Running internal stuff over NAT and the firewall is bad practice and should be avoided, as it uselessly loads the firewall, increases the complexity of the rules and creates bottlenecks on a fast network backbone.

You might be correct for home systems, where running over your firewall and NAT for every internal request increases the hop count by one at most. But if you have, say, a building with 1200 people using a 1 Gbit+ network and you have to route them to your 100 Mbit firewall for all internal requests, it would just generate useless traffic on many, many devices, slowing down the backbone... I know it's pretty dumb to say that on a DNS mailing list, but compared to significantly slowing down the network I could not care less about DNSSEC.

Also, broken DNSSEC may never lead to clients not resolving the name without asking the user first. "Oh well, the cache is poisoned, let's just not resolve the name and don't give the user the possibility to use this (maybe valid) resolved addr" ... nice denial of service scenario ;) And users getting a warning when accessing the internal pages... they would learn to accept that.

    iptables -t nat -A PREROUTING -i eth1 -d 245.243.3.5 -j DNAT --to 192.168.0.5

where eth1 = WAN. You do *not* want "anyone <-> anywhere" scenarios - that is the first step to having an insecure network ;)

So again the question is: is there a way to do DNS doctoring with bind only?

Greets
~Jan

-----Original Message-----
From: bind-users-bounces+someone=jvales....@lists.isc.org [mailto:bind-users-bounces+someone=jvales....@lists.isc.org] On Behalf Of Phil Mayers
Sent: Monday, 17 January 2011 12:17
To: bind-users@lists.isc.org
Subject: Re: Dns doctoring/dnsmasq -V on bind?

On 17/01/11 00:23, someone wrote:
>
> If you have any ideas how to do dns doctoring with bind9 (or
> netfilter) please give me some hints ;)

Have you considered that this will break DNSSEC, and as time goes by, may not work at all (if clients become full validating DNSSEC resolvers)?

I'm a little curious why you don't leave the DNS responses unchanged, and instead NAT the actual IP traffic, which would surely have the same effect, i.e.
    iptables -t nat -A PREROUTING -d 245.243.3.5 -j DNAT --to 192.168.0.5

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
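The bind-only way to do what the thread asks for is split-horizon DNS with views: BIND serves two copies of the same zone, so nothing is rewritten on the wire and the firewall only ever DNATs traffic arriving from the Internet. This is an added example, not configuration from either poster; the zone name example.com, the host www, the 192.168.0.0/24 prefix and the ns1 addresses are assumptions, and the two host addresses are the ones quoted in the thread.

```conf
// named.conf (added example): two views of one zone. Internal clients get
// the LAN address, everyone else the public one, so no DNS answer is
// doctored and internal traffic never hairpins through the firewall.

acl "internal-nets" { 192.168.0.0/24; localhost; };   // assumed LAN prefix

view "internal" {
    match-clients { "internal-nets"; };   // evaluated first: LAN hosts land here
    recursion yes;                        // this view also resolves for the LAN
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };               // everything not matched above
    recursion no;                         // authoritative only towards the Internet
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.external";
    };
};

; /etc/bind/db.example.com.internal (zone files use ';' for comments)
; If the zone is DNSSEC-signed, sign both copies with the same key pair so
; the DS record in the parent validates from either view.
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2011011701 3600 900 1209600 300 )   ; constructed serial
        IN NS   ns1.example.com.
ns1     IN A    192.168.0.2          ; assumed LAN address of this server
www     IN A    192.168.0.5          ; LAN address of the web server

; /etc/bind/db.example.com.external
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2011011701 3600 900 1209600 300 )
        IN NS   ns1.example.com.
ns1     IN A    245.243.3.2          ; assumed public address of this server
www     IN A    245.243.3.5          ; public address, DNATed by the firewall
```

Verify from a host on each side with `dig @ns1.example.com www.example.com A`: a LAN client should get 192.168.0.5 and an Internet client 245.243.3.5, and only the latter should appear in the firewall's nat PREROUTING counters.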