[CentOS] Re: iptables port forwarding -- name resolution and not forwarding/routing?

Bryan J. Smith <b.j.smith@ieee.org>

thebs413 at earthlink.net
Fri May 20 16:10:00 UTC 2005


From: Johnny Hughes <mailing-lists at hughesjr.com>
> What I do is have an internal DNS server that does internal IPs for my
> domain (it is listed as Primary, no secondaries, for my domain).
> Internally, mail.hughesjr.com has the internal address .... externally
> its real address.
> Internal clients point to the internal DNS server (and internal IP) ...
> external clients point to the external IP.

Exactomundo.

In many cases, it's not a forwarding/routing issue, but a name resolution issue.
Private systems are resolving to public addresses, and you want to intercept
those from ever reaching a public DNS server.  That way you can replace the
public name/IP everyone else sees with just the private name/IP that the
private LAN should access.

That means using private DNS servers and _only_ having the private systems
resolving to them.  Use "forwarder" and other DNS configuration on the private
systems to do external resolution for the internal systems anyway.

In addition to solving this issue, you get 2 additional benefits:
- DNS cache pooling (all systems are resolving to 2-3 private DNS servers)
- UDP/53 restriction (only allow UDP/53 through firewall to those 2-3 private DNS servers)



--
Bryan J. Smith   mailto:b.j.smith at ieee.org
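
As an added example (not configuration from either poster), here is what the split setup described above looks like in a BIND 9 named.conf using views: the "internal" view answers the private LAN with the private address of mail.hughesjr.com and forwards all other lookups to outside resolvers on the LAN's behalf, while the "external" view hands everyone else only the public zone, with no recursion. The LAN range, the two addresses of mail, the forwarder addresses and the zone file paths are constructed placeholders, not values from the thread.

```conf
// /etc/named.conf -- constructed example; all addresses are placeholders
acl "lan" { 192.168.1.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on { any; };
};

// Private systems match this view. The hughesjr.com zone here carries the
// private address, and every other name is resolved for them via the
// forwarders, so no internal host ever needs to reach a public DNS server.
view "internal" {
    match-clients { lan; };
    recursion yes;
    forwarders { 198.51.100.53; 198.51.100.54; };   // upstream resolvers (placeholders)
    forward only;

    zone "hughesjr.com" {
        type master;
        file "internal/hughesjr.com.zone";   // mail  IN  A  192.168.1.10
    };
};

// Everyone else matches this view: public data only, no recursion offered.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };

    zone "hughesjr.com" {
        type master;
        file "external/hughesjr.com.zone";   // mail  IN  A  203.0.113.25
    };
};
```

Because only the two private DNS servers need outbound UDP/53 (and TCP/53 for large answers) to the forwarders, the firewall can drop port 53 traffic from every other internal host, which is the restriction benefit mentioned above.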