? I'm assuming certain ports since you have BIND and Apache running on the server. You may want to look in to setting up port forwarding and PAT in Linux.

IMN logo majestic logo threadwatch logo seochat tools logo