DNS with NAT

redouane43
Level 1

Hello

I am an ISP.

I use NAT on Cisco routers.

My DNS server has a private address (192.168.0.1).

It has an ip nat static address for translation (193.41.164.1).

I have a mail server, IL (192.168.0.6),

IG (193.41.146.6).

My question is: if someone on the Internet tries to access my mail server,

it requests my DNS server for the mail address.

What is the response delivered by the DNS?

Is it 192.168.0.6

or 193.41.146.6?

In my DNS the MX points to 192.168.0.6.

In the router I have ip nat inside static 192.168.0.6 193.41.146.6.

Thank you for helping me.

3 Replies

shabib.syed
Level 1

Here is the thing... on your DNS all the A records will be for global IPs, not private IPs. If someone from outside comes to your DNS to see the MX record, it should see a global IP. Now for internal users there are two things you can do: either use a hosts file on each machine, so every time it tries to go to the mail server it comes up with the private IP, or put in another internal DNS and have the host names with local IP addresses. You can make this internal DNS a forwarder only, so for all internal users this is the only DNS server, even to go out, and the external DNS has the global IP mapping, i.e. address records being only for outside users. That is how I am doing it on my network. If there is any better way, guys, let me know... but it works for me.

efb
Level 1

Hope you don't have too many answers already.

If you use "standard" BIND 8 or alike DNS, I suggest you use TWO DNS servers, one for the world outside with your public addresses, one for the world inside with your RFC1918 (unroutable) addresses. You may choose to use special hybrid DNS servers, but at this time they may cause you more work than you really want to do. To abide by the Internet policy recommendations (web search RFC1918, etc.), it is best that you DO NOT make your private IPs accessible by DNS in the public network.

B/w Everett

jkirby
Level 1

As of BIND 9.0 (and I think 9.1.1rc1 was released a day or so ago) you can do this with one DNS server and multiple "views". You can make an inside "view" and an outside "view". Then, using pretty simple ACL syntax, you define which address spaces see which view. You can then make all your internal addresses see the inside view and everyone else see the outside view.

Of course, we do our split DNS the old 2-server way for other reasons, but if you only have one machine to spare, this is a good option.
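As an added example (not from any poster in this thread), here is what the single-server "views" setup jkirby describes looks like in BIND 9, applied to the addresses from the original question. The zone name example.net, the file paths, the ACL name and the SOA parameters are placeholders; the IP addresses are the ones the question gives. Note that an MX record must name a host, never an IP address: the MX target is mail.example.net in both views, and it is the A record for that name that differs per view (192.168.0.6 inside, 193.41.146.6 outside). The zone-file contents are shown after the named.conf fragment, each under a comment giving its file name.

```conf
// named.conf -- BIND 9 split-horizon ("views") example.
// Placeholders: example.net, file paths, ACL name, SOA values.
// IP addresses are those from the question above.

acl "internal-nets" {
    192.168.0.0/16;             // the ISP's private (RFC 1918) space
    localhost;
};

options {
    directory "/var/named";
    allow-transfer { none; };   // zone transfers only to explicitly listed secondaries
};

// Views are tried in order; the first match-clients hit wins, so the
// internal view must come before the catch-all external view.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;              // internal hosts may use this server as their resolver
    zone "example.net" {
        type master;
        file "zones/example.net.internal";
    };
};

// Everyone else sees only the NAT'd public addresses. Recursion is off:
// an Internet-reachable recursive server is an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.net" {
        type master;
        file "zones/example.net.external";
    };
};

// ---- file zones/example.net.internal (zone-file syntax, ';' starts a comment) ----
$TTL 3600
@       IN SOA ns1.example.net. hostmaster.example.net. (
                2024010101 3600 900 1209600 3600 )
        IN NS  ns1.example.net.
        IN MX  10 mail.example.net.      ; MX names a host, never an address
ns1     IN A   192.168.0.1               ; private address of the DNS server
mail    IN A   192.168.0.6               ; inside local address of the mail server

// ---- file zones/example.net.external ----
$TTL 3600
@       IN SOA ns1.example.net. hostmaster.example.net. (
                2024010101 3600 900 1209600 3600 )
        IN NS  ns1.example.net.
        IN MX  10 mail.example.net.
ns1     IN A   193.41.164.1              ; static NAT address of the DNS server
mail    IN A   193.41.146.6              ; inside global address of the mail server
```

Two checks are worth doing after loading this. First, run `named-checkconf` on the configuration and `named-checkzone example.net zones/example.net.external` (and the internal file) before reloading, so a typo does not take the server offline. Second, query `mail.example.net` with `dig` once from a host inside 192.168.0.0/16 and once from outside, and confirm the two answers differ as intended. The view is chosen from the source address as seen by named, so internal clients must reach the server on its private address; a query that has already passed through the router's NAT arrives with a public source and lands in the external view.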