[Soekris] DNS Non-delegated local domain behind NATed firewall
Bill Maas
bill at stsx.org
Fri Oct 20 16:34:16 UTC 2006
Hello,

This is actually a DNS, not a Soekris question, but it applies to the
setup on my Soekris Net4801, and I guess I'm not the only Soekris owner
who has asked h{im,er}self this question:

Is there a clear policy for naming private networks behind a NATing
firewall?

To be more precise: suppose my external host name is me.isp.com, and my
soekris box is behind a NATing router with ports forwarded to the
Soekris. It seems I can do 2 things:

(1) put the Soekris box onto local.domain, and either forge the DNS zone
info for local.domain., or don't use DNS at all and rely on /etc/hosts
for internal and /etc/resolv.conf for external addresses.

(2) the other option, assuming I don't want to contact my ISP for domain
delegation, is to "claim" mysubdomain.isp.com, declare it a
non-delegated isp.com subdomain, and make my DNS server locally
authoritative for that domain. In principle, this domain won't be
visible from the outside world, that's as long as I would not make any
config errors. If I do, then my ISP's DNS admin might get annoyed. It
appears to be the more risky option.

Is there any clear policy or guideline on this topic? I've looked for an
RFC about this subject, but there doesn't seem to be one. What is the
safest option for domain naming behind a NAT box?

Bill Maas
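
Option (2) above written out as a configuration, added here as an example and not part of the original post. It assumes BIND 9 as the DNS server; the LAN range, server address, forwarder address and file paths are constructed placeholders.

```bind
// named.conf sketch for a locally authoritative, non-delegated zone.
// Constructed values: 192.168.1.0/24 is the assumed LAN, 192.168.1.1 the
// DNS server's internal address, 192.0.2.53 stands in for the ISP resolver.
acl "lan" { 127.0.0.1; 192.168.1.0/24; };

options {
    directory "/var/named";                  // assumed path

    // Listen only on loopback and the internal address.
    listen-on { 127.0.0.1; 192.168.1.1; };
    listen-on-v6 { none; };

    // Answer and recurse only for sources in the "lan" ACL; queries from
    // any other source address are refused.
    allow-query { "lan"; };
    allow-recursion { "lan"; };

    // Never transfer the zone to anyone and never send NOTIFY messages.
    allow-transfer { none; };
    notify no;

    // Names outside the local zone are forwarded to the ISP resolver.
    forwarders { 192.0.2.53; };
};

// No NS record for this name exists in isp.com, so only clients that
// query this server directly ever see its contents. It also shadows any
// real mysubdomain.isp.com for those clients.
zone "mysubdomain.isp.com" {
    type master;
    file "db.mysubdomain.isp.com";           // assumed file name
};
```

The settings that keep the zone local are the `allow-query`, `allow-transfer` and `notify` lines; the configuration errors mentioned in option (2) would be changes that loosen any of them or forward port 53 from the router to this host without the ACL in place.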