Tim,
If you wish to provide authoritative DNS service from behind a NAT
router, then with a Cisco the NAT code contains various ALGs
(application level gateway I think) including one for DNS.  This ALG
translates A records, MX and PTR records where it can.  IIRC if it can't
then the response is not passed at all (which many people believe is a
major issue).  So if the DNS server is behind the same NAT boundary as
the servers, all well and good, just use the private addresses in the
DNS and they'll be translated.  However if the DNS server is not behind
the same NAT boundary as the servers, then you're stuffed.  In DNS
circles, the purists don't like all this because this technique is
probably not possible to maintain for more complex DNS record types, and
I believe it only does UDP, so I guess that it isn't "best practice".
rgds
Marc TXK


Tim Booth wrote:
> 
> Out of curiosity, what is the "best practice" for someone who has a
> DNS server on their private network with a private IP address? How would
> one go about doing this with a router? Is it impossible? Is the "best
> practice"/only possible way to have the DNS server having a public IP
> address (in a DMZ)?
> 
> Kind Regards,
> Tim Booth
> MCDBA, CCNP, CCDP, CCIE written
> -----------------------------------------
> Those who would give up essential liberty to purchase a little temporary
> safety deserve neither liberty nor safety.
> Benjamin Franklin, 1759
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 18, 2002 13:16
> To: [EMAIL PROTECTED]
> Subject: Re: DNS Request Redirection [7:35703]
> 
> hhmmm.....
> 
> as I understand the original question, each workstation in the network
> in question is hard coded for DNS.
> 
> So, if for example, my machine is hard coded for DNS server
> 207.126.96.162
> ( my ISP DNS server ) and I change ISPs, and make no changes to my
> workstation, then any DNS request will have a destination address of
> 207.126.96.162
> 
> The question, as I understand, is how to change that destination address
> without making workstation visits.
> 
> Policy routing can change next hop, but not destination address. NAT
> outbound changes source address, not destination address.
> 
> Unless there is a packet interceptor that takes all DNS requests, and
> physically changes the destination address, the user has few options.
> 
> Again, IF the former ISP does not restrict DNS requests to its own
> address space, i.e. accepts DNS requests from anywhere, then there is no
> problem, and no changes need be made.
> 
> However IF ( and this would be good practice for a lot of reasons ) the
> former ISP does indeed restrict DNS requests to source addresses within
> its own space, then there will have to be additional changes on the user
> network.
> 
> This whole discussion illustrates why people SHOULD follow best practice
> from the get go. If they want to hard code IPs, then I believe DHCP can
> be configured so that it provides only DNS info and default gateway info,
> for example. The people who have insisted that their network hard code
> everything are now learning the hard lesson.
> 
> Chuck
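To make the A-record translation Marc describes concrete, here is an added Python sketch (not Cisco's code and not from anyone in this thread) that models what such a DNS ALG does to a response leaving the NAT boundary: it walks the answer section, rewrites each A record's address through a static inside-local to inside-global table, and passes nothing at all when it meets an address it cannot translate. The NAT table, the domain name and the addresses are constructed sample values; MX and PTR rewriting is not modelled.

```python
import struct
import ipaddress

# Static NAT table (constructed example): inside-local -> inside-global.
NAT_TABLE = {"192.168.1.10": "203.0.113.10"}


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def translate_response(msg):
    """Rewrite every A record's RDATA through NAT_TABLE.

    Returns the rewritten message, or None if some A record holds an address the
    table cannot translate (modelling an ALG that then passes nothing at all)."""
    msg = bytearray(msg)
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12                            # fixed-size DNS header
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:   # A record: 4-byte IPv4 address
            inside = str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            if inside not in NAT_TABLE:
                return None
            msg[off:off + 4] = ipaddress.IPv4Address(NAT_TABLE[inside]).packed
        off += rdlen
    return bytes(msg)


def build_response(name, addrs):
    """Constructed sample: a response with one question and one A record per address."""
    labels = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = labels + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + question + answers
```

A response whose answers are all in the table comes out with public addresses in place; one answer outside the table is enough for the whole response to be dropped, which is the behaviour Marc flags as the ALG's main shortcoming.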




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35807&t=35703
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
