DNS Request Redirection [7:35703]

2002-02-17 Thread Michael Hair

I was wondering what is the best way to take care of the following:

I have been using a private address space behind a Cisco 4500 router
connected to our current ISP using NAT. Now we want to move our
connection from our current ISP to a new ISP with better bandwidth. My
problem is that we don't want to change all our client machines' TCP/IP
settings, which are all static; for some reason or another they were all
set up to use our ISP's DNS. Not my idea, but that's another problem. So how can
I set up our router to forward requests looking for our current ISP's DNS to
our new ISP's DNS without touching all the client machines?

Would the best way be to use policy-based routing?

Would a static route work?

Could I use a static route under NAT?

If someone could provide me a sample of how you could do this I would be
grateful...

Thanks
Michael




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35703&t=35703
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: DNS Request Redirection [7:35703]

2002-02-17 Thread Chuck

consider that the DNS request packet has a destination address of the server
of your former ISP. what you are trying to accomplish, if I understand you
correctly, is to change that destination address. Policy routing can change
the next hop, but it cannot change the destination IP of the packet in
question.

why not leave well enough alone? is there any reason DNS is not being
answered by the servers of your former ISP? Do they filter DNS requests from
sources not in their space? If not, everyone is happy. If so, then your
choices are to visit each machine and physically change the DNS information,
or to set up DHCP, and then visit each machine to physically set up DHCP on
them.

Chuck


""Michael Hair""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35704&t=35703



Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Godswill HO

You can still use your former ISP's DNS records while using the new ISP's
bandwidth. It does not matter who owns the DNS server. Everybody has access
to it once they are on the internet, except when they are specifically
filtered.

The only drawback is that your new ISP has to forward the packet on a
round trip to the old ISP's network through the internet before the requests are
resolved and sent back to your machine; had you been using the DNS of
your new ISP, these requests would stop there. Do not lose your sleep,
because at worst these delays are in milliseconds and not easily
noticeable by the eye; moreover, each machine has a cache so it does not forward
every request. Great if you have a Cache Engine to complement the machine's
cache.

Whatever, you are cool and everything will be fine; switch to your new ISP
and enjoy.

Regards.
Oletu
- Original Message -
From: Michael Hair 
To: 
Sent: Sunday, February 17, 2002 8:07 PM
Subject: DNS Request Redirection [7:35703]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35718&t=35703



Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Marc Thach Xuan Ky

Any decent ISP will refuse DNS recursion from any IP address that is not
within its own address space. This is fundamental to DNS security.
You need to rewrite the destination IP address. Note that Cisco's NAT
is not suitable for this because of the DNS ALG. The easiest thing to
do may be to provide an on-site caching DNS using the old ISP's DNS
addresses. If you've got a lot of workstations and decent bandwidth
to the Internet, you will probably find that running your own DNS cache
will be more satisfactory anyway.
rgds
Marc TXK


Godswill HO wrote:




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35743&t=35703



Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Priscilla Oppenheimer

At 05:11 AM 2/18/02, Godswill HO wrote:
>You can still use your former ISP's DNS records while using the new ISP's
>bandwidth. It does not matter who owns the DNS server. Everybody has access
>to it once they are on the internet, except when they are specifically
>filtered.
>
>The only drawback is that your new ISP has to forward the packet on a
>round trip to the old ISP's network through the internet before they are
>resolved and sent back to your machine,

It would depend on what records they are accessing. If the users are going 
to the Internet and accessing sites such as www.cisco.com and 
www.groupstudy.com, for example, the DNS queries don't have to go back to 
the original ISP.

>had you been using the DNS of
>your new ISP, these requests would stop there. Do not lose your sleep,
>because at worst these delays are in milliseconds and not easily
>noticeable by the eye; moreover, each machine has a cache so it does not forward
>every request. Great if you have a Cache Engine to complement the machine's
>cache.
>
>Whatever, you are cool and everything will be fine; switch to your new ISP
>and enjoy.
>
>Regards.
>Oletu


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35750&t=35703



Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Chuck

hhmmm.

as I understand the original question, each workstation in the network in
question is hard coded for DNS.

So, if for example, my machine is hard coded for DNS server 207.126.96.162
( my ISP DNS server ) and I change ISPs, and make no changes to my
workstation, then any DNS request will have a destination address of
207.126.96.162.

The question, as I understand it, is how to change that destination address
without making workstation visits.

Policy routing can change next hop, but not destination address. NAT
outbound changes source address, not destination address.

Unless there is a packet interceptor that takes all DNS requests, and
physically changes the destination address, the user has few options.

Again, IF the former ISP does not restrict DNS requests to its own address
space, i.e. accepts DNS requests from anywhere, then there is no problem,
and no changes need be made.

However IF ( and this would be good practice for a lot of reasons ) the
former ISP does indeed restrict DNS requests to source addresses within its
own space, then there will have to be additional changes on the user
network.

This whole discussion illustrates why people SHOULD follow best practice
from the get go. If they want to hard code IPs, then I believe DHCP can be
configured so that it provides only DNS info and default gateway info, for
example. The people who have insisted that their network hard code
everything are now learning the hard lesson.

Chuck


""Priscilla Oppenheimer""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35755&t=35703



Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Priscilla Oppenheimer

At 12:28 PM 2/18/02, Marc Thach Xuan Ky wrote:
>Any decent ISP will refuse DNS recursion from any IP address that is not
>within its own address space.

He wasn't asking about recursion. He was asking about the initial query 
from the end host. Although I could believe you that a service provider 
should make sure these queries only come from customers, my experience is 
that service providers don't do this. I can set my PC to use a variety of 
DNS servers around the Internet and it works.

I think it's because it's tricky to do, especially for small ISPs. Some 
ISPs might have only one DNS server. The same server that provides DNS 
services to Internet-access customers may also be the authority for various 
names managed by the ISP. The ISP may be doing Web hosting and be the 
authority for a bunch of names. In that case, it can't filter out DNS 
queries coming from the Internet.

For example, say your PC asks your local DNS server to resolve 
www.priscilla.com. Your server can't do it. It asks its upstream server, 
probably one of the root servers. The root server figures out that 
petiteisp.com owns www.priscilla.com and tells your server the IP address 
of the authoritative name server at petiteisp.com. Your server queries 
petiteisp.com which gives your server the IP address for www.priscilla.com. 
Your server finally responds to your PC.

Notice that the query to petiteisp.com came from some unexpected IP address 
that can't be anticipated in a filter. If petiteisp.com had a filter to 
allow queries only from its customers, the query from your server would 
have failed.

Did that make sense? ;-) How do bigger ISPs handle this? I suppose bigger 
ISPs have more than one DNS server, one for Internet access customers, and 
one that is the authority for names owned by the ISP.

Priscilla

>  This is fundamental to DNS security.
>You need to rewrite the destination IP address.  Note that Cisco's NAT
>is not suitable for this because of the DNS ALG.  The easiest thing to
>do may be to provide an on-site cacheing DNS using the old ISPs DNS
>addresses.  If you've got a lot of workstations and a decent bandwidth
>to the Internet, you will probably find that running your own DNS cache
>will be more satisfactory anyway.
>rgds
>Marc TXK


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35757&t=35703
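The two DNS roles this thread circles around, written out as a small model. This is an added example, not code from the thread or from any of its posters, and every server name, address, TTL and zone in it is constructed: `site-cache` stands for the on-site caching resolver Marc suggests (it recurses for the 10.0.0.0/8 clients behind the NAT router and caches answers by TTL), and `ns.petiteisp.com` stands for the ISP server in Priscilla's walk-through, authoritative for priscilla.com. The model separates the two kinds of query such a server receives: it answers authoritatively for any source (so the site's resolver, querying from a public address the ISP has never seen, still gets the www.priscilla.com record), but it refuses recursion for any source outside its customer ranges. That split, which is what BIND's `allow-recursion` option implements, is how a server can avoid being an open recursive resolver without breaking authoritative service for the names it hosts.

```python
"""Model of the two DNS roles discussed in the thread (added example; all
names, addresses and zone contents are constructed):
  - a caching resolver that recurses for the private network and caches by TTL
  - an ISP server that answers authoritatively for anyone but recurses only
    for its own customers (the BIND allow-recursion split)
"""
import ipaddress

SERVERS = {}  # server name -> NameServer; stands in for NS glue records


class Refused(Exception):
    """Server will not perform recursion for this source address."""


class NameServer:
    def __init__(self, name, zone_data=None, allow_recursion=(), public_ip="0.0.0.0"):
        self.name = name
        # zone_data: qname -> ("A", ip, ttl) for names we own, or
        #            zone  -> ("NS", server_name) for delegations we hand out
        self.zone_data = zone_data or {}
        self.acl = [ipaddress.ip_network(n) for n in allow_recursion]
        self.public_ip = public_ip  # source address of the queries we send
        self.cache = {}             # qname -> (ip, expires_at)
        self.queries = []           # (qname, src) we were asked, for inspection
        SERVERS[name] = self

    def recursion_allowed(self, src):
        return any(ipaddress.ip_address(src) in net for net in self.acl)

    def answer(self, qname, src):
        """Non-recursive query: our authoritative data or the best referral.
        Deliberately no source check: any host on the Internet may ask an
        authoritative server about the names it owns."""
        self.queries.append((qname, src))
        if qname in self.zone_data:
            return self.zone_data[qname]
        best = None
        for zone, rec in self.zone_data.items():
            if rec[0] == "NS" and qname.endswith("." + zone):
                if best is None or len(zone) > len(best[0]):
                    best = (zone, rec)
        return best[1] if best else None

    def resolve(self, qname, src, now=0):
        """Recursive query from a client. Only sources inside the ACL are
        served; returns (ip, trace) where trace is ["cache"] or the servers
        consulted while walking the delegation chain from the root."""
        if not self.recursion_allowed(src):
            raise Refused(f"{self.name}: recursion refused for {src}")
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0], ["cache"]
        trace, server = [], SERVERS["root"]
        for _ in range(16):  # bound the referral chain
            trace.append(server.name)
            rec = server.answer(qname, self.public_ip)
            if rec is None:
                raise LookupError(f"no data for {qname}")
            if rec[0] == "A":
                self.cache[qname] = (rec[1], now + rec[2])
                return rec[1], trace
            server = SERVERS[rec[1]]
        raise LookupError("referral chain too long")


def build_internet():
    """Constructed namespace: root -> .com -> two authoritative servers."""
    SERVERS.clear()
    NameServer("root", {"com": ("NS", "a.gtld")})
    NameServer("a.gtld", {"priscilla.com": ("NS", "ns.petiteisp.com"),
                          "cisco.com": ("NS", "ns.cisco.example")})
    # petiteisp hosts priscilla.com and recurses only for its own customers.
    NameServer("ns.petiteisp.com", {"www.priscilla.com": ("A", "203.0.113.10", 300)},
               allow_recursion=["198.51.100.0/24"], public_ip="198.51.100.53")
    NameServer("ns.cisco.example", {"www.cisco.com": ("A", "203.0.113.20", 60)})
    # The site's on-site cache: recurses for the private space behind the
    # NAT router and sends its own queries from the site's new public address.
    return NameServer("site-cache", allow_recursion=["10.0.0.0/8"],
                      public_ip="192.0.2.7")


def demo():
    site = build_internet()
    petite = SERVERS["ns.petiteisp.com"]
    ip, first = site.resolve("www.priscilla.com", "10.1.1.25", now=0)
    _, second = site.resolve("www.priscilla.com", "10.1.1.25", now=100)  # within TTL
    _, third = site.resolve("www.priscilla.com", "10.1.1.25", now=301)   # TTL expired
    try:
        petite.resolve("www.cisco.com", "192.0.2.7")  # outsider asking petiteisp to recurse
        refused = False
    except Refused:
        refused = True
    cust_ip, _ = petite.resolve("www.cisco.com", "198.51.100.20")  # a petiteisp customer
    return {"ip": ip, "first": first, "second": second, "third": third,
            "refused": refused, "customer_ip": cust_ip,
            "seen_by_petite": petite.queries[0]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The trace of the first lookup is root, a.gtld, ns.petiteisp.com, and petiteisp records that query as coming from 192.0.2.7, an address it has no customer relationship with, which is the point Priscilla makes about filtering: that query must be answered, so the source check belongs on recursion, not on every query. The second lookup is a cache hit and the third, after the 300-second TTL, walks the chain again.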



Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Chuck

the simple way to test this would be to set your workstation with some other
ISP's DNS address, and see how things go. In one of my posts I provided the
real IP of an active DNS server. Someone want to give it a try? or post one
that you know about. I'll be happy to test.

I wish the guy who posted the original question would get back to us with
his results.

Chuck

""Priscilla Oppenheimer""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...

RE: DNS Request Redirection [7:35703]

2002-02-18 Thread Tim Booth

Out of curiosity, what is the "best practice" for someone who has a
DNS server on their private network with a private IP address? How would
one go about doing this with a router? Is it impossible? Is the "best
practice"/only possible way to have the DNS server have a public IP
address (in a DMZ)?

Kind Regards,
Tim Booth
MCDBA, CCNP, CCDP, CCIE written
-
Those who would give up essential liberty to purchase a little temporary
safety deserve neither liberty nor safety.
Benjamin Franklin, 1759


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 18, 2002 13:16
To: [EMAIL PROTECTED]
Subject: Re: DNS Request Redirection [7:35703]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35772&t=35703



Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Priscilla Oppenheimer

Yes, I can use that DNS server that you mentioned without any problem. I 
have my PC set to use it right now. And I know of others that anyone can 
use too, but I'm not going to give details in case they would not like this 
info to get out. ;-)

Priscilla

At 03:24 PM 2/18/02, Chuck wrote:
>the simple way to test this would be to set your workstation with some other
>ISP's DNS address, and see how things go. In one of my posts I provided the
>real IP of an active DNS server. Someone want to give it a try? or post one
>that you know about. I'll be happy to test.
>
>I wish the guy who posted the original question would get back to us with
>his results.
>
>Chuck
>
>""Priscilla Oppenheimer""  wrote in message
>[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > At 12:28 PM 2/18/02, Marc Thach Xuan Ky wrote:
> > >Any decent ISP will refuse DNS recursion from any IP address that is not
> > >within its own address space.
> >
> > He wasn't asking about recursion. He was asking about the initial query
> > from the end host. Although I could believe you that a service provider
> > should make sure these queries only come from customers, my experience is
> > that service providers don't do this. I can set my PC to use a variety of
> > DNS servers around the Internet and it works.
> >
> > I think it's because it's tricky to do, especially for small ISPs. Some
> > ISPs might have only one DNS server. The same server that provides DNS
> > services to Internet-access customers may also be the authority for
>various
> > names managed by the ISP. The ISP may be doing Web hosting and be the
> > authority for a bunch of names. In that case, it can't filter out DNS
> > queries coming from the Internet.
> >
> > For example, say your PC asks your local DNS server to resolve
> > www.priscilla.com. Your server can't do it. It asks its upstream server,
> > probably one of the root servers. The root server figures out that
> > petiteisp.com owns www.priscilla.com and tells your server the IP address
> > of the authoritative name server at petiteisp.com. Your server queries
> > petiteisp.com which gives your server the IP address for
>www.priscilla.com.
> > Your server finally responds to your PC.
> >
> > Notice that the query to petiteisp.com came from some unexpected IP
>address
> > that can't be anticipated in a filter. If petiteisp.com had a filter to
> > allow queries only from its customers, the query from your server would
> > have failed.
> >
> > Did that make sense? ;-) How to bigger ISPs handle this? I suppose bigger
> > ISPs have more than one DNS server, one for Internet access customers,
and
> > one that is the authority for names owned by the ISP.
> >
> > Priscilla
> >
> > >  This is fundamental to DNS security.
> > >You need to rewrite the destination IP address.  Note that Cisco's NAT
> > >is not suitable for this because of the DNS ALG.  The easiest thing to
> > >do may be to provide an on-site cacheing DNS using the old ISPs DNS
> > >addresses.  If you've got a lot of workstations and a decent bandwidth
> > >to the Internet, you will probably find that running your own DNS cache
> > >will be more satisfactory anyway.
> > >rgds
> > >Marc TXK
> > >
> > >
> > >Godswill HO wrote:
> > > >
> > > > You can still use your former ISP's DNS records while using the new
>ISP's
> > > > bandwidth. It does not matter who owns the DNS server. Everybody have
> > >access
> > > > to it once they are in the internet. Except when they are
specifically
> > > > filtered.
> > > >
> > > > The only drawn back is that, Your new ISP have to forward the packet
>in a
> > > > round trip to the old ISP's network through the internet before they
>are
> > > > resolved and sent back to you machine, had it been you are using the
>DNS
> > of
> > > > your new ISP, these request would stop there. Do not loose your
sleep,
> > > > because at the worst these delays are in milisseconds and not easily
> > > > noticeable by the eye, more each machine have a cache so it does not
> > >forward
> > > > every request. Great if you have a Cache Engine to compliment the
> > machine's
> > > > cache.
> > > >
> > > > Whatever, you are kool and everything will be fine, switch to your
new
> > ISP
> > > > and enjoy.
> > > >
> > > 

Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Chuck

thanks, Cil.

I guess we can lay this one to rest. The network in question probably needs
to make no changes and life will be dandy.

Chuck

""Priscilla Oppenheimer""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Yes, I can use that DNS server that you mentioned without any problem. I
> have my PC set to use it right now. And I know of others that anyone can
> use too, but I'm not going to give details in case they would not like
this
> info to get out. ;-)
>
> Priscilla

Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Michael Hair

Thanks for everyone who responded.

I did some testing and here is what I found.

Our current ISP's DNS is not reachable from the outside world; it seems that
we use an internal DNS server which then forwards the request to the
internal side of their firewall, which forwards to their external DNS and
then out to the world.

I have tested using our new ISP's DNS server from our old ISP connection
and it seems to work just fine.

It looks like I will need to touch every machine and correct their DNS
entries. So if I must go to each workstation, I will just stand up a
DHCP server. This corrects the problem once and for all. That way, if anything
changes (DNS, subnet, IP address) I will be able to change it on the server
and be done with it. It would make life a lot simpler.

Thanks again for everyone's input...

Michael








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35779&t=35703



Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Patrick Ramsey

not to add any heat underneath anyone's behind, but I routinely use
UUNET/Mindspring/Earthlink/Qwest... (their caching of course)

to be honest with you, I have never run into an ISP that wouldn't allow
lookups from external hosts...  I mean...for authoritative servers, how
would you propagate your zones without allowing lookups from other caching
servers?  Unless you restricted lookups to root servers only...But
wouldn't that be kinda inefficient?
 
-Patrick

>>> "Priscilla Oppenheimer"  02/18/02 03:50PM >>>
Yes, I can use that DNS server that you mentioned without any problem. I 
have my PC set to use it right now. And I know of others that anyone can 
use too, but I'm not going to give details in case they would not like this 
info to get out. ;-)

Priscilla


Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Priscilla Oppenheimer




Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35784&t=35703



RE: DNS Request Redirection [7:35703]

2002-02-18 Thread Mark Odette II

Chuck, et al.,

One DNS Server IP that I've used for years when I don't have a specific IP
given when doing installations for customers, i.e., they don't tell me any
additional info in regards to whether or not their ISP told them to use
X.X.X.X and Y.Y.Y.Y for their client DNS settings, is a UUNet DNS Cache
server:

198.6.1.2

Never had any problems with it yet.

But then again, I don't keep them on that DNS Setting... It's usually just
for initial install/test for DNS /Internet connectivity.  Then I go get the
rest of the information.  And again, these steps are only performed this way
when the customer contact is quite busy, and disappears on me within minutes
of me confirming my arrival to work, or they have the classic response of
"Uh, I'm not sure right now... lemme go try to dig that info up in our
paperwork..." and they still don't come back for an extended period of time.

Otherwise, I work efficiently, and request all of the specific configuration
info up front as part of the install plan. :)

SO.. Give the UUNet Caching server a spin, and let us know if it fails
certain queries.

Mark


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 2:25 PM
To: [EMAIL PROTECTED]
Subject: Re: DNS Request Redirection [7:35703]


the simple way to test this would be to set your workstation with some other
ISP's DNS address, and see how things go. In one of my posts I provided the
real IP of an active DNS server. Someone want to give it a try? or post one
that you know about. I'll be happy to test.

I wish the guy who posted the original question would get back to us with
his results.

Chuck


Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Priscilla Oppenheimer

Oh, sorry, I misunderstood his comment about forwarding. Yes, the new ISP 
has to send the packets to the old ISP because the users are using the old 
ISP's DNS server. As you say, this should work unless the old ISP denies 
requests coming from sources outside its IP address range. (And that may 
not be the case, see my other comment! ;-)

Priscilla

At 02:16 PM 2/18/02, Chuck wrote:
>hhmmm.
>
>as I understand the original question, each workstation in the network in
>question is hard coded for DNS.
>
>So, if for example, my machine is hard coded for DNS server 207.126.96.162
>( my ISP DNS server ) and I change ISP's, and make no changes to my
>workstation, then any DNS request will have a destination address of
>207.126.96.162
>
>The question, as I understand, if how to change that destination address
>without making workstation visits.
>
>Policy routing can change next hop, but not destination address. NAT
>outbound changes source address, not destination address.
>
>Unless there is a packet interceptor that takes all DNS requests, and
>physically changes the destination address, the user has few options.
>
>Again, IF the former ISP does not restrict DNS requests to its own address
>space, i.e. accepts DNS requests from anywhere, then there is no problem,
>and no changes need be made.
>
>However IF ( and this would be good practice for a lot of reasons ) the
>former ISP does indeed restrict DNS requests to source addresses within its
>own space, then there will have to be additional changes on the user
>network.
>
>This whole discussion illustrates why people SHOULD follow best practice
>from the get go. If they want to hard code IP's, then I believe DHCP can be
>configured so that it provides only DNS info and default gateway info, for
>example. the people who have insisted that their network hard code
>everything are now learning the hard lesson.
>
>Chuck
>
>
>"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> > At 05:11 AM 2/18/02, Godswill HO wrote:
> > >You can still use your former ISP's DNS records while using the new ISP's
> > >bandwidth. It does not matter who owns the DNS server. Everybody have
> > >access to it once they are in the internet. Except when they are
> > >specifically filtered.
> > >
> > >The only drawn back is that, Your new ISP have to forward the packet in a
> > >round trip to the old ISP's network through the internet before they are
> > >resolved and sent back to you machine,
> >
> > It would depend on what records they are accessing. If the users are going
> > to the Internet and accessing sites such as www.cisco.com and
> > www.groupstudy.com, for example, the DNS queries don't have to go back to
> > the original ISP.

Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Marc Thach Xuan Ky

Recursion is precisely what he was concerned about.  As you have
alluded, there are two roles for a DNS server, caching (which requires
recursion), and authoritative.  An ISP does not need to publish the
addresses of an authoritative nameserver, those addresses are stored in
the distributed database and are therefore found naturally.  The only
reason for publishing an ISP's DNS server addresses to their customers is
for use as caching servers (often confusingly called resolvers).
Whereas using another ISP's DNS cache servers may be technically possible
right now because of lax practices, I wouldn't want all my users to be
cut off by events beyond my control e.g. when said lax ISP engages a
half-decent DNS consultant.  Within DNS circles the practice is frowned
upon, and it might be held that it is actually criminal in several
jurisdictions.  My own belief is that running your own caching DNS
server is almost always the best solution, but then I am biased since
DNS is my specialism :-)
rgds
Marc TXK

Priscilla Oppenheimer wrote:
> 
> At 12:28 PM 2/18/02, Marc Thach Xuan Ky wrote:
> >Any decent ISP will refuse DNS recursion from any IP address that is not
> >within its own address space.
> 
> He wasn't asking about recursion. He was asking about the initial query
> from the end host. Although I could believe you that a service provider
> should make sure these queries only come from customers, my experience is
> that service providers don't do this. I can set my PC to use a variety of
> DNS servers around the Internet and it works.
> 
> I think it's because it's tricky to do, especially for small ISPs. Some
> ISPs might have only one DNS server. The same server that provides DNS
> services to Internet-access customers may also be the authority for various
> names managed by the ISP. The ISP may be doing Web hosting and be the
> authority for a bunch of names. In that case, it can't filter out DNS
> queries coming from the Internet.
> 
> For example, say your PC asks your local DNS server to resolve
> www.priscilla.com. Your server can't do it. It asks its upstream server,
> probably one of the root servers. The root server figures out that
> petiteisp.com owns www.priscilla.com and tells your server the IP address
> of the authoritative name server at petiteisp.com. Your server queries
> petiteisp.com which gives your server the IP address for www.priscilla.com.
> Your server finally responds to your PC.
> 
> Notice that the query to petiteisp.com came from some unexpected IP address
> that can't be anticipated in a filter. If petiteisp.com had a filter to
> allow queries only from its customers, the query from your server would
> have failed.
> 
> Did that make sense? ;-) How to bigger ISPs handle this? I suppose bigger
> ISPs have more than one DNS server, one for Internet access customers, and
> one that is the authority for names owned by the ISP.
> 
> Priscilla
> 
> >  This is fundamental to DNS security.
> >You need to rewrite the destination IP address.  Note that Cisco's NAT
> >is not suitable for this because of the DNS ALG.  The easiest thing to
> >do may be to provide an on-site cacheing DNS using the old ISPs DNS
> >addresses.  If you've got a lot of workstations and a decent bandwidth
> >to the Internet, you will probably find that running your own DNS cache
> >will be more satisfactory anyway.
> >rgds
> >Marc TXK
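
The split Marc and Priscilla are arguing about above, authoritative answers for anyone on the Internet versus recursion only for your own address space, modelled as an added example that is not code from the thread or from any product mentioned in it. The zone names, the customer network ranges and the decision labels are constructed assumptions; the wire format is plain RFC 1035.

```python
"""Policy model for a DNS server that is both authoritative and caching.

Added example (not from the thread). It shows why a dual-role server cannot
simply filter by source address: answers for its own zones must go to any
resolver on the Internet, while recursion (RD=1 for names outside those
zones) is honoured only for the server's own address space.
"""
import ipaddress
import struct

# Constructed sample configuration (hypothetical ISP from the thread's example).
AUTHORITATIVE_ZONES = ("petiteisp.com.", "priscilla.com.")
RECURSION_ALLOWED_FROM = [ipaddress.ip_network("198.51.100.0/24"),  # customer space
                          ipaddress.ip_network("192.0.2.0/24")]

FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
RCODE_REFUSED = 5


def encode_name(name):
    """Encode 'www.example.com.' into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, recursion_desired=True, qid=0x1234):
    """Build a one-question DNS query; qtype 1 is an A record."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode a wire-format name, following compression pointers.

    Returns (name, offset_after_name_in_the_original_position).
    """
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def parse_query(msg):
    """Return (id, flags, qname, qtype) of a single-question DNS query."""
    qid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return qid, flags, qname, qtype


def in_authoritative_zone(qname):
    return any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def decide(msg, src_ip):
    """Classify a query as a correctly configured dual-role server would.

    Returns 'authoritative', 'recurse' or 'refused'.
    """
    _, flags, qname, _ = parse_query(msg)
    if in_authoritative_zone(qname):
        return "authoritative"          # any resolver on the Internet may ask
    src = ipaddress.ip_address(src_ip)
    if (flags & FLAG_RD) and any(src in net for net in RECURSION_ALLOWED_FROM):
        return "recurse"                # a customer using us as its cache
    return "refused"                    # open-resolver use from outside denied


def response_flags(decision, query_flags):
    """Flags word for the reply; RA is advertised only where recursion was granted."""
    flags = FLAG_QR | (query_flags & FLAG_RD)
    if decision == "recurse":
        flags |= FLAG_RA
    elif decision == "refused":
        flags |= RCODE_REFUSED
    return flags
```

The same decision table is what `dig +norecurse` against a candidate server probes in the tests Chuck proposes: a REFUSED reply with RA clear to a recursive query for a foreign name means the server is not an open cache for you.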

Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Marc Thach Xuan Ky

Tim,
If you wish to provide authoritative DNS service from behind a NAT
router, then with a Cisco the NAT code contains various ALGs
(application level gateway I think) including one for DNS.  This ALG
translates A records, MX and PTR records where it can.  IIRC if it can't
then the response is not passed at all (which many people believe is a
major issue).  So if the DNS server is behind the same NAT boundary as
the servers, all well and good, just use the private addresses in the
DNS and they'll be translated.  However if the DNS server is not behind
the same NAT boundary as the servers, then you're stuffed.  In DNS
circles, the purists don't like all this because this technique is
probably not possible to maintain for more complex DNS record types, and
I believe it only does UDP, so I guess that it isn't "best practice".
rgds
Marc TXK


Tim Booth wrote:
> 
> Out of curiosity, what is the "best practice" for someone who has a
> DNS server on their private network with a private IP address? How would
> one go about doing this with a router? Is it impossible? Is the "best
> practice"/only possibly way to have the DNS server having a public IP
> address (in a DMZ)?
> 
> Kind Regards,
> Tim Booth
> MCDBA, CCNP, CCDP, CCIE written
> -
> Those who would give up essential liberty to purchase a little temporary
> safety deserve neither liberty nor safety.
> Benjamin Franklin, 1759
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35807&t=35703



Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Chuck

yep - seems to work just fine.

Chuck


"Mark Odette II" wrote in message news:[EMAIL PROTECTED]...
> Chuck, et al.,
>
> One DNS Server IP that I've used for years when I don't have a specific IP
> given when doing installations for customers, i.e., they don't tell me any
> additional info in regards to whether or not their ISP told them to use
> X.X.X.X and Y.Y.Y.Y for their client DNS settings, is a UUNet DNS Cache
> server:
>
> 198.6.1.2
>
> Never had any problems with it yet.
>
> But then again, I don't keep them on that DNS Setting... It's usually just
> for initial install/test for DNS /Internet connectivity.  Then I go get the
> rest of the information.  And again, these steps are only performed this way
> when the customer contact is quite busy, and disappears on me within minutes
> of me confirming my arrival to work, or they have the classic response of
> "Uh, I'm not sure right now... lemme go try to dig that info up in our
> paperwork..." and they still don't come back for an extended period of time.
>
> Otherwise, I work efficiently, and request all of the specific configuration
> info up front as part of the install plan. :)
>
> SO.. Give the UUNet Caching server a spin, and let us know if it fails
> certain queries.
>
> Mark
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 18, 2002 2:25 PM
> To: [EMAIL PROTECTED]
> Subject: Re: DNS Request Redirection [7:35703]
>
>
> the simple way to test this would be to set your workstation with some other
> ISP's DNS address, and see how things go. In one of my posts I provided the
> real IP of an active DNS server. Someone want to give it a try? or post one
> that you know about. I'll be happy to test.
>
> I wish the guy who posted the original question would get back to us with
> his results.
>
> Chuck
>
> "Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> > At 12:28 PM 2/18/02, Marc Thach Xuan Ky wrote:
> > >Any decent ISP will refuse DNS recursion from any IP address that is not
> > >within its own address space.
> >
> > He wasn't asking about recursion. He was asking about the initial query
> > from the end host. Although I could believe you that a service provider
> > should make sure these queries only come from customers, my experience is
> > that service providers don't do this. I can set my PC to use a variety of
> > DNS servers around the Internet and it works.
> >
> > I think it's because it's tricky to do, especially for small ISPs. Some
> > ISPs might have only one DNS server. The same server that provides DNS
> > services to Internet-access customers may also be the authority for various
> > names managed by the ISP. The ISP may be doing Web hosting and be the
> > authority for a bunch of names. In that case, it can't filter out DNS
> > queries coming from the Internet.
> >
> > For example, say your PC asks your local DNS server to resolve
> > www.priscilla.com. Your server can't do it. It asks its upstream server,
> > probably one of the root servers. The root server figures out that
> > petiteisp.com owns www.priscilla.com and tells your server the IP address
> > of the authoritative name server at petiteisp.com. Your server queries
> > petiteisp.com which gives your server the IP address for www.priscilla.com.
> > Your server finally responds to your PC.
> >
> > Notice that the query to petiteisp.com came from some unexpected IP address
> > that can't be anticipated in a filter. If petiteisp.com had a filter to
> > allow queries only from its customers, the query from your server would
> > have failed.
> >
> > Did that make sense? ;-) How do bigger ISPs handle this? I suppose bigger
> > ISPs have more than one DNS server, one for Internet access customers, and
> > one that is the authority for names owned by the ISP.
> >
> > Priscilla
> >
> > >  This is fundamental to DNS security.
> > >You need to rewrite the destination IP address.  Note that Cisco's NAT
> > >is not suitable for this because of the DNS ALG.  The easiest thing to
> > >do may be to provide an on-site caching DNS using the old ISP's DNS
> > >addresses.  If you've got a lot of workstations and a decent bandwidth
> > >to the Internet, you will probably find that running your own DNS cache
> > >will be more satisfactory anyway.
> > >rgds

Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Michael Hair

I have been re-reading the posts again and I have one question.

I believe what Chuck says is true: outbound NAT changes the source
address, not the destination address.

So

Would it be possible to change the destination address on the inbound side?

For example.

Let's say I have a web server behind my router doing NAT, 192.168.75.105. How
would I tell the router to redirect connections going to 209.165.166.59 port
80 to 192.168.75.105 port 80? So I would be using the private address on the
inside but still want the public IP address to be used by the outside
world. Would this not be changing the destination address?

Can this actually be done ?

Thanks
Michael




"Chuck" wrote in message news:[EMAIL PROTECTED]...
> hhmmm.
>
> as I understand the original question, each workstation in the network in
> question is hard coded for DNS.
>
> So, if for example, my machine is hard coded for DNS server 207.126.96.162
> ( my ISP DNS server ) and I change ISP's, and make no changes to my
> workstation, then any DNS request will have a destination address of
> 207.126.96.162
>
> The question, as I understand, is how to change that destination address
> without making workstation visits.
>
> Policy routing can change next hop, but not destination address. NAT
> outbound changes source address, not destination address.
>
> Unless there is a packet interceptor that takes all DNS requests, and
> physically changes the destination address, the user has few options.
>
> Again, IF the former ISP does not restrict DNS requests to its own address
> space, i.e. accepts DNS requests from anywhere, then there is no problem,
> and no changes need be made.
>
> However IF ( and this would be good practice for a lot of reasons ) the
> former ISP does indeed restrict DNS requests to source addresses within its
> own space, then there will have to be additional changes on the user
> network.
>
> This whole discussion illustrates why people SHOULD follow best practice
> from the get go. If they want to hard code IP's, then I believe DHCP can be
> configured so that it provides only DNS info and default gateway info, for
> example. the people who have insisted that their network hard code
> everything are now learning the hard lesson.
>
> Chuck
>
>
> "Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> > At 05:11 AM 2/18/02, Godswill HO wrote:
> > >You can still use your former ISP's DNS records while using the new ISP's
> > >bandwidth. It does not matter who owns the DNS server. Everybody has access
> > >to it once they are in the internet. Except when they are specifically
> > >filtered.
> > >
> > >The only drawback is that your new ISP has to forward the packet in a
> > >round trip to the old ISP's network through the internet before they are
> > >resolved and sent back to your machine,
> >
> > It would depend on what records they are accessing. If the users are going
> > to the Internet and accessing sites such as www.cisco.com and
> > www.groupstudy.com, for example, the DNS queries don't have to go back to
> > the original ISP.
> >
> > >had it been you are using the DNS of
> > >your new ISP, these requests would stop there. Do not lose your sleep,
> > >because at the worst these delays are in milliseconds and not easily
> > >noticeable by the eye, moreover each machine has a cache so it does not
> > >forward every request. Great if you have a Cache Engine to complement the
> > >machine's cache.
> > >
> > >Whatever, you are kool and everything will be fine, switch to your new ISP
> > >and enjoy.
> > >
> > >Regards.
> > >Oletu
> > >- Original Message -
> > >From: Michael Hair
> > >To:
> > >Sent: Sunday, February 17, 2002 8:07 PM
> > >Subject: DNS Request Redirection [7:35703]
> > >
> > >
> > > > I was wondering what is the best way to take care of the following:
> > > >
> > > > I have been using a private address space behind a Cisco 4500 router
> > > > connected up to our current ISP using NAT, now we want to move our
> > > > connection from our current ISP to a new ISP with better bandwidth. My
> > > > problem is that we don't want to change all our client machines' TCP/IP
> > > > settings, which are all static, for some reason or another they were all
> > > > setup to use our ISP's DNS. Not my idea but that's another problem. So

Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Chuck

I think what you are talking about is a static NAT ( conduit, in Cisco
speak ).

It's done all the time, for just the reason you mention. Any device for
which you want / need a single internet face, use a static NAT.

Chuck

"Michael Hair" wrote in message news:[EMAIL PROTECTED]...
> I have been re-reading the posts again and I have one question.
>
> I believe what Chuck says is true: outbound NAT changes the source
> address, not the destination address.
>
> So
>
> Would it be possible to change the destination address on the inbound side?
>
> For example.
>
> Let's say I have a web server behind my router doing NAT, 192.168.75.105. How
> would I tell the router to redirect connections going to 209.165.166.59 port
> 80 to 192.168.75.105 port 80? So I would be using the private address on the
> inside but still want the public IP address to be used by the outside
> world. Would this not be changing the destination address?
>
> Can this actually be done ?
>
> Thanks
> Michael
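The two translations the thread circles around, written out as IOS configuration; this is an added example, not anything posted in the thread. It shows the static NAT from Chuck's answer for the web server beside the outside-source mapping that rewrites a DNS packet's destination address, which is the thread's original question. The addresses are the ones quoted in the thread (192.168.75.105, 209.165.166.59, 207.126.96.162, 198.6.1.2); interface names, link addresses, the 192.168.75.0/24 inside subnet and the ISP next hop are assumptions.

```cisco
! Added example, not from the thread. Interface names, the inside subnet
! 192.168.75.0/24, the link addresses and the ISP next hop are assumed;
! the ISP is assumed to route the public block holding 209.165.166.59 here.
interface FastEthernet0/0
 description Inside LAN (assumed)
 ip address 192.168.75.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description Link to the new ISP (assumed)
 ip address 209.165.166.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
ip route 0.0.0.0 0.0.0.0 209.165.166.1
!
! 1. Ordinary outbound NAT (PAT): this is the "NAT changes the source
!    address" case Chuck describes. Inside hosts share the link address.
ip access-list standard INSIDE-NETS
 permit 192.168.75.0 0.0.0.255
ip nat inside source list INSIDE-NETS interface Serial0/0 overload
!
! 2. The static NAT from Chuck's answer: an inbound TCP/80 packet for the
!    public address gets its DESTINATION rewritten to the private web
!    server; the server's replies leave with the public source address.
ip nat inside source static tcp 192.168.75.105 80 209.165.166.59 80
!
! 3. The thread's original question, as an outside-source mapping: an inside
!    packet addressed to the old ISP's resolver (207.126.96.162, Chuck's
!    example) has its destination rewritten to the new resolver (198.6.1.2,
!    Mark's example) and the reply is mapped back, so clients need no change.
!    The default route already carries 207.126.96.162 out the outside
!    interface; without one, add the add-route keyword or a host route.
!    Marc's DNS ALG caveat applies: NAT also rewrites addresses found inside
!    DNS payloads that match a translation, so test real lookups first.
ip nat outside source static 198.6.1.2 207.126.96.162
!
! A static NAT exposes the server: admit only the published port and the
! return traffic of sessions opened from inside. Input ACLs on the outside
! interface are evaluated before translation, so they match public addresses.
! "established" is the classic shortcut; reflexive ACLs or CBAC (ip inspect)
! are the stateful alternatives for a production router.
ip access-list extended OUTSIDE-IN
 permit tcp any host 209.165.166.59 eq www
 permit udp host 198.6.1.2 eq domain any
 permit tcp any any established
 deny   ip any any log
!
! Verify from privileged exec: show ip nat translations / show ip nat statistics
```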