We have an old Cisco gateway/router that I can’t get hairpinning to work on, so I thought I could solve my problem through DNS, as I’m already using one of our OpenSUSE machines as DNS server.
Say our external public domain is rgbastpqxyzw.com.com. In the LAN DNS server’s settings I have lan.rgbastpqxyzw.com which has the records for various internal services. That works fine.
Now, the gateway/router port forwards several ports for two different internal servers. I want client programs that are run from outside and access rgbastpqxyzw.com:12345 and rgbastpqxyzw.com:54321 to be able to work from inside the LAN without needing to change the addresses to LAN IPs. How can I do that with DNS when ports 12345 and 54321 go to different machines inside the LAN?
On 03/28/2014 10:26 PM, Prune pecked at the keyboard and wrote:
> We have an old Cisco gateway/router that I can’t get hairpinning to work
> on, so I thought I could solve my problem through DNS, as I’m already
> using one of our OpenSUSE machines as DNS server.
>
> Say our external public domain is rgbastpqxyzw.com.com. In the LAN DNS
> server’s settings I have lan.rgbastpqxyzw.com which has the records for
> various internal services. That works fine.
>
> Now, the gateway/router port forwards several ports for two different
> internal servers. I want client programs that are run from outside and
> access rgbastpqxyzw.com:12345 and rgbastpqxyzw.com:54321 to be able to
> work from inside the LAN without needing to change the addresses to LAN
> IPs. How can I do that with DNS when ports 12345 and 54321 go to
> different machines inside the LAN?
>
> Why, yes, I am a networking newbie…
>
>
Forward port 12345 to (local IP) xxx.xxx.xxx.xxx
Then when a connection request comes to your router/gateway for port
12345 it will always go to the specified machine.
A few things…
What you’re asking for is “split DNS”: a resource is accessible by a Public IP address but is also accessible by a different Private address. If a client is configured to use a Public DNS, the client will be issued the Public IP address. If the client is configured to point to a Private DNS, the Private DNS will not forward the request to the Public DNS; instead, it will serve the Private IP address from a zone configured locally on the DNS server.
The resource itself might have only a Private IP address if the GW FW is forwarding and translating, or could be a multi-homed machine with separate physical NICs facing publicly and privately. Or, there could be some weird configuration of multiple addresses on the same physical NIC.
The whole idea of avoiding hair-pinning runs counter to your request:
> … be able to work from inside the LAN without needing to change the addresses to LAN IPs
Hair-pinning means that your clients are trying to access the resource using the Public IP address, which requires the hairpin. Only by changing the resource to be accessed by a LAN IP can the hairpin be avoided.
Whether the resource machine(s) are the same (most typical if the GW FW is forwarding and translating) or different is irrelevant. The LAN DNS would point to whatever address you wish.
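A split-DNS layout of the kind described in the reply above, written as an added example in BIND 9 syntax (it is not from the thread and not OpenSUSE's stock configuration): one server answers LAN clients from a private copy of the zone and everyone else from the public copy, without recursing for outsiders. The LAN prefix 10.0.0.0/24, the addresses 10.0.0.2, 10.0.0.21, 10.0.0.22 and 192.0.2.10, the name svc2 and the file paths are constructed placeholders.

```conf
// ---- named.conf: which clients see which copy of the zone ----
acl lan { 10.0.0.0/24; 127.0.0.1; };     // constructed LAN prefix

view "internal" {
    match-clients { lan; };
    recursion yes;        // LAN clients may use this server as their resolver
    zone "rgbastpqxyzw.com" {
        type master;
        file "/var/lib/named/master/rgbastpqxyzw.com.internal";  // constructed path
    };
};

view "external" {
    match-clients { any; };
    recursion no;         // never act as an open resolver for the Internet
    zone "rgbastpqxyzw.com" {
        type master;
        file "/var/lib/named/master/rgbastpqxyzw.com.external";  // constructed path
    };
};

; ---- rgbastpqxyzw.com.internal (served only to LAN clients) ----
$TTL 3600
@    IN SOA ns1.rgbastpqxyzw.com. hostmaster.rgbastpqxyzw.com. (
             2014032801 3600 900 604800 300 )
@    IN NS  ns1.rgbastpqxyzw.com.
ns1  IN A   10.0.0.2
; A DNS answer carries no port, so the bare name can resolve to only one host:
@    IN A   10.0.0.21        ; the host behind the forward for port 12345
; The host behind port 54321 therefore needs its own name on the LAN side:
svc2 IN A   10.0.0.22        ; LAN clients use svc2.rgbastpqxyzw.com:54321
; Every public name under rgbastpqxyzw.com (www, mail, ...) must be repeated
; here, because LAN clients no longer see the public copy of this zone.

; ---- rgbastpqxyzw.com.external (served to everyone else) ----
$TTL 3600
@    IN SOA ns1.rgbastpqxyzw.com. hostmaster.rgbastpqxyzw.com. (
             2014032801 3600 900 604800 300 )
@    IN NS  ns1.rgbastpqxyzw.com.
ns1  IN A   192.0.2.10
@    IN A   192.0.2.10       ; the gateway's public address; ports are forwarded there
```

Keeping both ports on the one name from inside the LAN is exactly what DNS cannot express, since resolution happens before the port is chosen; that case needs either hairpin NAT on the gateway or a per-service name as above.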