DNS/Firewall prob

  • #355825
    danmtslatter
    Participant

    We have a ‘no nat’ router and a firewall doing NAT for us. All our machines inside our network are statically assigned IPs. Our webserver can be seen from the outside no problems as there is a route open on port 80 for that machine from inside the network… However, if we try to view the webserver from inside the firewall using its external address, the browser times out. Our ISP and firewall vendors both concur that we either need to use local DNS or a HOSTS file to locally resolve the name. Although fairly techy and competent, this seems a bit of a grey area for us as no one seems to be able to shed any real light on our problem. Any ideas anyone? Thank you anyone in advance! Dan…

    #355826
    Camelot
    Participant

    Your problem is a common one.

    It stems from the fact that your router/firewall/whatever is not permitting traffic from the internal network to access the NAT addresses, a term referred to as ‘nat bounceback’.

    Typically the router performs NAT translation on any traffic coming into the external interface and trying to get to an internal resource (such as your server). To do this the router translates the external IP address to the internal one and forwards the packet.
    However, this only happens on traffic coming into the external interface. If the traffic comes from the internal interface, the router chokes.

    The commonest solution is, as you’ve been advised, to run either internal hosts or DNS.

    In this setup all your machines use either a hosts table or a separate DNS server that is configured with your internal network addresses.

    For example, if your real-world address is 20.30.40.1 and your web server is running on 192.168.1.1, your public DNS server has an entry for ‘www.yourdomain.com’ pointing to 20.30.40.1.
    When you set up your network using a private DNS server, you define http://www.yourdomain.com as being at 192.168.1.1.
    You then point all your internal systems to use this DNS server for name resolution rather than your external (ISP’s?) name server. When users then look up http://www.yourdomain.com they get the 192.168.1.1 address and can access the server without having to hit the router.

    Since only your internal systems use this DNS server, it won’t affect anyone else’s ability to get to your web server.

    If configuring DNS is too much for you, you can achieve the same thing via hosts files. Most systems allow you to build a table of hostnames and IP addresses which take precedence over DNS. In this scenario you essentially tell each machine that http://www.yourdomain.com is at 192.168.1.1 regardless of what any DNS server might say.
    To set this up on Mac OS X systems, use NetInfo Manager to create a number of ‘machine’ records, one for each internal host. Enter the host name and IP address for each machine and you’re all set.
    Windows and other UNIX systems use a text file-based system (/etc/hosts on most unix systems) that does the same thing.

    The advantage of the hosts system is that you don’t need to run a DNS server. However, administration becomes a nightmare if you have a large number of systems and/or update the addresses regularly – you have to walk through each machine to make the changes [*] (unless you’re running a central authentication system that can push this content for you, but that’s another issue)

    Installing a DNS server isn’t too hard and is a useful skill to know.

    * – Side note. In the dark, early days of the internet, this is exactly how the hostnames were updated… files were physically (via disk) passed around the various establishments that were connected to the ‘net’ and each site would apply their recent changes to the file before sending it on to the next site. This quickly moved to a centralized system where each site sent their changes to one site that then distributed the file to all sites (again, all via disk).
    This system was ultimately replaced by the electronic version we now know as DNS.
    Could you imagine every machine on the internet holding a text file of all internet hosts, and users having to manually update their files (via disk) every week? ::shudder:: :)
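An added example (my own, not from Camelot’s post) that models the two fixes described above in one small script: a parser for the hosts-file format, a split-horizon lookup that hands internal clients 192.168.1.1 and everyone else 20.30.40.1, and a check that flags the original symptom, an internal client being handed the public address it cannot reach back through the firewall. The addresses are the post’s own placeholders; the zone tables, the sample hosts file and the use of the RFC 1918 ranges to decide who counts as ‘internal’ are assumptions of mine.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data, reusing the placeholder addresses from the post:
# 192.168.1.1 is the web server inside, 20.30.40.1 is its public address.
SAMPLE_HOSTS_FILE = """\
# constructed hosts file: comments and blank lines are allowed
127.0.0.1       localhost
::1             localhost
192.168.1.1     www.yourdomain.com   www    # internal override, wins over DNS
192.168.1.20    mail.yourdomain.com  mail
notanaddress    broken.example             # malformed line, must be skipped
"""

# Assumed zone data: what the private (internal) and public (external)
# DNS servers would each answer for the same names.
INTERNAL_ZONE = {"www.yourdomain.com": "192.168.1.1", "mail.yourdomain.com": "192.168.1.20"}
EXTERNAL_ZONE = {"www.yourdomain.com": "20.30.40.1", "mail.yourdomain.com": "20.30.40.1"}

# Assumption: clients in the RFC 1918 ranges are "inside" the firewall.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Parse /etc/hosts format: address, then one or more names; '#' starts a comment.
    Returns name -> list of addresses in file order. Malformed lines are skipped."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # an address with no names is useless
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                          # do not poison the table with junk
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    client = ipaddress.ip_address(ip)
    return any(client in net for net in INTERNAL_NETS)


def resolve(name: str, client_ip: str, hosts: Optional[Dict[str, List[str]]] = None) -> Tuple[str, str]:
    """Resolve name as a client at client_ip would: the hosts table takes precedence
    over DNS, then the split-horizon view is chosen by where the client sits.
    Returns (address, source)."""
    name = name.lower().rstrip(".")
    if hosts and name in hosts:
        return hosts[name][0], "hosts"
    if is_internal(client_ip):
        zone, source = INTERNAL_ZONE, "internal-dns"
    else:
        zone, source = EXTERNAL_ZONE, "external-dns"
    if name not in zone:
        raise KeyError(name)
    return zone[name], source


def would_hairpin(answer: str, client_ip: str) -> bool:
    """The symptom from the first post: an inside client got the public address and
    would have to bounce off the firewall's outside interface to reach the server."""
    return is_internal(client_ip) and not is_internal(answer)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS_FILE)
    for client in ("192.168.1.50", "203.0.113.9"):
        addr, src = resolve("www.yourdomain.com", client)
        print(f"{client:>14} -> {addr:<12} via {src:<13} hairpin={would_hairpin(addr, client)}")
```

The `would_hairpin` check is the thing to run over the answers your clients actually get (from `dig` or `nslookup`): if an inside machine is still being handed the public address, the private DNS or hosts entry has not taken effect for that client.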

    #356113
    sbaumeister
    Participant

    Okay, I think I understand everything so far as you have explained to danmtslatter, but I have an additional question regarding the setup of the Internal DNS Server.

    I guess I should start by saying I already have a setup (which I inherited when I started working for the school district) where we have a firewall providing NAT for us. There is both an internal and an external DNS server set up. Prior to my arrival, they had both DNS servers listed in the network settings of all machines. The problem I found is that I was unable to hit our mail server using the DNS name. We had to set almost everyone up using the IP address for the mail server. While investigating this issue, I discovered that if I only used our internal DNS server, I was able to get the mail server by DNS name about 85% of the time.

    So, what I am wondering is if anyone can tell me, when setting up an internal DNS server, should the internal server include an NS record for the external DNS server? I am wondering if this could be causing my continuing problems locating my mail server by its DNS name.
