Re: Adding DNS ALG support to Bind?
In message <20151106120047.ga69...@tiggr.ww.mens.de>, Jan-Piet Mens writes:
> Mark,
>
> > may want to add a "_dns-update._udp.example.net SRV" record pointing
> > to the nameservers as someone convinced the router vendor(s) that
> > this is how you do it
>
> Is this a standard? Other than [1], which insinuates it's an Apple-only
> thing, the Goog turns up only 55 hits for "_dns-update" and SRV. ;-)

It's registered with IANA for this purpose. There is nothing stopping
anyone from using the value. Dyn, from memory, use this record to send
updates to the backend systems rather than the nameservers for the zones.

It requires multiple parties to support this. Publish or to use the content.

> Can you mention any other vendors which support the SRV RR for directing
> updates?

I think Netgear does this but I'm not sure and am not going to reflash
my router to a factory image to find out.

It's certainly easy enough to do this in a shell script with dig and
nsupdate so any UNIX box is capable of doing this. Tune for your OS and
internal vs external views. It also needs error handling added but it
gives you the idea. The output is expected to be fed into nsupdate and
you can use TSIG or SIG(0) to sign the request.

The first thing it does is find the zone. The next thing it does is look
for the SRV record. Then it constructs the update message by looking at
the configured addresses.

#!/bin/sh
# Emit nsupdate input for this host's addresses on interface $1.
# Usage: sh xxx.sh en0 | nsupdate -k <TSIG or SIG(0) key file>
hostname=`hostname`
zone=$hostname
# Find the enclosing zone: strip leading labels until a SOA answers.
soa=`dig +short soa -q $zone`
while test -z "$soa"
do
	zone=`expr $zone : '[^\.]*.\(.*\)'`
	soa=`dig +short soa -q $zone`
done
# If the zone publishes _dns-update._udp SRV, send the update there
# instead of to the zone's nameservers.
srv=`dig +short _dns-update._udp.$zone SRV`
if test -n "$srv"
then
	server=`expr "$srv" : '.* .* .* \(.*\)'`
	port=`expr "$srv" : '.* .* \(.*\) .*'`
	echo server $server $port
fi
# Replace the address RRsets: delete the old A and AAAA, then add what
# ifconfig reports. RFC 4941 temporary addresses are dropped, and
# link-local addresses never match because of their %scope suffix.
# (The version as posted omitted the AAAA type on the second delete and
# on the inet6 add line, which is why the sample run below prints
# "IN 2001:..." with no type.)
echo update delete $hostname A
echo update delete $hostname AAAA
ifconfig $1 | sed -n -e 's/.*inet \([^ ]*\) .*/update add '$hostname' 120 IN A \1/p' \
	-e /temporary/d \
	-e 's/.*inet6 \([^ %]*\) .*/update add '$hostname' 120 IN AAAA \1/p'
echo send

[rock:~/git/bind9] marka% sh xxx.sh en0
server localhost.dv.isc.org. 53
update delete rock.dv.isc.org A
update delete rock.dv.isc.org
update add rock.dv.isc.org 120 IN A 172.30.42.121
update add rock.dv.isc.org 120 IN 2001:470:a001:5:2acf:e9ff:fe1b:508f
update add rock.dv.isc.org 120 IN 2001:470:a001:5::aea
send
[rock:~/git/bind9] marka%

This one does all the addresses with the exception of the temporary
addresses and link local. For the public side you can filter out the
ULA and RFC 1918 addresses.

> [1] http://fmepnet.org/osx_dyndns.html

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
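As an added example (not part of Mark's post, and not ISC code), here is the address-selection half of that script in Python: it parses ifconfig output, drops RFC 4941 temporary and link-local addresses the way the sed expressions do, optionally drops RFC 1918 and ULA space for the public-side view Mark mentions, and emits the text nsupdate reads. The ifconfig text, the host name host.example.net and the server ns1.example.net are constructed for the example.

```python
import ipaddress
import re

# Constructed sample modelled on macOS ifconfig output; not captured from a real host.
SAMPLE_IFCONFIG = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:00:5e:00:53:01
    inet6 fe80::2acf:e9ff:fe1b:508f%en0 prefixlen 64 scopeid 0x4
    inet 172.30.42.121 netmask 0xffffff00 broadcast 172.30.42.255
    inet6 2001:db8:a001:5:2acf:e9ff:fe1b:508f prefixlen 64 autoconf
    inet6 2001:db8:a001:5:8d1c:f2b4:9f0e:1c2a prefixlen 64 autoconf temporary
    inet6 2001:db8:a001:5::aea prefixlen 64
    inet6 fd00:1::1 prefixlen 64
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")
LINK_LOCAL = [ipaddress.ip_network("169.254.0.0/16"), ipaddress.ip_network("fe80::/10")]

# inet/inet6 lines: address, optional %scope suffix, then the remaining flags.
ADDR_LINE = re.compile(r"^\s*inet6?\s+([0-9A-Fa-f:.]+)(?:%\S+)?\s*(.*)$")


def interface_addresses(ifconfig_text):
    """Return (address, flags) pairs for every inet/inet6 line.

    The %scope suffix is stripped so link-local addresses still parse; they
    are rejected later by prefix, which also covers Linux ifconfig output
    that prints no %scope at all.
    """
    found = []
    for line in ifconfig_text.splitlines():
        m = ADDR_LINE.match(line)
        if m:
            found.append((ipaddress.ip_address(m.group(1)), set(m.group(2).split())))
    return found


def usable_addresses(ifconfig_text, public_view=False):
    """Pick the addresses worth publishing under the host name.

    Always skipped: RFC 4941 temporary addresses (they rotate) and link-local.
    With public_view=True, RFC 1918 and ULA space is skipped as well, which is
    the filter Mark suggests for the external view.
    """
    keep = []
    for addr, flags in interface_addresses(ifconfig_text):
        if "temporary" in flags or any(addr in net for net in LINK_LOCAL):
            continue
        if public_view:
            if addr.version == 4 and any(addr in net for net in RFC1918):
                continue
            if addr.version == 6 and addr in ULA:
                continue
        keep.append(addr)
    return keep


def nsupdate_script(hostname, addresses, ttl=120, server=None):
    """Build the text fed to nsupdate (sign the request with -k or -y).

    Only the A and AAAA RRsets are replaced, so other records at the name
    (TXT, SSHFP, ...) survive the update.
    """
    lines = []
    if server is not None:
        target, port = server
        lines.append(f"server {target} {port}")
    lines.append(f"update delete {hostname} A")
    lines.append(f"update delete {hostname} AAAA")
    for addr in addresses:
        rrtype = "A" if addr.version == 4 else "AAAA"
        lines.append(f"update add {hostname} {ttl} IN {rrtype} {addr}")
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    public = usable_addresses(SAMPLE_IFCONFIG, public_view=True)
    print(nsupdate_script("host.example.net", public, server=("ns1.example.net.", 53)), end="")
```

Pipe the output into nsupdate exactly as with the shell version; the difference from the posted script is that the delete is narrowed to the A and AAAA types, so an unsigned or mis-keyed run cannot wipe unrelated records at the name.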
Re: Adding DNS ALG support to Bind?
Thanks for the suggestion. My intention for now is to trial on a laptop as
that gives me the maximum flexibility for testing.

/bill

On Thursday 05 November 2015 17:44, Mark Andrews wrote:
> In message <201511051124.03206.boobe...@rogers.com>, Bill writes:
> > Yes, to do a full implementation usable in an enterprise you are correct,
> > but what I am looking for is a small demo with only 10 machines or so. I
> > believe your comment about IPv6 is correct too, but I am limited for this
> > trial.
> >
> > /bill
>
> Then find a (home) router with NAT and the ability to send dynamic
> updates and configure it as described below. They exist and can
> be purchased for less than USD100 and usually less than USD50. You
> may want to add a "_dns-update._udp.example.net SRV" record pointing
> to the nameservers as someone convinced the router vendor(s) that
> this is how you do it rather than that being an override to the
> default of just sending to the nameservers for the record to be
> updated.
>
> The nameserver being updated can be inside the network.
>
> If you don't want to buy a router you can use a Linux or BSD box
> and configure the DHCP client to update the nameserver on renumbering.
>
> I did that for many years with FreeBSD with two ethernet cards,
> running named and ISC's dhcp client using the dhcp client hooks.
>
> Mark
>
> > On Wednesday 04 November 2015 15:30, Mark Andrews wrote:
> > > If you want this sort of behaviour you are going to have to pay
> > > someone lots of money to add this sort of functionality to
> > > a nameserver and then pay them more money to maintain it. This
> > > sort of thing does not exist in normal nameservers.
> > >
> > > Nameservers don't normally do other things on DNS lookups.
> > >
> > > Normally what one does is configure port forwarding in the NAT /
> > > open a hole in the firewall. Some NATs can update the DNS when
> > > their external address changes; otherwise you need a NAT that
> > > modifies DNS payloads and that is problematical in lots of ways.
> > >
> > > NATs really are not something anyone sane wants in their network.
> > > Anyone who says they do really doesn't understand IP security. They
> > > are a necessary evil with IPv4 as we long ago ran out of addresses
> > > to number every device uniquely.
> > >
> > > Mark
> > >
> > > In message <201511041050.51346.boobe...@rogers.com>, Bill writes:
> > > > See my last posting on what I am trying to achieve, I think in the
> > > > interest of brevity I may have overly simplified my goal.
> > > >
> > > > What I want is for the DNS query to automatically configure the NAT
> > > > to permit the outside connection. In other words it should, after
> > > > the DNS query, look as if the named device had initiated the
> > > > connection from inside that NAT. My last post explains the use case
> > > > a bit better, I hope.
> > > >
> > > > /bill
Re: Adding DNS ALG support to Bind?
Mark,

> may want to add a "_dns-update._udp.example.net SRV" record pointing
> to the nameservers as someone convinced the router vendor(s) that
> this is how you do it

Is this a standard? Other than [1], which insinuates it's an Apple-only
thing, the Goog turns up only 55 hits for "_dns-update" and SRV. ;-)

Can you mention any other vendors which support the SRV RR for directing
updates?

-JP

[1] http://fmepnet.org/osx_dyndns.html
Re: Adding DNS ALG support to Bind?
On 11/05/2015 10:13 PM, Mark Andrews wrote:
> The UPDATE standard says ANY of the nameservers but to prefer the
> server which matches the MNAME.

I have yet to find a DNS server that will support updates to a slave
server out of the box.

Bind slave servers can easily be configured to forward Dynamic DNS updates
on to the master name server. (Which may, or may not, be the MNAME server.)

--
Grant. . . .
unix || die
Re: Adding DNS ALG support to Bind?
In message <563c3477.6070...@tnetconsulting.net>, Grant Taylor writes:
> On 11/05/2015 03:44 PM, Mark Andrews wrote:
> > You may want to add a "_dns-update._udp.example.net SRV" record
> > pointing to the nameservers as someone convinced the router vendor(s)
> > that this is how you do it rather than that being an override to the
> > default of just sending to the nameservers for the record to be
> > updated.
>
> I've run into multiple networks where the master name server is
> inaccessible. So, it's not possible for the Dynamic DNS client to send
> updates there.

The UPDATE standard says ANY of the nameservers but to prefer the
server which matches the MNAME.

> Further, some DNS servers will not forward Dynamic DNS updates. (Bind
> can be configured to forward Dynamic DNS updates quite easily.)

All of which is orthogonal to whether the router follows the standard or not.

> --
> Grant. . . .
> unix || die

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
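Added example, not from the thread and not BIND code: the target-selection logic that follows from Mark's two points here and from the zone-walking loop in his script earlier on the page. It finds the zone by stripping labels until a SOA answers, then orders the servers to try: the `_dns-update._udp` SRV target(s) if the zone publishes any, then the SOA MNAME, then the other NS. The resolver is a constructed in-memory table so the code runs offline; the names example.net, corp.example and hidden-master.corp.example are made up, and the second zone models Grant's case of a primary the client cannot reach.

```python
from collections import namedtuple

SOA = namedtuple("SOA", "mname rname")
SRV = namedtuple("SRV", "priority weight port target")

# Constructed answer table standing in for dig/dnspython; these are not real zones.
FAKE_DNS = {
    ("example.net.", "SOA"): [SOA("ns1.example.net.", "hostmaster.example.net.")],
    ("example.net.", "NS"): ["ns1.example.net.", "ns2.example.net."],
    ("_dns-update._udp.example.net.", "SRV"): [SRV(10, 0, 53, "update.example.net.")],
    # A zone with a hidden primary (MNAME not in the NS set) and no SRV record.
    ("corp.example.", "SOA"): [SOA("hidden-master.corp.example.", "hostmaster.corp.example.")],
    ("corp.example.", "NS"): ["ns1.corp.example.", "ns2.corp.example."],
}


def lookup(name, rrtype, table=FAKE_DNS):
    """Stand-in for a resolver call: the RRset, or [] for NODATA/NXDOMAIN."""
    return table.get((name, rrtype), [])


def fqdn(name):
    return name if name.endswith(".") else name + "."


def find_zone(name, resolve=lookup):
    """Walk up the labels of `name` until one has a SOA; that name is the zone.

    Same loop as the `dig +short soa` / `expr` loop in the shell script, but
    the root is tried last and a miss raises instead of looping forever.
    """
    labels = fqdn(name).rstrip(".").split(".")
    for i in range(len(labels) + 1):
        candidate = ".".join(labels[i:]) + "." if i < len(labels) else "."
        soa = resolve(candidate, "SOA")
        if soa:
            return candidate, soa[0]
    raise LookupError(f"no SOA found at or above {name}")


def update_targets(zone, soa, resolve=lookup):
    """Order the servers to send the UPDATE to.

    Per RFC 2136 section 4 as Mark summarises it: any nameserver may be used,
    but the SOA MNAME is preferred. The _dns-update._udp SRV target(s) go
    first because a zone that publishes them is asking for that. Falling
    through to a secondary only helps if it forwards updates to the primary
    (BIND: allow-update-forwarding on the secondary zone).
    """
    targets = []

    def add(host, port):
        if (host, port) not in targets:
            targets.append((host, port))

    # Lower SRV priority first; ties are ordered deterministically here rather
    # than by the RFC 2782 weighted selection.
    for rr in sorted(resolve("_dns-update._udp." + zone, "SRV")):
        add(rr.target, rr.port)
    add(soa.mname, 53)
    for ns in resolve(zone, "NS"):
        add(ns, 53)
    return targets


if __name__ == "__main__":
    for host in ("rock.lab.example.net", "laptop.corp.example"):
        zone, soa = find_zone(host)
        print(f"{host}: zone {zone}, try {update_targets(zone, soa)}")
```

The client then walks the returned list with nsupdate's `server` statement until one accepts the signed request; in the hidden-primary case the first entry is unreachable from outside and the secondaries only succeed if they forward.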
Re: Adding DNS ALG support to Bind?
On 11/05/2015 03:44 PM, Mark Andrews wrote:
> You may want to add a "_dns-update._udp.example.net SRV" record
> pointing to the nameservers as someone convinced the router vendor(s)
> that this is how you do it rather than that being an override to the
> default of just sending to the nameservers for the record to be
> updated.

I've run into multiple networks where the master name server is
inaccessible. So, it's not possible for the Dynamic DNS client to send
updates there.

Further, some DNS servers will not forward Dynamic DNS updates. (Bind
can be configured to forward Dynamic DNS updates quite easily.)

--
Grant. . . .
unix || die
Re: Adding DNS ALG support to Bind?
In message <201511051124.03206.boobe...@rogers.com>, Bill writes:
> Yes, to do a full implementation usable in an enterprise you are correct, but
> what I am looking for is a small demo with only 10 machines or so. I believe
> your comment about IPv6 is correct too, but I am limited for this trial.
>
> /bill

Then find a (home) router with NAT and the ability to send dynamic
updates and configure it as described below. They exist and can
be purchased for less than USD100 and usually less than USD50. You
may want to add a "_dns-update._udp.example.net SRV" record pointing
to the nameservers as someone convinced the router vendor(s) that
this is how you do it rather than that being an override to the
default of just sending to the nameservers for the record to be
updated.

The nameserver being updated can be inside the network.

If you don't want to buy a router you can use a Linux or BSD box
and configure the DHCP client to update the nameserver on renumbering.

I did that for many years with FreeBSD with two ethernet cards,
running named and ISC's dhcp client using the dhcp client hooks.

Mark

> On Wednesday 04 November 2015 15:30, Mark Andrews wrote:
> > If you want this sort of behaviour you are going to have to pay
> > someone lots of money to add this sort of functionality to
> > a nameserver and then pay them more money to maintain it. This
> > sort of thing does not exist in normal nameservers.
> >
> > Nameservers don't normally do other things on DNS lookups.
> >
> > Normally what one does is configure port forwarding in the NAT /
> > open a hole in the firewall. Some NATs can update the DNS when
> > their external address changes; otherwise you need a NAT that
> > modifies DNS payloads and that is problematical in lots of ways.
> >
> > NATs really are not something anyone sane wants in their network.
> > Anyone who says they do really doesn't understand IP security. They
> > are a necessary evil with IPv4 as we long ago ran out of addresses
> > to number every device uniquely.
> >
> > Mark
> >
> > In message <201511041050.51346.boobe...@rogers.com>, Bill writes:
> > > See my last posting on what I am trying to achieve, I think in the
> > > interest of brevity I may have overly simplified my goal.
> > >
> > > What I want is for the DNS query to automatically configure the NAT to
> > > permit the outside connection. In other words it should, after the DNS
> > > query, look as if the named device had initiated the connection from
> > > inside that NAT. My last post explains the use case a bit better, I hope.
> > >
> > > /bill

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Adding DNS ALG support to Bind?
Yes, to do a full implementation usable in an enterprise you are correct, but
what I am looking for is a small demo with only 10 machines or so. I believe
your comment about IPv6 is correct too, but I am limited for this trial.

/bill

On Wednesday 04 November 2015 15:30, Mark Andrews wrote:
> If you want this sort of behaviour you are going to have to pay
> someone lots of money to add this sort of functionality to
> a nameserver and then pay them more money to maintain it. This
> sort of thing does not exist in normal nameservers.
>
> Nameservers don't normally do other things on DNS lookups.
>
> Normally what one does is configure port forwarding in the NAT /
> open a hole in the firewall. Some NATs can update the DNS when
> their external address changes; otherwise you need a NAT that
> modifies DNS payloads and that is problematical in lots of ways.
>
> NATs really are not something anyone sane wants in their network.
> Anyone who says they do really doesn't understand IP security. They
> are a necessary evil with IPv4 as we long ago ran out of addresses
> to number every device uniquely.
>
> Mark
>
> In message <201511041050.51346.boobe...@rogers.com>, Bill writes:
> > See my last posting on what I am trying to achieve, I think in the
> > interest of brevity I may have overly simplified my goal.
> >
> > What I want is for the DNS query to automatically configure the NAT to
> > permit the outside connection. In other words it should, after the DNS
> > query, look as if the named device had initiated the connection from
> > inside that NAT. My last post explains the use case a bit better, I hope.
> >
> > /bill
Re: Adding DNS ALG support to Bind?
On 11/04/2015 08:45 AM, Bill wrote:
> You are correct, but in the use case I am looking at there is no Internet
> connection.

I think "other network(s)" can substitute "Internet" in this context.

> What I am trying to do is to be able to connect to a specific device, say a
> 'supervisor' by name. I don't know the IP, and their IP may change, or the
> supervisor might be a service that isn't always provided by the same device.
> The IP will change and the DNS will be updated as needed

It sounds like you want to connect to the "device that is currently hosting
a role" with the role holding device being dynamic on top of dynamic IPs.
Correct?

I'm going to assume that you have TTL taken into account.

> I don't want the device/user accessing the 'supervisor' to know the IP
> address, other than the gateway IP, I don't want them to be able to save an
> old IP. Also, I don't want anyone watching the network (it is wireless) to
> be able to see anything other than gateway addresses.

Outside the NAT, everything will probably look like it's coming from the
NAT's single external IP.

Inside the NAT, you will see traffic to / from the "supervising device" and
from / to an IP outside of the WLAN. - So, clever people can deduce what the
supervising device is from that.

Or were you going to do something (SNAT?) to hide the external IP?

> Basically, the device/user accessing the 'supervisor' should result in
> traffic thru the gateway/NAT that looks as if the supervisor initiated it,
> ie the supervisor has been natted, and the reply IP is the gateway.

I think I can guess what you mean, but I suspect that different network
people will interpret that statement differently. Especially when
considering external access into a NATed device.

> Not sure if I am going about this the right way, but that is my idea. I
> appreciate the comments I am receiving here, thanks.

I'm going to assume that we are discussing HTTP traffic for the time being.

I would run an HTTP reverse proxy that accepts the connection on the outside
of the NAT that would then proxy the traffic to the internal "supervisor"
host name. DNS would resolve the internal "supervisor" host name to whatever
device currently has the role and its associated IP. The reverse proxy would
then initiate traffic from its internal IP to the proper supervising device.
Thus the traffic would appear to be sent and received from addresses local
to the network.

I also have questions about the traffic from the other non-supervisory role
devices. ... However, we are getting FAR removed from DNS.

--
Grant. . . .
unix || die
Re: Adding DNS ALG support to Bind?
If you want this sort of behaviour you are going to have to pay
someone lots of money to add this sort of functionality to
a nameserver and then pay them more money to maintain it. This
sort of thing does not exist in normal nameservers.

Nameservers don't normally do other things on DNS lookups.

Normally what one does is configure port forwarding in the NAT /
open a hole in the firewall. Some NATs can update the DNS when
their external address changes; otherwise you need a NAT that
modifies DNS payloads and that is problematical in lots of ways.

NATs really are not something anyone sane wants in their network.
Anyone who says they do really doesn't understand IP security. They
are a necessary evil with IPv4 as we long ago ran out of addresses
to number every device uniquely.

Mark

In message <201511041050.51346.boobe...@rogers.com>, Bill writes:
> See my last posting on what I am trying to achieve, I think in the interest
> of brevity I may have overly simplified my goal.
>
> What I want is for the DNS query to automatically configure the NAT to permit
> the outside connection. In other words it should, after the DNS query, look
> as if the named device had initiated the connection from inside that NAT. My
> last post explains the use case a bit better, I hope.
>
> /bill
>
> On Monday 02 November 2015 21:48, Dave Warren wrote:
> > On 2015-11-02 15:03, Carl Byington wrote:
> > And? NAT != firewall. Your firewall would still need to be configured to
> > permit such a connection, and presumably your NAT environment would need
> > to be configured to allow it as well.
> >
> > If that's not desired, one would probably not enable this functionality.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Adding DNS ALG support to Bind?
See my last posting on what I am trying to achieve, I think in the interest of
brevity I may have overly simplified my goal.

What I want is for the DNS query to automatically configure the NAT to permit
the outside connection. In other words it should, after the DNS query, look
as if the named device had initiated the connection from inside that NAT. My
last post explains the use case a bit better, I hope.

/bill

On Monday 02 November 2015 21:48, Dave Warren wrote:
> On 2015-11-02 15:03, Carl Byington wrote:
> And? NAT != firewall. Your firewall would still need to be configured to
> permit such a connection, and presumably your NAT environment would need
> to be configured to allow it as well.
>
> If that's not desired, one would probably not enable this functionality.
Re: Adding DNS ALG support to Bind?
You are correct, but in the use case I am looking at there is no Internet
connection. There are a small number of mobile devices (5-15) behind a NAT
gateway with DNS. The gateway provides service to other small networks, but
there is nothing else connected, it is an isolated system.

What I am trying to do is to be able to connect to a specific device, say a
'supervisor' by name. I don't know the IP, and their IP may change, or the
supervisor might be a service that isn't always provided by the same device.
The IP will change and the DNS will be updated as needed.

I don't want the device/user accessing the 'supervisor' to know the IP
address, other than the gateway IP, I don't want them to be able to save an
old IP. Also, I don't want anyone watching the network (it is wireless) to
be able to see anything other than gateway addresses.

Basically, the device/user accessing the 'supervisor' should result in traffic
thru the gateway/NAT that looks as if the supervisor initiated it, ie the
supervisor has been natted, and the reply IP is the gateway.

Not sure if I am going about this the right way, but that is my idea. I
appreciate the comments I am receiving here, thanks.

/bill

On Monday 02 November 2015 18:03, Carl Byington wrote:
> On Fri, 2015-10-30 at 12:38 -0400, Bill wrote:
> > What I would like to do to have the ability to query a DNS server
> > located behind a NAT, and have it return the IP of the NAT, and setup
> > connection tracking in the NAT to pass traffic thru to the host behind
> > the NAT.
>
> I think that is a bad idea, even if you can get it implemented and
> working.
>
> If I know the names of your hosts (they will eventually be found via
> google or other searches), then I can remotely reconfigure your NAT
> device to allow my attack traffic thru - and all it takes is a simple
> UDP query to your dns server.
Re: Adding DNS ALG support to Bind?
On 2015-11-02 15:03, Carl Byington wrote:
> On Fri, 2015-10-30 at 12:38 -0400, Bill wrote:
> > What I would like to do to have the ability to query a DNS server
> > located behind a NAT, and have it return the IP of the NAT, and setup
> > connection tracking in the NAT to pass traffic thru to the host behind
> > the NAT.
>
> I think that is a bad idea, even if you can get it implemented and
> working.
>
> If I know the names of your hosts (they will eventually be found via
> google or other searches), then I can remotely reconfigure your NAT
> device to allow my attack traffic thru - and all it takes is a simple
> UDP query to your dns server.

And? NAT != firewall. Your firewall would still need to be configured to
permit such a connection, and presumably your NAT environment would need
to be configured to allow it as well.

If that's not desired, one would probably not enable this functionality.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: Adding DNS ALG support to Bind?
On Fri, 2015-10-30 at 12:38 -0400, Bill wrote:
> What I would like to do to have the ability to query a DNS server
> located behind a NAT, and have it return the IP of the NAT, and setup
> connection tracking in the NAT to pass traffic thru to the host behind
> the NAT.

I think that is a bad idea, even if you can get it implemented and
working.

If I know the names of your hosts (they will eventually be found via
google or other searches), then I can remotely reconfigure your NAT
device to allow my attack traffic thru - and all it takes is a simple
UDP query to your dns server.
Re: Adding DNS ALG support to Bind?
I was thinking of doing the DNS and the NAT on the same device, then (I
assume) the DNS could use connection tracking hooks to add 'expectations' to
the NAT. Anyhow, that was what I was hoping, but I've not been able to find
out much about anyone having done such a thing, so I might be dreaming.

/bill

On Sunday 01 November 2015 07:13, Reindl Harald wrote:
> the DNS-ALG can't be handled on the nameserver itself, it does not know
> anything about the NAT, the device doing the NAT knows
>
> hence the implementation is typically on the edge router
>
> On 30.10.2015 at 17:38, Bill wrote:
> > Thanks for your remarks. What I am actually looking at is research in
> > mobile networks where I'd like devices that may or may not be connected
> > to be accessible by name. The devices might have different IP addresses
> > when they connect and I don't want any connection to them to be able to
> > keep an old IP, or even know what their IP address is. By that I mean
> > they should appear as if they initiated the connection from behind the
> > NAT.
> >
> > I picked up on the DNS-ALG spec as possibly addressing part of this and
> > hoped if there was an implementation I'd start with it. If there isn't
> > anything to help, then I will have to look into implementing my own
> > reversible NAT, using IPtables, NAT, connection tracking and whatever
> > else I find useful.
> >
> > On Saturday 24 October 2015 17:06, Reindl Harald wrote:
> > > you *really* do not want that
> > >
> > > have been punished more than one time by cisco routers having that crap
> > > enabled and breaking DNS in various ways including mangle zone transfers
> > > and set the TTL of every CNAME to 0 instead leave it untouched or just
> > > break zone transfers silently at all
> > >
> > > setup internal and external DNS servers and keep in mind with DNSSEC
> > > that would not really work likely anyways
> > >
> > > On 24.10.2015 at 22:49, Bill wrote:
> > > > I was wondering if anyone has looked at or is in the process of adding
> > > > DNS ALG support, or something similar, to bind?
> > > >
> > > > https://tools.ietf.org/html/rfc2694
> > > >
> > > > What I would like to do to have the ability to query a DNS server
> > > > located behind a NAT, and have it return the IP of the NAT, and setup
> > > > connection tracking in the NAT to pass traffic thru to the host behind
> > > > the NAT. The effect of this is to have a reversible NAT, ie one that
> > > > provides access to hosts behind the NAT, not by their IP, but by their
> > > > hostname.
> > > >
> > > > (There are other things in DNS ALG, but I am really interested only in
> > > > the reversible NAT aspect.)
> > > >
> > > > Implementing this seems to need the DNS server (bind in this case), to
> > > > configure the NAT using the 'expect' feature of connection tracking.
> > > > This would permit the following packets to traverse the NAT to the
> > > > host, provided of course they meet the expectation (source, protocol,
> > > > etc).
> > > >
> > > > I'd like to know if anyone has looked at this, is implementing it, or
> > > > knows of any implementations. I have looked into it but have only seen
> > > > enterprise implementations (Cisco & Juniper), but nothing open-source
Re: Adding DNS ALG support to Bind?
the DNS-ALG can't be handled on the nameserver itself, it does not know
anything about the NAT, the device doing the NAT knows

hence the implementation is typically on the edge router

On 30.10.2015 at 17:38, Bill wrote:
> Thanks for your remarks. What I am actually looking at is research in
> mobile networks where I'd like devices that may or may not be connected
> to be accessible by name. The devices might have different IP addresses
> when they connect and I don't want any connection to them to be able to
> keep an old IP, or even know what their IP address is. By that I mean
> they should appear as if they initiated the connection from behind the
> NAT.
>
> I picked up on the DNS-ALG spec as possibly addressing part of this and
> hoped if there was an implementation I'd start with it. If there isn't
> anything to help, then I will have to look into implementing my own
> reversible NAT, using IPtables, NAT, connection tracking and whatever
> else I find useful.
>
> On Saturday 24 October 2015 17:06, Reindl Harald wrote:
> > you *really* do not want that
> >
> > have been punished more than one time by cisco routers having that crap
> > enabled and breaking DNS in various ways including mangle zone transfers
> > and set the TTL of every CNAME to 0 instead leave it untouched or just
> > break zone transfers silently at all
> >
> > setup internal and external DNS servers and keep in mind with DNSSEC
> > that would not really work likely anyways
> >
> > On 24.10.2015 at 22:49, Bill wrote:
> > > I was wondering if anyone has looked at or is in the process of adding
> > > DNS ALG support, or something similar, to bind?
> > >
> > > https://tools.ietf.org/html/rfc2694
> > >
> > > What I would like to do to have the ability to query a DNS server
> > > located behind a NAT, and have it return the IP of the NAT, and setup
> > > connection tracking in the NAT to pass traffic thru to the host behind
> > > the NAT. The effect of this is to have a reversible NAT, ie one that
> > > provides access to hosts behind the NAT, not by their IP, but by their
> > > hostname.
> > >
> > > (There are other things in DNS ALG, but I am really interested only in
> > > the reversible NAT aspect.)
> > >
> > > Implementing this seems to need the DNS server (bind in this case), to
> > > configure the NAT using the 'expect' feature of connection tracking.
> > > This would permit the following packets to traverse the NAT to the
> > > host, provided of course they meet the expectation (source, protocol,
> > > etc).
> > >
> > > I'd like to know if anyone has looked at this, is implementing it, or
> > > knows of any implementations. I have looked into it but have only seen
> > > enterprise implementations (Cisco & Juniper), but nothing open-source
Re: Adding DNS ALG support to Bind?
Yes, I am also looking at tools to update DNS when IP address changes.

/bill

On Saturday 24 October 2015 17:35, Mark Andrews wrote:
> Get yourself IPv6 and forget about the NAT. Complain to your ISP
> if they don't supply IPv6. They should be able to as they have had
> two decades to prepare for the fact the IPv4 addresses have run
> out. That way you don't have to worry about different internal and
> external addresses.
>
> Even routers that dynamically update the DNS when they get a new
> address are starting to no longer work as ISP's introduce Carrier
> Grade NATs (CGN) as they have run out of addresses to even give
> customers unshared IPv4 addresses.
>
> If you really want to track external addresses use a tool outside
> of named and have it dynamically update the address in the DNS when
> it changes.
>
> Mark
>
> In message <201510241649.33628.boobe...@rogers.com>, Bill writes:
> > I was wondering if anyone has looked at or is in the process of adding
> > DNS ALG support, or something similar, to bind?
> >
> > https://tools.ietf.org/html/rfc2694
> >
> > What I would like to do to have the ability to query a DNS server located
> > behind a NAT, and have it return the IP of the NAT, and setup connection
> > tracking in the NAT to pass traffic thru to the host behind the NAT. The
> > effect of this is to have a reversible NAT, ie one that provides access
> > to hosts behind the NAT, not by their IP, but by their hostname.
> >
> > (There are other things in DNS ALG, but I am really interested only in
> > the reversible NAT aspect.)
> >
> > Implementing this seems to need the DNS server (bind in this case), to
> > configure the NAT using the 'expect' feature of connection tracking.
> > This would permit the following packets to traverse the NAT to the host,
> > provided of course they meet the expectation (source, protocol, etc).
> >
> > I'd like to know if anyone has looked at this, is implementing it, or
> > knows of any implementations. I have looked into it but have only seen
> > enterprise implementations (Cisco & Juniper), but nothing open-source.
> >
> > /bill
Re: Adding DNS ALG support to Bind?
Thanks for your remarks. What I am actually looking at is research in mobile networks where I'd like devices that may or may not be connected to be accessible by name. The devices might have different IP addresses when they connect, and I don't want any connection to them to be able to keep an old IP, or even know what their IP address is. By that I mean they should appear as if they initiated the connection from behind the NAT.

I picked up on the DNS-ALG spec as possibly addressing part of this and hoped that if there was an implementation I'd start with it. If there isn't anything to help, then I will have to look into implementing my own reversible NAT, using iptables, NAT, connection tracking and whatever else I find useful.

/bill

On Saturday 24 October 2015 17:06, Reindl Harald wrote:
> you *really* do not want that
>
> have been punished more than one time by cisco routers having that crap
> enabled and breaking DNS in various ways including mangling zone transfers
> and setting the TTL of every CNAME to 0 instead of leaving it untouched, or just
> breaking zone transfers silently altogether
>
> set up internal and external DNS servers and keep in mind that with DNSSEC
> that would likely not really work anyway
>
> Am 24.10.2015 um 22:49 schrieb Bill:
> > I was wondering if anyone has looked at or is in the process of adding
> > DNS ALG support, or something similar, to bind?
> >
> > https://tools.ietf.org/html/rfc2694
> >
> > What I would like to do is to have the ability to query a DNS server located
> > behind a NAT, have it return the IP of the NAT, and set up connection
> > tracking in the NAT to pass traffic through to the host behind the NAT. The
> > effect of this is to have a reversible NAT, i.e. one that provides access
> > to hosts behind the NAT, not by their IP, but by their hostname.
> >
> > (There are other things in DNS ALG, but I am really interested only in
> > the reversible NAT aspect.)
> >
> > Implementing this seems to need the DNS server (bind in this case) to
> > configure the NAT using the 'expect' feature of connection tracking.
> > This would permit the following packets to traverse the NAT to the host,
> > provided of course they meet the expectation (source, protocol, etc).
> >
> > I'd like to know if anyone has looked at this, is implementing it, or
> > knows of any implementations. I have looked into it but have only seen
> > enterprise implementations (Cisco & Juniper), but nothing open-source.
Re: Adding DNS ALG support to Bind?
Get yourself IPv6 and forget about the NAT. Complain to your ISP if they don't supply IPv6. They should be able to as they have had two decades to prepare for the fact that the IPv4 addresses have run out. That way you don't have to worry about different internal and external addresses.

Even routers that dynamically update the DNS when they get a new address are starting to no longer work as ISPs introduce Carrier Grade NATs (CGN) as they have run out of addresses to even give customers an unshared IPv4 address.

If you really want to track external addresses use a tool outside of named and have it dynamically update the address in the DNS when it changes.

Mark

In message <201510241649.33628.boobe...@rogers.com>, Bill writes:
> I was wondering if anyone has looked at or is in the process of adding DNS
> ALG support, or something similar, to bind?
>
> https://tools.ietf.org/html/rfc2694
>
> What I would like to do is to have the ability to query a DNS server located
> behind a NAT, have it return the IP of the NAT, and set up connection
> tracking in the NAT to pass traffic through to the host behind the NAT. The
> effect of this is to have a reversible NAT, i.e. one that provides access to
> hosts behind the NAT, not by their IP, but by their hostname.
>
> (There are other things in DNS ALG, but I am really interested only in the
> reversible NAT aspect.)
>
> Implementing this seems to need the DNS server (bind in this case) to
> configure the NAT using the 'expect' feature of connection tracking. This
> would permit the following packets to traverse the NAT to the host, provided
> of course they meet the expectation (source, protocol, etc).
>
> I'd like to know if anyone has looked at this, is implementing it, or knows
> of any implementations. I have looked into it but have only seen enterprise
> implementations (Cisco & Juniper), but nothing open-source.
>
> /bill

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: ma...@isc.org
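The "tool outside of named" Mark describes, as an added example that is not code from the thread or from ISC: it builds an nsupdate batch for a host's A record only when the observed address differs from the one already published, and guards the update with a prerequisite so a stale updater cannot clobber a newer record. Hostnames, the zone, the TTL, the TSIG key path and the way the current address is obtained are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an nsupdate batch that is
# only non-empty when the address actually changed. HOST is an FQDN
# without a trailing dot; names and the key path below are assumptions.

TTL=120

# is_ipv4 ADDR: accept only a dotted quad before it reaches nsupdate, so a
# garbled or hostile "address" string cannot smuggle extra update commands.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# build_update HOST ZONE SERVER NEW_ADDR PUBLISHED_ADDR
# Prints the nsupdate batch; prints nothing when no change is needed.
build_update() {
    host=$1; zone=$2; server=$3; new=$4; published=$5
    is_ipv4 "$new" || { echo "refusing bad address: $new" >&2; return 1; }
    [ "$new" = "$published" ] && return 0
    printf 'server %s\nzone %s\n' "$server" "$zone"
    # Prerequisite: the published RRset must still be what we last saw, so
    # two updaters running concurrently cannot silently overwrite each other.
    if [ -n "$published" ]; then
        printf 'prereq yxrrset %s. A %s\n' "$host" "$published"
    fi
    printf 'update delete %s. A\n' "$host"
    printf 'update add %s. %s IN A %s\nsend\n' "$host" "$TTL" "$new"
}

# Live use (assumed names): ask the zone's primary for the current record,
# take the first global IPv4 address on this box as the new value, and sign
# the batch with a TSIG key file (nsupdate -k). Adapt the address source for
# a router that learns its external address from the WAN interface.
run_live() {
    host=$1; zone=$2; keyfile=$3
    server=$(dig +short SOA "$zone" | awk '{print $1}')
    published=$(dig +short "$host" A @"$server")
    new=$(ip -4 -o addr show scope global | awk '{print $4}' | cut -d/ -f1 | head -n1)
    build_update "$host" "$zone" "$server" "$new" "$published" | nsupdate -k "$keyfile"
}
```

If the prerequisite fails, nsupdate reports NXRRSET or YXRRSET rather than applying the change, which is the signal to re-read the published record and try again.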
Re: Adding DNS ALG support to Bind?
you *really* do not want that

have been punished more than one time by cisco routers having that crap enabled and breaking DNS in various ways including mangling zone transfers and setting the TTL of every CNAME to 0 instead of leaving it untouched, or just breaking zone transfers silently altogether

set up internal and external DNS servers and keep in mind that with DNSSEC that would likely not really work anyway

Am 24.10.2015 um 22:49 schrieb Bill:
> I was wondering if anyone has looked at or is in the process of adding DNS
> ALG support, or something similar, to bind?
>
> https://tools.ietf.org/html/rfc2694
>
> What I would like to do is to have the ability to query a DNS server located
> behind a NAT, have it return the IP of the NAT, and set up connection
> tracking in the NAT to pass traffic through to the host behind the NAT. The
> effect of this is to have a reversible NAT, i.e. one that provides access to
> hosts behind the NAT, not by their IP, but by their hostname.
>
> (There are other things in DNS ALG, but I am really interested only in the
> reversible NAT aspect.)
>
> Implementing this seems to need the DNS server (bind in this case) to
> configure the NAT using the 'expect' feature of connection tracking. This
> would permit the following packets to traverse the NAT to the host, provided
> of course they meet the expectation (source, protocol, etc).
>
> I'd like to know if anyone has looked at this, is implementing it, or knows
> of any implementations. I have looked into it but have only seen enterprise
> implementations (Cisco & Juniper), but nothing open-source.
Adding DNS ALG support to Bind?
I was wondering if anyone has looked at or is in the process of adding DNS ALG support, or something similar, to bind?

https://tools.ietf.org/html/rfc2694

What I would like to do is to have the ability to query a DNS server located behind a NAT, have it return the IP of the NAT, and set up connection tracking in the NAT to pass traffic through to the host behind the NAT. The effect of this is to have a reversible NAT, i.e. one that provides access to hosts behind the NAT, not by their IP, but by their hostname.

(There are other things in DNS ALG, but I am really interested only in the reversible NAT aspect.)

Implementing this seems to need the DNS server (bind in this case) to configure the NAT using the 'expect' feature of connection tracking. This would permit the following packets to traverse the NAT to the host, provided of course they meet the expectation (source, protocol, etc).

I'd like to know if anyone has looked at this, is implementing it, or knows of any implementations. I have looked into it but have only seen enterprise implementations (Cisco & Juniper), but nothing open-source.

/bill