Re: DNS and NAT

From: /dev/rob0 <rob0@xxxxxxxxx>
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: DNS and NAT
Date: Mon, 11 Jul 2005 16:25:20 -0500

Please don't top-post. Thank you.

Suzana Lojic-Skoric wrote:
> OK, thanks. I was not sure what the proper behavior is regarding
> iptables and DNS.

The usual situation is that clients are NAT'ed out, like what you're describing.

> If the answer is not translated, then how do I get DNS to work with two-way NAT?

What does not work? Two-way NAT is fine. You go on to say you're not really talking about two-way NAT:

> My internal network does not understand any of the IP addresses that belong to the outside. So if a request for a page that is sent from the internal network comes back from outside with an answer (IP address) that is not getting translated, then I can't resolve the page, since my internal network doesn't understand it and can't route to it.

Clients need to have a default route through the NAT gateway, which does SNAT or MASQUERADE. How is it two-way if the clients can't route out?

> I have an internal network that has one set of addresses and an outside network that has a different set of addresses. I am using NAT for the sole purpose of translation. Both the inside and the outside network have DNS servers, mail servers, ... Both networks need to talk to each other, send mail and request web pages... I have control of the inside network but not the outside network.

> When a client from outside sends a DNS query to the inside network, I guess I can implement split DNS as Jason Opperisano suggested and get it working that way. The outside world will get the web page from the external view and will have an answer with the global outside address; the inside world will get an answer from the internal view with the inside global IP.

> The problem is I don't understand how it is supposed to work when the client is inside and sending a request for a page whose server happens to be outside... I have a default route through the NAT, so when a client on the inside network sends a DNS query it goes out through the NAT; in my case both source and destination get translated and the query is forwarded to the outside DNS server. (I have to translate the destination as well, because the clients on the internal network send the request to an internal DNS server with the internal IP address as destination. So the request gets forwarded to the outside world through the NAT and is both SNAT-ed and DNAT-ed.) When the answer comes back to the NAT, the outside source and destination IPs get translated back to the internal addresses, but the actual IP that resolves the requested page is embedded in the message, and it does not get translated (it is the outside IP). When the client gets the answer, it processes it, gets the outside IP from the message and tries to talk to it. But this is an outside IP and inside clients can't route to it.

> I am trying to understand how this is supposed to work. I can't quite use the wisdom from masquerade, because masquerade is simpler: masqueraded messages are only SNAT-ed, meaning only the source address is translated, and when the reply comes back it is then DNAT-ed to the internal network, meaning the destination is translated so the message can find your machine. But you don't care that google.com resolved as 216.239.39.99, because your NAT is one-way NAT, in that you can talk to 216.239.39.99. In my case, I have to translate the 216.239.39.99 to something else (for example 10.1.1.1) so that the inside network can talk to it. And then on the exit through the NAT 10.1.1.1 will be translated back to 216.239.39.99. The problem is I have no way of translating the 216.239.39.99 to 10.1.1.1, because iptables NAT does not inspect the payload of the DNS answer and does not translate it. ... and this is how iptables is supposed to work.

> I have both DNAT and SNAT happening both ways, when the message goes out and when it comes back in. All messages on the inside network must have both source and destination from the inside IP address range. Also I can't advertise my inside addresses to the outside world.

> Is there a way around this problem? How do I get DNS to work in the type of environment I described?

If you don't want to allow NAT clients out for some reason, you might check into running proxy servers, such as squid for HTTP/FTP. Only the services you are proxying can be used by internal clients. SOCKS proxy servers can handle multiple protocols, but I don't know anything more about it than just that fact.

Proxy servers are a good choice in some circumstances; you maintain maximum control over what clients can and cannot do (unless users have shell access to the proxy server, perhaps.) But proxying is far more resource-intensive than NAT.
--
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
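The exchange above turns on one fact: the iptables nat table rewrites IP-header addresses only, so the A record inside a DNS reply keeps whatever address the outside server put there, and the fix Jason Opperisano suggested is split DNS, where the server chooses the answer by which side the client is on. The following Python script is added here as an illustration; it is not part of the thread or of the netfilter project. It builds a minimal DNS A-record response, passes it through a model of header-only NAT, and shows the payload address untouched, then implements a two-view lookup the way a split-horizon server would. The addresses 216.239.39.99 and 10.1.1.1 are the poster's own examples; the inside network 10.0.0.0/8, the resolver and client addresses, and the zone contents are constructed assumptions.

```python
import ipaddress
import struct

# Constructed topology (assumption, not from the thread): inside clients live in
# 10.0.0.0/8; 203.0.113.7 is the public address the gateway SNATs them to;
# 198.51.100.53 is an outside resolver; 10.0.0.53 is the inside resolver whose
# address the gateway DNATs to the outside one.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")
CLIENT_INSIDE, CLIENT_OUTSIDE = "10.0.0.7", "203.0.113.7"
DNS_INSIDE, DNS_OUTSIDE = "10.0.0.53", "198.51.100.53"

# Constructed zone with two views, reusing the two example addresses from the thread.
ZONE = {"www.example.com": {"internal": "10.1.1.1", "external": "216.239.39.99"}}


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression pointers)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed label sequence; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), off


def build_a_response(txid, name, ip, ttl=300):
    """Build a minimal DNS response: one question, one A record answer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # type A, class IN
    rdata = ipaddress.IPv4Address(ip).packed
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_a_response(msg):
    """Return (txid, qname, answer IP) from a response built by build_a_response."""
    txid = struct.unpack_from("!H", msg, 0)[0]
    qname, off = decode_name(msg, 12)        # skip the 12-byte header
    off += 4                                  # qtype + qclass
    _, off = decode_name(msg, off)            # answer owner name
    rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    if (rtype, rclass, rdlen) != (1, 1, 4):
        raise ValueError("expected a single IN A record")
    return txid, qname, str(ipaddress.IPv4Address(msg[off:off + rdlen]))


def nat_headers(pkt, mapping):
    """Model of the iptables nat table on the return path: only the IP header
    addresses are rewritten; the UDP payload goes through byte for byte."""
    return {"src": mapping.get(pkt["src"], pkt["src"]),
            "dst": mapping.get(pkt["dst"], pkt["dst"]),
            "payload": pkt["payload"]}


def demo_header_only_nat():
    """Reply from the outside resolver, translated back by the gateway.
    Returns (src, dst, A record) exactly as the inside client sees them."""
    reply = {"src": DNS_OUTSIDE, "dst": CLIENT_OUTSIDE,
             "payload": build_a_response(0x1234, "www.example.com", "216.239.39.99")}
    reverse_map = {DNS_OUTSIDE: DNS_INSIDE, CLIENT_OUTSIDE: CLIENT_INSIDE}
    seen = nat_headers(reply, reverse_map)
    return seen["src"], seen["dst"], parse_a_response(seen["payload"])[2]


def split_view_answer(name, client_ip):
    """Split-horizon lookup: inside clients get the internal view, others the external."""
    view = "internal" if ipaddress.ip_address(client_ip) in INSIDE_NET else "external"
    return ZONE[name][view]


if __name__ == "__main__":
    src, dst, rr = demo_header_only_nat()
    print(f"after header NAT: {src} -> {dst}, A record still {rr}")
    for client in (CLIENT_INSIDE, "203.0.113.9"):
        print(f"split DNS answer for {client}: {split_view_answer('www.example.com', client)}")
```

Running it shows the reply's source and destination mapped back to inside addresses while the A record still carries 216.239.39.99, which is exactly the situation the poster describes; the split-view lookup is what lets an inside client receive 10.1.1.1 for the same name without any payload rewriting on the gateway.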

