Running Nameserver behind NAT

by mindflame   Last Updated June 18, 2017 08:00 AM

Thank you supporting me for all the questions raised here. I have another question, which might be stupid. I am having a internet connection with a static ip from my ISP. I do have mail servers and webservers hosted from it. What i would like to achieve is run couple of nameservers by getting another static ip from my ISP.

I tried to setup a nameserver by NAT-ing and forwarding PORT 53 for udp & tcp traffic. But still when i try to query a record for a zone on my nameserver using dig externally or internally , i get an error "no servers could be reached". Is there any guide or information that would help me to setup the nameservers behind NAT or help me solve this issue?

My ISP has confirmed that they do not have blocks or filters in place. I have also confirmed that no ports are being blocked or filtered from my end too. The name of the nameserver is ns1.sitehosters.in.



Answers 2


If you want to run a nameserver that is the authority for an Intenet zone then it will need to be properly addressed with an public IP.

If you must put a name server behind a NAT, then the NAT device must incorporate an appropriate Application Layer Gateway (ALG). Although many NAT devices will incorporate an ALG suitable for NATing the client IP address I don't know if any of them are built to NAT SOA records etc.

If you only have /32 public addresses then you might be able to port-forward through your outer router and then push that through a second NAT device to restore the original destination IP address. Off the top of my head this should work but I haven't thought it through at length.

I haven't looked at yopu configs in detail but notice that you've got 8.8.8.8 defined as name server. Unless you want to restrict your name server to authoritative-only then you'd have that set to 127.0.0.1.

On reflection NATing twice shouldn't be necessary. The DNS server may need to have an interface on it with the public IP address though, you can probably achieve that with a secondary IP on an interface.

marctxk
marctxk
June 19, 2017 11:51 AM

I figured it out. The ISP had a filter on port 53 even though it was open. Got to change the ISP as they cant remove the block. Thanks all for the time spend solving the issue

mindflame
mindflame
July 03, 2017 09:39 AM

Related Questions



split-horizon with systemd-resolved

Updated September 26, 2018 07:00 AM

Conditional Forwarder windows 2008 server

Updated July 27, 2015 17:00 PM