Adding DNS ALG support to Bind?

Adding DNS ALG support to Bind?

Bill
I was wondering if anyone has looked at or is in the process of adding DNS ALG
support, or something similar, to bind?

https://tools.ietf.org/html/rfc2694

What I would like to do is to have the ability to query a DNS server located
behind a NAT, and have it return the IP of the NAT, and set up connection
tracking in the NAT to pass traffic thru to the host behind the NAT.  The
effect of this is to have a reversible NAT, i.e. one that provides access to
hosts behind the NAT, not by their IP, but by their hostname.

(There are other things in DNS ALG, but I am really interested only in the
reversible NAT aspect.)

Implementing this seems to need the DNS server (bind in this case) to
configure the NAT using the 'expect' feature of connection tracking.  This
would permit the following packets to traverse the NAT to the host, provided
of course they meet the expectation (source, protocol, etc).

I'd like to know if anyone has looked at this, is implementing it, or knows of
any implementations.  I have looked into it but have only seen enterprise
implementations (Cisco & Juniper), but nothing open-source.

/bill
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding DNS ALG support to Bind?

Reindl Harald

you *really* do not want that

have been punished more than one time by cisco routers having that crap
enabled and breaking DNS in various ways, including mangling zone transfers
and setting the TTL of every CNAME to 0 instead of leaving it untouched, or
just breaking zone transfers silently altogether

set up internal and external DNS servers, and keep in mind that with DNSSEC
this would likely not really work anyway

On 24.10.2015 at 22:49, Bill wrote:

> I was wondering if anyone has looked at or is in the process of adding DNS ALG
> support, or something similar, to bind?
>
> https://tools.ietf.org/html/rfc2694
>
> What I would like to do is to have the ability to query a DNS server located
> behind a NAT, and have it return the IP of the NAT, and set up connection
> tracking in the NAT to pass traffic thru to the host behind the NAT.  The
> effect of this is to have a reversible NAT, i.e. one that provides access to
> hosts behind the NAT, not by their IP, but by their hostname.
>
> (There are other things in DNS ALG, but I am really interested only in the
> reversible NAT aspect.)
>
> Implementing this seems to need the DNS server (bind in this case) to
> configure the NAT using the 'expect' feature of connection tracking.  This
> would permit the following packets to traverse the NAT to the host, provided
> of course they meet the expectation (source, protocol, etc).
>
> I'd like to know if anyone has looked at this, is implementing it, or knows of
> any implementations.  I have looked into it but have only seen enterprise
> implementations (Cisco & Juniper), but nothing open-source


Re: Adding DNS ALG support to Bind?

Mark Andrews
In reply to this post by Bill

Get yourself IPv6 and forget about the NAT.  Complain to your ISP
if they don't supply IPv6.  They should be able to, as they have had
two decades to prepare for the fact that IPv4 addresses have run
out.  That way you don't have to worry about different internal and
external addresses.

Even routers that dynamically update the DNS when they get a new
address are starting to no longer work as ISPs introduce Carrier
Grade NATs (CGN) as they have run out of addresses to even give
customers an unshared IPv4 address.

If you really want to track external addresses use a tool outside
of named and have it dynamically update the address in the DNS when
it changes.

Mark

In message <[hidden email]>, Bill writes:

> I was wondering if anyone has looked at or is in the process of adding DNS ALG
> support, or something similar, to bind?
>
> https://tools.ietf.org/html/rfc2694
>
> What I would like to do is to have the ability to query a DNS server located
> behind a NAT, and have it return the IP of the NAT, and set up connection
> tracking in the NAT to pass traffic thru to the host behind the NAT.  The
> effect of this is to have a reversible NAT, i.e. one that provides access to
> hosts behind the NAT, not by their IP, but by their hostname.
>
> (There are other things in DNS ALG, but I am really interested only in the
> reversible NAT aspect.)
>
> Implementing this seems to need the DNS server (bind in this case) to
> configure the NAT using the 'expect' feature of connection tracking.  This
> would permit the following packets to traverse the NAT to the host, provided
> of course they meet the expectation (source, protocol, etc).
>
> I'd like to know if anyone has looked at this, is implementing it, or knows of
> any implementations.  I have looked into it but have only seen enterprise
> implementations (Cisco & Juniper), but nothing open-source.
>
> /bill
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [hidden email]

Re: Adding DNS ALG support to Bind?

Bill
In reply to this post by Reindl Harald
Thanks for your remarks.  What I am actually looking at is research in mobile
networks where I'd like devices that may or may not be connected to be
accessible by name.  The devices might have different IP addresses when they
connect and I don't want any connection to them to be able to keep an old IP,
or even know what their IP address is.  By that I mean they should appear as
if they initiated the connection from behind the NAT.

I picked up on the DNS-ALG spec as possibly addressing part of this and hoped
that if there was an implementation I could start with it.  If there isn't
anything to help, then I will have to look into implementing my own reversible
NAT, using iptables, NAT, connection tracking and whatever else I find useful.

/bill


On Saturday 24 October 2015 17:06, Reindl Harald wrote:

> you *really* do not want that
>
> have been punished more than one time by cisco routers having that crap
> enabled and breaking DNS in various ways, including mangling zone transfers
> and setting the TTL of every CNAME to 0 instead of leaving it untouched, or
> just breaking zone transfers silently altogether
>
> set up internal and external DNS servers, and keep in mind that with DNSSEC
> this would likely not really work anyway

Re: Adding DNS ALG support to Bind?

Bill
In reply to this post by Mark Andrews
Yes, I am also looking at tools to update DNS when the IP address changes.

/bill


On Saturday 24 October 2015 17:35, Mark Andrews wrote:

> Get yourself IPv6 and forget about the NAT.  Complain to your ISP
> if they don't supply IPv6.  They should be able to, as they have had
> two decades to prepare for the fact that IPv4 addresses have run
> out.  That way you don't have to worry about different internal and
> external addresses.
>
> Even routers that dynamically update the DNS when they get a new
> address are starting to no longer work as ISPs introduce Carrier
> Grade NATs (CGN) as they have run out of addresses to even give
> customers an unshared IPv4 address.
>
> If you really want to track external addresses use a tool outside
> of named and have it dynamically update the address in the DNS when
> it changes.
>
> Mark

Re: Adding DNS ALG support to Bind?

Reindl Harald
In reply to this post by Bill
the DNS-ALG can't be handled on the nameserver itself; it does not know
anything about the NAT, the device doing the NAT knows

hence the implementation is typically on the edge router

On 30.10.2015 at 17:38, Bill wrote:

> Thanks for your remarks.  What I am actually looking at is research in mobile
> networks where I'd like devices that may or may not be connected to be
> accessible by name.  The devices might have different IP addresses when they
> connect and I don't want any connection to them to be able to keep an old IP,
> or even know what their IP address is.  By that I mean they should appear as
> if they initiated the connection from behind the NAT.
>
> I picked up on the DNS-ALG spec as possibly addressing part of this and hoped
> if there was an implementation I'd start with it.  If there isn't anything to
> help, then I will have to look into implementing my own reversible NAT, using
> IPtables, NAT, connection tracking and whatever else I find useful.


Re: Adding DNS ALG support to Bind?

Bill
I was thinking of doing the DNS and the NAT on the same device, then (I
assume) the DNS could use connection tracking hooks to add 'expectations' to
the NAT.  Anyhow, that was what I was hoping, but I've not been able to find
out much about anyone having done such a thing, so I might be dreaming.

/bill


On Sunday 01 November 2015 07:13, Reindl Harald wrote:

> the DNS-ALG can't be handled on the nameserver itself; it does not know
> anything about the NAT, the device doing the NAT knows
>
> hence the implementation is typically on the edge router


Re: Adding DNS ALG support to Bind?

Carl Byington
In reply to this post by Bill

On Fri, 2015-10-30 at 12:38 -0400, Bill wrote:
> What I would like to do is to have the ability to query a DNS server
> located behind a NAT, and have it return the IP of the NAT, and set up
> connection tracking in the NAT to pass traffic thru to the host behind
> the NAT.

I think that is a bad idea, even if you can get it implemented and
working.

If I know the names of your hosts (they will eventually be found via
google or other searches), then I can remotely reconfigure your NAT
device to allow my attack traffic thru - and all it takes is a simple
UDP query to your dns server.


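To make the trust boundary Carl is pointing at concrete, here is a toy model of the gateway Bill describes; it is an added example, not code from anyone in the thread or from BIND. An A query for an internal name answers with the gateway address and installs a conntrack-style expectation for the querier; the same model with a few policy knobs turned on (an explicit export list, a permitted querier prefix, expiring expectations) shows what would have to gate that path. All names and addresses are constructed.

```python
"""Toy model of a DNS-triggered NAT 'expectation' gateway (constructed example)."""
import ipaddress
import time
from dataclasses import dataclass, field

GATEWAY_IP = "192.0.2.1"  # constructed external address of the gateway


@dataclass
class Expectation:
    src: str          # external host whose next connection is let in
    internal: str     # internal host that will receive the traffic
    port: int
    expires_at: float


@dataclass
class AlgGateway:
    # name -> internal address, i.e. what the internal DNS knows
    names: dict
    # Policy knobs; leaving all of them empty reproduces the open design in the
    # thread, where any resolvable name opens a path for any querier.
    exportable: set = field(default_factory=set)        # names allowed to be exposed
    allowed_querier: list = field(default_factory=list)  # prefixes allowed to query
    expect_ttl: float = 30.0                             # seconds an expectation lives
    expectations: list = field(default_factory=list)

    def _querier_allowed(self, src):
        if not self.allowed_querier:
            return True
        addr = ipaddress.ip_address(src)
        return any(addr in ipaddress.ip_network(n) for n in self.allowed_querier)

    def query(self, name, src, port=443, now=None):
        """Answer an A query for `name` from `src`; returns the answer or None.

        A positive answer is what installs the expectation, so every refusal
        here is a hole that does not get opened. Note that `src` is the UDP
        source address of the query, which the gateway cannot authenticate.
        """
        now = time.monotonic() if now is None else now
        internal = self.names.get(name)
        if internal is None:
            return None
        if self.exportable and name not in self.exportable:
            return None  # internal-only name: resolvable inside, never exported
        if not self._querier_allowed(src):
            return None  # querier outside the permitted prefixes
        self.expectations.append(
            Expectation(src, internal, port, now + self.expect_ttl))
        return GATEWAY_IP

    def inbound(self, src, dst, port, now=None):
        """Return the internal target for a packet src->dst:port, or None."""
        now = time.monotonic() if now is None else now
        # expire stale expectations before consulting the table
        self.expectations = [e for e in self.expectations if e.expires_at > now]
        if dst != GATEWAY_IP:
            return None
        for e in self.expectations:
            if e.src == src and e.port == port:
                return e.internal
        return None


def demo_open():
    """Open design: one query from anywhere opens the path. Returns the target."""
    gw = AlgGateway(names={"supervisor.lab": "10.0.0.7"})
    gw.query("supervisor.lab", "198.51.100.9", now=0)
    return gw.inbound("198.51.100.9", GATEWAY_IP, 443, now=1)


def demo_gated():
    """Gated design: export list, querier prefix and expiry all enforced."""
    gw = AlgGateway(names={"supervisor.lab": "10.0.0.7", "db.lab": "10.0.0.8"},
                    exportable={"supervisor.lab"},
                    allowed_querier=["198.51.100.0/24"], expect_ttl=30)
    outside = gw.query("supervisor.lab", "203.0.113.5", now=0)   # wrong prefix
    hidden = gw.query("db.lab", "198.51.100.9", now=0)           # not exported
    ok = gw.query("supervisor.lab", "198.51.100.9", now=0)       # allowed
    in_time = gw.inbound("198.51.100.9", GATEWAY_IP, 443, now=10)
    late = gw.inbound("198.51.100.9", GATEWAY_IP, 443, now=60)   # expired
    return outside, hidden, ok, in_time, late
```

Even the gated variant keys the expectation to the query's UDP source address, which the gateway cannot authenticate, so the export list and the querier prefix are the only controls that actually hold.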

Re: Adding DNS ALG support to Bind?

Dave Warren
On 2015-11-02 15:03, Carl Byington wrote:

> On Fri, 2015-10-30 at 12:38 -0400, Bill wrote:
>> What I would like to do is to have the ability to query a DNS server
>> located behind a NAT, and have it return the IP of the NAT, and set up
>> connection tracking in the NAT to pass traffic thru to the host behind
>> the NAT.
> I think that is a bad idea, even if you can get it implemented and
> working.
>
> If I know the names of your hosts (they will eventually be found via
> google or other searches), then I can remotely reconfigure your NAT
> device to allow my attack traffic thru - and all it takes is a simple
> UDP query to your dns server.

And? NAT != firewall. Your firewall would still need to be configured to
permit such a connection, and presumably your NAT environment would need
to be configured to allow it as well.

If that's not desired, one would probably not enable this functionality.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Adding DNS ALG support to Bind?

Bill
In reply to this post by Carl Byington
You are correct, but in the use case I am looking at there is no Internet
connection.  There are a small number of mobile devices (5-15) behind a NAT
gateway with DNS.  The gateway provides service to other small networks, but
there is nothing else connected, it is an isolated system.

What I am trying to do is to be able to connect to a specific device, say a
'supervisor', by name.  I don't know the IP, and their IP may change, or the
supervisor might be a service that isn't always provided by the same device.
The IP will change and the DNS will be updated as needed.

I don't want the device/user accessing the 'supervisor' to know the IP
address, other than the gateway IP; I don't want them to be able to save an
old IP.  Also, I don't want anyone watching the network (it is wireless) to
be able to see anything other than gateway addresses.

Basically, the device/user accessing the 'supervisor' should result in traffic
thru the gateway/NAT that looks as if the supervisor initiated it, i.e. the
supervisor has been natted, and the reply IP is the gateway.

Not sure if I am going about this the right way, but that is my idea.  I
appreciate the comments I am receiving here, thanks.

/bill


On Monday 02 November 2015 18:03, Carl Byington wrote:

> On Fri, 2015-10-30 at 12:38 -0400, Bill wrote:
> > What I would like to do is to have the ability to query a DNS server
> > located behind a NAT, and have it return the IP of the NAT, and set up
> > connection tracking in the NAT to pass traffic thru to the host behind
> > the NAT.
>
> I think that is a bad idea, even if you can get it implemented and
> working.
>
> If I know the names of your hosts (they will eventually be found via
> google or other searches), then I can remotely reconfigure your NAT
> device to allow my attack traffic thru - and all it takes is a simple
> UDP query to your dns server.

Re: Adding DNS ALG support to Bind?

Bill
In reply to this post by Dave Warren
See my last posting on what I am trying to achieve, I think in the interest of
brevity I may have overly simplified my goal.

What I want is for the DNS query to automatically configure the NAT to permit
the outside connection.  In other words it should, after the DNS query, look
as if the named device had initiated the connection from inside that NAT.  My
last post explains the use case a bit better, I hope.

/bill


On Monday 02 November 2015 21:48, Dave Warren wrote:
> On 2015-11-02 15:03, Carl Byington wrote:

> And? NAT != firewall. Your firewall would still need to be configured to
> permit such a connection, and presumably your NAT environment would need
> to be configured to allow it as well.
>
> If that's not desired, one would probably not enable this functionality.

Re: Adding DNS ALG support to Bind?

Mark Andrews

If you want this sort of behaviour you are going to have to pay
someone lots of money to add this sort of functionality to
a nameserver and then pay them more money to maintain it.  This
sort of thing does not exist in normal nameservers.

Nameservers don't normally do other things on DNS lookups.

Normally what one does is configure port forwarding in the NAT /
open a hole in the firewall.  Some NATs can update the DNS when
their external address changes; otherwise you need a NAT that
modifies DNS payloads, and that is problematical in lots of ways.

NATs really are not something anyone sane wants in their network.
Anyone who says they do really doesn't understand IP security. They
are a necessary evil with IPv4 as we long ago ran out of addresses
to number every device uniquely.

Mark

In message <[hidden email]>, Bill writes:

> See my last posting on what I am trying to achieve, I think in the interest of
> brevity I may have overly simplified my goal.
>
> What I want is for the DNS query to automatically configure the NAT to permit
> the outside connection.  In other words it should, after the DNS query, look
> as if the named device had initiated the connection from inside that NAT.  My
> last post explains the use case a bit better, I hope.
>
> /bill
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [hidden email]

Re: Adding DNS ALG support to Bind?

Grant Taylor
In reply to this post by Bill
On 11/04/2015 08:45 AM, Bill wrote:
> You are correct, but in the use case I am looking at there is no Internet
> connection.

I think "other network(s)" can substitute "Internet" in this context.

> What I am trying to do is to be able to connect to s specific device, say a
> 'supervisor' by name.  I don't know the IP, and their IP may change, or the
> supervisor might be a service that isn't always provided by the same device.  
> The IP will change and the DNS will be updated updated as needed

It sounds like you want to connect to the "device that is currently
hosting a role", with the role-holding device being dynamic on top of
dynamic IPs.  Correct?

I'm going to assume that you have TTL taken into account.

> I don't want the device/user accessing the 'supervisor' to know the IP
> address, other than the gateway IP, I don't want them to be able to save an
> old IP.  Also, I don't what anyone watching the network (it is wireless) to
> be able to see anything other than gateway addresses.

Outside the NAT, everything will probably look like it's coming from the
NAT's single external IP.

Inside the NAT, you will see traffic to / from the "supervising device"
and from / to an IP outside of the WLAN.  So, clever people can
deduce what the supervising device is from that.

Or were you going to do something (SNAT?) to hide the external IP?

> Basically, the device/user accessing the 'supervisor' should result in traffic
> thru the gateway/NAT that looks as if the superviser initiated it, ie the
> supervisor has been natted, and the reply IP is the gateway.

I think I can guess what you mean, but I suspect that different network
people will interpret that statement differently.  Especially when
considering external access into a NATed device.

> Not sure if I am going about this the right way, but that is my idea.  I
> appreciate the comments I am receiving here, thanks.

I'm going to assume that we are discussing HTTP traffic for the time being.

I would run an HTTP reverse proxy that accepts the connection on the
outside of the NAT and then proxies the traffic to the internal
"supervisor" host name.

DNS would resolve the internal "supervisor" host name to whatever
device currently has the role and its associated IP.

The reverse proxy would then initiate traffic from its internal IP to
the proper supervising device.  Thus the traffic would appear to be sent
and received from addresses local to the network.

I also have questions about the traffic from the other non-supervisory
role devices.  ...  However, we are getting FAR removed from DNS.




--
Grant. . . .
unix || die

Re: Adding DNS ALG support to Bind?

Bill
In reply to this post by Mark Andrews
Yes, to do a full implementation usable in an enterprise you are correct, but
what I am looking for is a small demo with only 10 machines or so.  I believe
your comment about IPv5 is correct too, but I am limited for this trial.

/bill


On Wednesday 04 November 2015 15:30, Mark Andrews wrote:

> If you want this sort of behaviour you are going to have to pay
> someone lots of money to add this sort of functionality to
> a nameserver and then pay them more money to maintain it.  This
> sort of thing does not exist in normal nameservers.
>
> Nameservers don't normally do other things on DNS lookups.
>
> Normally what one does is configure port forwarding in the NAT /
> open a hole in the firewall.  Some NATs can update the DNS when
> their external address changes; otherwise you need a NAT that
> modifies DNS payloads, and that is problematical in lots of ways.
>
> NATs really are not something anyone sane wants in their network.
> Anyone who says they do really doesn't understand IP security. They
> are a necessary evil with IPv4 as we long ago ran out of addresses
> to number every device uniquely.
>
> Mark

Re: Adding DNS ALG support to Bind?

Mark Andrews

In message <[hidden email]>, Bill writes:
> Yes, to do a full implementation usable in an enterprise you are correct, but
> what I am looking for is a small demo with only 10 machines or so.  I believe
> your comment about IPv5 is correct too, but I am limited for this trial.
>
> /bill

Then find a (home) router with NAT and the ability to send dynamic
updates and configure it as described below.  They exist and can
be purchased for less than USD100 and usually less than USD50.  You
may want to add a "_dns-update._udp.example.net SRV" record pointing
to the nameservers as someone convinced the router vendor(s) that
this is how you do it rather than that being an override to the
default of just sending to the nameservers for the record to be
updated.

The nameserver being updated can be inside the network.

If you don't want to buy a router you can use a Linux or BSD box
and configure the DHCP client to update the nameserver on renumbering.

I did that for many years with FreeBSD with two ethernet cards,
running named and ISC's dhcp client using the dhcp client hooks.

Mark

> On Wednesday 04 November 2015 15:30, Mark Andrews wrote:
> > If you want this sort of behaviour you are going to have to pay
> > someone lots of money to add this sort of functionality to
> > a nameserver and then pay them more money to maintain it.  This
> > sort of thing does not exist in normal nameservers.
> >
> > Nameservers don't normally do other things on DNS lookups.
> >
> > Normally what one does is configure port forwarding in the NAT /
> > open a hole in the firewall.  Some NATs can update the DNS when
> > their external address changes; otherwise you need a NAT that
> > modifies DNS payloads and that is problematical in lots of ways.
> >
> > NATs really are not something anyone sane wants in their network.
> > Anyone who says they do really doesn't understand IP security. They
> > are a necessary evil with IPv4 as we long ago ran out of addresses
> > to number every device uniquely.
> >
> > Mark
> >
> > In message <[hidden email]>, Bill writes:
> > > See my last posting on what I am trying to achieve, I think in the
> > > interest of brevity I may have overly simplified my goal.
> > >
> > > What I want is for the DNS query to automatically configure the NAT to
> > > permit the outside connection.  In other words it should, after the DNS
> > > query, look as if the named device had initiated the connection from
> > > inside that NAT.  My last post explains the use case a bit better, I hope.
> > >
> > > /bill
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [hidden email]
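Mark's second suggestion, a DHCP client hook that updates the nameserver on renumbering, as an added example that is not code from the thread or from ISC: a POSIX sh dhclient exit hook that builds an nsupdate batch for the new lease address and sends it TSIG-signed. dhclient-script really does export $reason, $old_ip_address and $new_ip_address to its hooks; the host name gw.example.net., the zone, the server ns1.example.net, the key file path and the TTL are assumptions. The address check exists because those variables come from the DHCP server, and nothing from that side should be able to inject extra nsupdate commands into the batch.

```shell
#!/bin/sh
# Added example, not from the thread or from ISC: a dhclient exit hook
# (e.g. /etc/dhcp/dhclient-exit-hooks.d/ddns) that pushes the router's new
# external address to the nameserver with a TSIG-signed nsupdate.
# dhclient-script exports $reason, $old_ip_address and $new_ip_address to hooks.
# Every value below is an assumption: host name, zone, server, key file, TTL.
DDNS_NAME="${DDNS_NAME:-gw.example.net.}"
DDNS_ZONE="${DDNS_ZONE:-example.net.}"
DDNS_SERVER="${DDNS_SERVER:-ns1.example.net}"
DDNS_KEYFILE="${DDNS_KEYFILE:-/etc/dhcp/ddns.key}"   # output of tsig-keygen
DDNS_TTL="${DDNS_TTL:-300}"

# Accept only a well-formed dotted quad, so nothing handed to us by the DHCP
# server can smuggle extra nsupdate commands or shell metacharacters in.
valid_ipv4() {
  ip=$1
  case "$ip" in
    "" | *[!0-9.]* | .* | *. | *..*) return 1 ;;
  esac
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Update only on lease events that can change the address, and only when the
# address actually changed; a RENEW of the same lease must not touch the zone.
needs_update() {
  reason=$1; old=$2; new=$3
  case "$reason" in
    BOUND | RENEW | REBIND | REBOOT) ;;
    *) return 1 ;;
  esac
  valid_ipv4 "$new" || return 1
  [ "$new" != "$old" ]
}

# Emit the nsupdate batch as text: replace whatever A records the name has
# with the new address. Kept separate from sending so it can be logged/reviewed.
build_update() {
  name=$1; new_ip=$2
  printf 'server %s\n' "$DDNS_SERVER"
  printf 'zone %s\n' "$DDNS_ZONE"
  printf 'update delete %s A\n' "$name"
  printf 'update add %s %s A %s\n' "$name" "$DDNS_TTL" "$new_ip"
  printf 'send\n'
}

# Entry point when dhclient runs the hook; $reason is unset when merely sourced.
if [ -n "${reason:-}" ]; then
  if needs_update "$reason" "${old_ip_address:-}" "${new_ip_address:-}"; then
    build_update "$DDNS_NAME" "$new_ip_address" | nsupdate -k "$DDNS_KEYFILE"
  fi
fi
```

The key file is the `tsig-keygen` output, and the same key has to be allowed on the server side for that one name (see the named.conf example later in the thread). Deleting all A records before adding the new one keeps stale addresses from accumulating across renumberings.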

Re: Adding DNS ALG support to Bind?

Grant Taylor
On 11/05/2015 03:44 PM, Mark Andrews wrote:
> You may want to add a "_dns-update._udp.example.net SRV" record
> pointing to the nameservers as someone convinced the router vendor(s)
> that this is how you do it rather than that being a override to the
> default of just sending to the nameservers for the record to be
> updated.

I've run into multiple networks where the master name server is
inaccessible.  So, it's not possible for the Dynamic DNS client to send
updates there.

Further, some DNS servers will not forward Dynamic DNS updates.  (Bind
can be configured to forward Dynamic DNS updates quite easily.)



--
Grant. . . .
unix || die

Re: Adding DNS ALG support to Bind?

Mark Andrews

In message <[hidden email]>, Grant Taylor writes:

> On 11/05/2015 03:44 PM, Mark Andrews wrote:
> > You may want to add a "_dns-update._udp.example.net SRV" record
> > pointing to the nameservers as someone convinced the router vendor(s)
> > that this is how you do it rather than that being a override to the
> > default of just sending to the nameservers for the record to be
> > updated.
>
> I've run into multiple networks where the master name server is
> inaccessible.  So, it's not possible for the Dynamic DNS client to send
> updates there.

The UPDATE standard says ANY of the nameservers but to prefer the
server which matches the MNAME.

> Further, some DNS servers will not forward Dynamic DNS updates.  (Bind
> can be configured to forward Dynamic DNS updates quite easily.)

All of which is orthogonal to whether the router follows the standard
or not.

> --
> Grant. . . .
> unix || die
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [hidden email]

Re: Adding DNS ALG support to Bind?

Grant Taylor
On 11/05/2015 10:13 PM, Mark Andrews wrote:
> The UPDATE standard says ANY of the nameservers but to prefer the
> server which matches the MNAME.

I have yet to find a DNS server that will support updates to a slave
server out of the box.

Bind slave servers can easily be configured to forward Dynamic DNS updates
on to the master name server.  (Which may, or may not, be the MNAME server.)



--
Grant. . . .
unix || die
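The forwarding setup Grant describes, as an added example that is not configuration from the thread or from ISC: named.conf fragments for a master that accepts TSIG-signed updates for exactly one name, and a slave that relays signed updates to the master with allow-update-forwarding instead of answering UPDATE itself. The zone, the addresses, the key name and the key value are placeholders; generate a real key with `tsig-keygen`. The two zone statements belong on two different servers, not in one named.conf.

```conf
// Added example, not from the thread. Shared by both servers: the TSIG key the
// router (or the dhclient hook) signs its updates with. The secret is a
// placeholder; use the output of `tsig-keygen router-ddns` instead.
key "router-ddns" {
    algorithm hmac-sha256;
    secret "Zm9yIGRlbW9uc3RyYXRpb24gb25seSwgcmVwbGFjZSBtZQ==";
};

// On the master: accept updates signed with that key, but only for the A
// records of one name. A bare `allow-update { key router-ddns; };` would
// instead let the key rewrite anything in the zone, NS and MX included.
zone "example.net" {
    type master;
    file "example.net.zone";
    update-policy {
        grant router-ddns name gw.example.net. A;
    };
};

// On a slave: it cannot apply the update itself, so relay it to the master.
// The default for allow-update-forwarding is none; limit it to the key rather
// than to a source address, since a UDP source address is trivially forged.
zone "example.net" {
    type slave;
    file "slaves/example.net.zone";
    masters { 192.0.2.53; };
    allow-update-forwarding { key router-ddns; };
};
```

With this in place the client may send its UPDATE to whichever of the zone's nameservers it can reach, which is what the standard Mark cites allows; the slave forwards the request and the master still applies its own update-policy to it, so the key-per-name restriction holds regardless of which server received the update.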

Re: Adding DNS ALG support to Bind?

Jan-Piet Mens
In reply to this post by Mark Andrews
Mark,

> may want to add a "_dns-update._udp.example.net SRV" record pointing
> to the nameservers as someone convinced the router vendor(s) that
> this is how you do it

Is this a standard? Other than [1], which insinuates it's an Apple-only
thing, the Goog turns up only 55 hits  for "_dns-update" and SRV. ;-)

Can you mention any other vendors which support the SRV RR for directing
updates?

        -JP

[1] http://fmepnet.org/osx_dyndns.html

Re: Adding DNS ALG support to Bind?

Bill
In reply to this post by Mark Andrews
Thanks for the suggestion.  My intention for now is to trial on a laptop as
that gives me the maximum flexibility for testing.

/bill


On Thursday 05 November 2015 17:44, Mark Andrews wrote:

> In message <[hidden email]>, Bill writes:
> > Yes, to do a full implementation usable in an enterprise you are correct,
> > but what I am looking for is a small demo with only 10 machines or so.  I
> > believe your comment about IPv5 is correct too, but I am limited for this
> > trial.
> >
> > /bill
>
> Then find a (home) router with NAT and the ability to send dynamic
> updates and configure it as described below.  They exist and can
> be purchased for less than USD100 and usually less than USD50.  You
> may want to add a "_dns-update._udp.example.net SRV" record pointing
> to the nameservers as someone convinced the router vendor(s) that
> this is how you do it rather than that being an override to the
> default of just sending to the nameservers for the record to be
> updated.
>
> The nameserver being updated can be inside the network.
>
> If you don't want to buy a router you can use a Linux or BSD box
> and configure the DHCP client to update the nameserver on renumbering.
>
> I did that for many years with FreeBSD with two ethernet cards,
> running named and ISC's dhcp client using the dhcp client hooks.
>
> Mark
>
> > On Wednesday 04 November 2015 15:30, Mark Andrews wrote:
> > > If you want this sort of behaviour you are going to have to pay
> > > someone lots of money to add this sort of functionality to
> > > a nameserver and then pay them more money to maintain it.  This
> > > sort of thing does not exist in normal nameservers.
> > >
> > > Nameservers don't normally do other things on DNS lookups.
> > >
> > > Normally what one does is configure port forwarding in the NAT /
> > > open a hole in the firewall.  Some NATs can update the DNS when
> > > their external address changes; otherwise you need a NAT that
> > > modifies DNS payloads and that is problematical in lots of ways.
> > >
> > > NATs really are not something anyone sane wants in their network.
> > > Anyone who says they do really doesn't understand IP security. They
> > > are a necessary evil with IPv4 as we long ago ran out of addresses
> > > to number every device uniquely.
> > >
> > > Mark
> > >
> > > In message <[hidden email]>, Bill writes:
> > > > See my last posting on what I am trying to achieve, I think in the
> > > > interest of brevity I may have overly simplified my goal.
> > > >
> > > > What I want is for the DNS query to automatically configure the NAT
> > > > to permit the outside connection.  In other words it should, after the
> > > > DNS query, look as if the named device had initiated the connection
> > > > from inside that NAT.  My last post explains the use case a bit better,
> > > > I hope.
> > > >
> > > > /bill