The problem of resolving public network domain names to intranet addresses in intranet environment

2025-01-14 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

The firewall enables the DNS ALG feature by default. With it enabled, the firewall does not pass the server's public network address, as answered by the domain name server, on to the client; it returns only the private network address.

When a NAT device applies DNS ALG to DNS response messages from the public network, the payload contains only the domain name and the public IP address of the application server (not the transport protocol type or port number). So when several NAT servers are configured on the interface with the same public network address but different internal addresses, DNS ALG, which matches the internal server by IP address alone, may get the wrong result. DNS mapping solves this: you specify the mapping between the domain name and the public IP address, port and protocol of the application server. From the domain name, the device obtains the public IP address, port and protocol of the application server, and then exactly matches the internal server configuration (on the current NAT interface) to obtain the private IP address of the application server.

NAT server without port mapping

For example, nat server global 124.250.45.21 inside 10.16.8.220

With the ALG feature enabled, this case does not produce a wrong private network address for the public network address returned by the domain name server.

NAT server with port mapping

If different ports of one public network address correspond to different private network addresses, the private address can be mixed up: the domain name resolves to a single public address, but the firewall's NAT server entries map that address to several private addresses, so there is no telling which one will be returned to intranet users. The solution is to configure DNS mapping:

nat dns-map domain www.server.com protocol tcp ip 202.38.1.2 port http

nat dns-map domain ftp.server.com protocol tcp ip 202.38.1.2 port ftp
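The lookup described above can be modelled in a few lines. This is an added sketch, not code from the article or from any firewall vendor: it compares an IP-only match with a DNS-map match, and the 10.0.0.x inside addresses and all function names are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

class NatServer(NamedTuple):
    protocol: Optional[str]      # None = one-to-one mapping, no port mapping
    global_ip: str
    global_port: Optional[int]
    inside_ip: str

class DnsMap(NamedTuple):
    domain: str
    protocol: str
    ip: str
    port: int

# Public addresses and domain names come from the article; the 10.0.0.x
# inside addresses are constructed for this sketch.
NAT_SERVERS = [
    NatServer(None, "124.250.45.21", None, "10.16.8.220"),
    NatServer("tcp", "202.38.1.2", 80, "10.0.0.10"),   # http
    NatServer("tcp", "202.38.1.2", 21, "10.0.0.20"),   # ftp
]
DNS_MAPS = [
    DnsMap("www.server.com", "tcp", "202.38.1.2", 80),
    DnsMap("ftp.server.com", "tcp", "202.38.1.2", 21),
]

def alg_by_ip_only(answer_ip, servers):
    """Every inside address whose public IP equals the A record in the reply."""
    return [s.inside_ip for s in servers if s.global_ip == answer_ip]

def alg_with_dns_map(qname, answer_ip, servers, maps):
    """Domain -> (protocol, ip, port) via DNS map, then exact NAT server match."""
    name = qname.rstrip(".").lower()
    for m in maps:
        if m.domain != name or m.ip != answer_ip:
            continue
        for s in servers:
            if (s.protocol, s.global_ip, s.global_port) == (m.protocol, m.ip, m.port):
                return s.inside_ip
    return None  # no DNS map entry for this name

if __name__ == "__main__":
    print(alg_by_ip_only("124.250.45.21", NAT_SERVERS))  # one candidate
    print(alg_by_ip_only("202.38.1.2", NAT_SERVERS))     # two candidates: ambiguous
    for name in ("www.server.com", "ftp.server.com"):
        print(name, alg_with_dns_map(name, "202.38.1.2", NAT_SERVERS, DNS_MAPS))
```

With only the IP address to go on, 202.38.1.2 yields two candidate inside addresses; with the DNS map, each domain name resolves to exactly one.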
