[vox-tech] tinydns behind NAT firewall?

Shawn P. Neugebauer vox-tech@lists.lugod.org
Sun, 9 Feb 2003 13:35:03 -0800


On Sunday 09 February 2003 11:37 am, Samuel Merritt wrote:
> On Sun, Feb 09, 2003 at 11:24:51AM -0800, Shawn P. Neugebauer wrote:
> > Well, I'm finally getting around to setting up my own DNS server/cache,
> > and I've run into a problem.
> >
> > Is it generally possible to run tinydns behind a (dedicated) NAT firewall
> > (a netgear RP114)?  The problem is that the name server wants to run
> > on an interface having the published name server IP address, but, of
> > course, it's behind a firewall masquerading as that IP address (thus,
> > the firewall is doing translation, so DNS queries could never make it to
> > the right interface).
>
> Any decent NAT box will have a way to forward packets to internal
> machines. You should be able to set up a rule that packets destined for
> the NAT box's external interface, port 53, type UDP, get forwarded to
> the DNS server.

Yes, it does have such forwarding capabilities, and I use them in a variety
of ways.  The problem here isn't the forwarding--that's easy and works
great--the problem is the forwarded packets get sent to the
internal machine using the *internal* IP address--and tinydns wants to
run on an interface having the *external* IP address (IP aliasing is not
the answer here, at least not by itself).

If this is at all possible, it has to involve some type of non-standard
tinydns configuration, at least, and I'm hopeful that one of the many
tinydns users on the list will have a clue... :)

shawn.
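Samuel's suggested forwarding rule, written out as an added example rather than anything from the thread. The RP114 is configured through its own interface, so this assumes instead a Linux box doing the NAT with iptables; the addresses (203.0.113.10 external, 192.168.1.10 internal) are constructed placeholders, and it assumes tinydns is listening on the internal address (its env/IP setting), since that is where the forwarded packets arrive.

```shell
#!/bin/sh
# Added example: forward public DNS traffic to an internal tinydns host.
# Assumes a Linux NAT gateway using iptables; addresses are constructed.
set -e

EXT_IF=eth0                 # interface holding the public address
EXT_IP=203.0.113.10         # published name server address (placeholder)
DNS_HOST=192.168.1.10       # internal tinydns host (placeholder)

# DNAT: packets arriving on the external interface for port 53 are rewritten
# to the internal host. tinydns itself only ever sees the internal address.
iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p udp --dport 53 \
    -j DNAT --to-destination "$DNS_HOST":53
# TCP 53 is also needed: responses larger than 512 bytes and zone transfers
# fall back to TCP, and some resolvers retry over it.
iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 53 \
    -j DNAT --to-destination "$DNS_HOST":53

# Allow only port 53 through to that host; nothing else on it is exposed.
iptables -A FORWARD -i "$EXT_IF" -d "$DNS_HOST" -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i "$EXT_IF" -d "$DNS_HOST" -p tcp --dport 53 -j ACCEPT
```

Only the authoritative tinydns service should sit behind this rule. If a dnscache instance shares the same host it must be bound to a separate, non-forwarded address, otherwise the forward turns it into an open resolver reachable from the Internet.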