[svlug] DNS behind a NAT firewall

Alvin Oga alvin at planet.fef.com
Tue Jul 3 05:40:01 PDT 2001

hi ya steve

if you have dynamic ip# assigned to you when you.. you're up
the creek  ( you're making things 100x harder to do )...

if you want your a.com and b.com and c.com to be visible
24x7.. you need static ip# ..
	but then again, there's some new sw that's supposed to
	be able to find the dynamic ip# of sites that come online
	when the servers are powered up on the dynamic dsl lines

- guess that's what makes colo's useful... static ip# on 24x7
  for dhcp dsl connections

- am assuming your "multi-lan" behind the firewalls means
  that you have a DMZ and you have your local private lan
  and the connection to the net .. ( the machine(fw) has 3 nics ?? )
	- if it's not... it should be configured that way...

- to run your domain "system.dsl.com" requires you to register
  your domain name ... ( primary and secondary dns that is
  on a dns server that is available 24x7...
	- whether you should run local dns for your private lan
	is another separate issue ( imho, you should )

- if you dont have a domain name registered yet.. all this is
  pointless ....

- if you want to create www.a.com and www.b.com and www.c.com
  on your dhcp based dynamic ip# dsl....
	- give it up !! ( with all seriousness )

	- or dig and play with the new dynamic ip# for 24x7 servers
	and have lots of coke/coffee and lots of books and time

	easiest/trivial solutions are..
	- get static ip# based dsl
	- or get a colo to host your servers

	each domain is about an hour's worth of setup work to get working...

- you only need one box for ALL your domains, a.com, b.com, c.com
  depending on load and what you are trying to do...

- you could ( much easier ) forward all incoming connections
  for a.com to go to machine_a..... and all incoming connections to b.com
  to go to machine_b... 
	- even better....
	forward all web for all domains to the webserver
	and forward all smtp for all domains to the mail server
	and forward all foo traffic for all domains to the foo server

- configuring your NAT and firewall is not a project for the inexperienced
  unless one enjoys learning and lots of hair pulling and cussing and
	- if for a client/customer... get them to get static ip# dsl lines
	if they don't want a t1/t3...

- this can be a fun project to do.. but...

- yup... i dunno what it is you are trying to do... so am just rambling
  and adding to robert and JC's comments ... its 5:30am... am goofing off...

have fun linuxing
http://www.Linux-Sec.net ...

> Robert Hajime Lanning wrote:
> You don't point DNS to the hidden address behind the firewall.
> You have one (1) address that others can see.  No-one outside of the
> firewall can see the internal addresses.
> So what you have to do to provide http, smtp and/or ftp services to
> the internet is via proxying or port forwarding.
> Basically you have the firewall take an incoming connection and forward
> it to an internal machine.  You can only have one service per port
> and each port can only be pointed to one machine (unless you just want
> to load share across similarly configured machines.)
> So if you wanted to do http to machine A behind the firewall you can
> set up port 80 (the http port) to forward to port 80 of machine A.  If
> you want to also access machine B via http, then you would have to
> set up another port (eg. 81) to forward to port 80 of machine B.
> Then to get to machine B you would use "http://external.domain:81/".
> Since you have only one address, the only way to do multiple domains
> is to do what is called "virtual hosting".
> For HTTP (web), virtual hosting is fairly simple.  The apache webserver
> has this capability standard.
> For SMTP (email), you have to configure your message transport agent (MTA)
> to accept email for multiple domains. (This is usually a sendmail
> configuration change.)
> For FTP, you just have multiple subdirectories.
> ---- As written by Steve Hill:
> > 
> > I am running a multi-unit LAN behind a firewall, connected to a "single"
> > static IP address issued by my DSL provider.  I am having a "thinko"
> > trying to figure out how I can name a unit behind the firewall, such
> > that it can be seen by the internet.  i.e., how do I get a name like
> > system.dsl.com or how do I link my domainname to my IP address?  I don't
> > need a cookie-cutter solution, but I need a couple of pointers that I
> > can follow to solve my problem.
> > 
> > Ultimately, I'd like to maintain my own mail and web servers behind the
> > firewall.
> > 
> > Thanks,
> >   Steve
> > 
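
An added example (not from the thread or any of its posters) of the port-forwarding setup Robert and Alvin describe: a short shell script that turns a table of "public port -> DMZ host" mappings into the iptables DNAT/FORWARD rules for a three-NIC firewall (outside, DMZ, private LAN), and refuses a table that maps one public port to two hosts, which is the constraint Robert states. The interface names eth0/eth1, the public address 203.0.113.5 and the 10.0.1.x DMZ hosts are assumed for illustration. The A records for a.com, b.com and c.com would all point at the one public address; HTTP for several domains is then split by Apache name-based virtual hosting on the web server, so the port-81 entry is only needed when a second web server must be reachable by port, as in Robert's "http://external.domain:81/" example.

```shell
#!/bin/sh
# Added example, not code from the svlug thread: generate the iptables rules
# for the 3-NIC firewall layout discussed above (one public static IP, a DMZ
# segment, a private LAN). Interface names, addresses and the forwarding
# table below are constructed for illustration.

WAN_IF=eth0                 # assumed: NIC facing the DSL line
DMZ_IF=eth1                 # assumed: NIC facing the DMZ with the servers
PUBLIC_IP=203.0.113.5       # assumed public address (RFC 5737 documentation range)

# Forwarding table, one entry per line: "proto public_port dmz_host dmz_port".
# A public port can be steered to exactly one DMZ host, so a second web
# server reachable as http://external.domain:81/ needs its own public port.
FORWARDS='
tcp 80 10.0.1.10 80
tcp 443 10.0.1.10 443
tcp 81 10.0.1.11 80
tcp 25 10.0.1.20 25
'

# check_forwards TABLE: print every "proto/port" that the table maps more
# than once and return 1; return 0 (printing nothing) if the table is consistent.
check_forwards() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        NF == 4 { key = $1 "/" $2; if (seen[key]++) { print key; bad = 1 } }
        END { exit bad }'
}

# emit_base: default-deny forwarding, allow replies, let inside hosts open
# connections outward, and source-NAT them to the single public address.
emit_base() {
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "iptables -A FORWARD -o $WAN_IF -m state --state NEW -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $PUBLIC_IP"
}

# emit_rules TABLE: for each entry, a DNAT rule that rewrites the public
# destination to the DMZ host, plus a FORWARD rule that admits only that
# rewritten traffic from the outside interface to the DMZ interface.
emit_rules() {
    printf '%s\n' "$1" | while read -r proto port host iport; do
        if [ -z "$proto" ]; then continue; fi
        printf 'iptables -t nat -A PREROUTING -i %s -p %s -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$WAN_IF" "$proto" "$PUBLIC_IP" "$port" "$host" "$iport"
        printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
            "$WAN_IF" "$DMZ_IF" "$proto" "$host" "$iport"
    done
}

# Validate first; a duplicate public port would silently shadow one server.
# Pipe the output into sh as root on the firewall to apply it.
check_forwards "$FORWARDS" || { echo 'error: public port mapped twice' >&2; exit 1; }
emit_base
emit_rules "$FORWARDS"
```

Run it as-is to review the rule set; pipe it into sh as root on the firewall to apply. Because the FORWARD policy is DROP, DMZ hosts are reachable from outside only on the listed ports, and everything behind the firewall shares the one public address on the way out. Adding a second "tcp 80 ..." line makes check_forwards print "tcp/80" and the script stops instead of emitting a ruleset where the first DNAT rule wins and the second server is never reached.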
