g4sra <g4...@protonmail.com> wrote:

>> It is as simple as needing to connect to the server at different IPs (i.e. 
>> the internal IP from inside, the external IP from outside), but using the 
>> same URL? 
> 
> In a nutshell, yes.

OK, then I'd use split horizon DNS - problem solved (but noting the comment 
made about Android).
As also noted, SIP is one of the things that is well and truly screwed up by 
NAT - not that you'll find many NAT apologists admitting that. And in my 
experience, SIP ALGs (Application Level Gateways) can screw things up more than 
they fix.

>> If so, then split horizon DNS is your friend - and I'm assuming that's 
>> what you are referring to when you say using BINDs response policy.
> No.
> 
> BIND's 'response policy' is a, um, policy similar to a normal zone BUT 
> anything in this zone can mask a real resolve from occurring.

I hadn't seen that one, it's newer than when I last setup a BIND server.


>> Some will tell you that it's wrong - but as long as we have NAT then it's a 
>> decent and reliable workaround for the breakage that NAT causes.
> The reason it is wrong is...your internal DNS server is exposed to a 
> higher hacking threat than if you had two separate servers, with the one in 
> the DMZ serving external queries and the internal one on the local lan behind 
> a secondary firewall.

It can be done with two different servers, and that's (sort of) actually how I 
have it. My own server is not internet accessible other than from secondary 
servers at a hosting company which publicly host my external zone for me.

But the reason I was told, "with absolute certainty", by a supposedly 
professional consultant is that firstly I should not have different servers 
with the same name - e.g. internal and external web server for the same domain. 
But mostly, I should not be running my own DNS because only our ISP could keep 
our zone up to date!
In hindsight, with a little effort and guided learning I could have been a 
consultant with that sort of job - except that I never had, and never had the 
desire to have, the gift of "bulls**tting my way through anything".

Simon
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
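An added example (not part of the message above, nor a configuration from any of the list participants) of the two mechanisms the thread contrasts: split-horizon DNS done with BIND views, where the same zone name gets an internal and an external copy, alongside a response policy zone that masks the real answer for internal clients. The zone name example.org, the address ranges, the file paths and the secondaries' address are assumptions chosen for illustration. The external view keeps recursion off and only allows zone transfers to the named secondaries, which is the part of the setup that limits the exposure g4sra raises:

```conf
// Added example named.conf for split-horizon DNS plus RPZ. All names,
// addresses and file paths are assumptions, not from the original thread.
acl internal    { 10.0.0.0/8; 127.0.0.1; };
acl secondaries { 192.0.2.53; 198.51.100.53; };   // assumed hosting-company secondaries

options {
    directory "/var/named";
    recursion no;                  // default: answer authoritatively only
    allow-transfer { none; };      // no transfers unless a zone says otherwise
    version "not disclosed";
};

// Internal view: matched first, so LAN clients never fall through to "external".
view "internal" {
    match-clients   { internal; };
    recursion       yes;
    allow-recursion { internal; };

    // Internal copy of the zone: sip.example.org resolves to the LAN address.
    zone "example.org" {
        type master;
        file "internal/example.org.zone";
    };

    // Response policy zone: any name listed in it masks the real answer
    // for this view's clients, without editing the zone itself.
    response-policy { zone "rpz.local"; };
    zone "rpz.local" {
        type master;
        file "internal/rpz.local.zone";
        allow-query { none; };     // policy data is not queryable directly
    };
};

// External view: everything else, including the public secondaries.
view "external" {
    match-clients { any; };
    recursion     no;              // never recurse for the outside world

    // Public copy of the same zone name: sip.example.org -> public address.
    zone "example.org" {
        type master;
        file "external/example.org.zone";
        allow-transfer { secondaries; };
        also-notify    { 192.0.2.53; 198.51.100.53; };
    };
};
```

In the RPZ zone file the triggers are written relative to the policy zone's origin, so a record `sip.example.org A 10.0.0.10` rewrites the answer, `sip.example.org CNAME .` forces NXDOMAIN, and `sip.example.org CNAME rpz-passthru.` exempts the name. Check the result with `named-checkconf` before reloading and then `dig +short sip.example.org @<server>` from a LAN address and from outside: the two answers should differ, and `dig +norecurse` from outside should still be refused recursion. One caveat the thread itself notes: a client that ignores the DHCP-supplied resolver (the Android remark) will see the external view regardless.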
