DNS hairpinning/accessing external IP inside NAT

I've got a web server/file server running on a small network that is connected to the outside world via an ADSL line. Everything works great, but the problem we have is that we can't access the web site or server via the URL from inside the network, presumably due to NAT.

My question is: is there any way around this? I can use the HOST file to redirect the URL to an internal IP, but that's no good on the iOS devices we use. Is there perhaps something at the router level?

I've heard of Hairpinning but still trying to get my head around it.

Cheers.
 
> My question is: is there any way around this? I can use the HOST file to redirect the URL to an internal IP, but that's no good on the iOS devices we use. Is there perhaps something at the router level?

No NAT loopback?

From experience "home grade" routers don't have it, but "business grade" routers do. Very much a YMMV.
 
Sorry, should have added - the router is one of Sky's own, so pretty much useless.

That said, DNS etc. is handled by an Amahi VM, and I don't mind chopping/changing that to make it work.

The other potential issue is I have multiple Vhosts on the one IP. Would any solution still pass the original requested IP through to Apache so it can serve the right site?
 
In answer to your second question you have three options:

1.) Separate ports for each site, so users would access via

site1.domain.com:81
site2.domain.com:82

2.) An ISA-type box / or a free version handling the traffic

so incoming DNS would be looked at and directed to the correct back-end port

site1.domain.com > server1:80

3.) Host headers, where the web server looks at the incoming domain requests and applies a rule

site1.domain.com = site1
site2.domain.com = site2

all handled by Apache

Hope that helps
 
> In answer to your second question you have three options:
>
> 1.) Separate ports for each site, so users would access via
>
> site1.domain.com:81
> site2.domain.com:82
>
> 2.) An ISA-type box / or a free version handling the traffic
>
> so incoming DNS would be looked at and directed to the correct back-end port
>
> site1.domain.com > server1:80
>
> 3.) Host headers, where the web server looks at the incoming domain requests and applies a rule
>
> site1.domain.com = site1
> site2.domain.com = site2
>
> all handled by Apache
>
> Hope that helps

Option 3 is how it works now. Apache sees you want site A and pushes the requests to the right directory. Thing is, if I have something directing to a local IP, Apache wouldn't know which URL was requested, would it?
 
I think #Chri5# has the right idea. Microsoft SBS does this by using authoritative DNS on the internal DNS server. The URL stays the same, but the DNS points it to the private IP for internal users only.
 
> Option 3 is how it works now. Apache sees you want site A and pushes the requests to the right directory. Thing is, if I have something directing to a local IP, Apache wouldn't know which URL was requested, would it?

Host headers can be done purely with the domain name and can all quite happily sit on the same local IP. That's what they were designed for. It gets a little more complicated when you add SSL into the equation, though.
 
If the web host content does not depend on the external domain to function, which can often be the case, you can simply substitute the external domain name for the internal domain name. This works with Outlook Web Access, for example.

external: https://owa.externaldomain.com
internal: https://internalexchangedns/exchange/ (internalexchangedns = Exchange internal server name)

If you need to access it for testing, then the limitation is that you are not testing the accessibility of the NAT, only that the HTTP is up.

I think another option, but I could be wrong here, would be to have external outgoing internet go out on a different IP than the external destination address of the NAT. That way, when you try to access the domain, it does not have the same source and destination address. Alternatively you could set up an externally hosted proxy and access it via that.
 
> If the web host content does not depend on the external domain to function, which can often be the case, you can simply substitute the external domain name for the internal domain name. This works with Outlook Web Access, for example.
>
> external: https://owa.externaldomain.com
> internal: https://internalexchangedns/exchange/ (internalexchangedns = Exchange internal server name)
>
> If you need to access it for testing, then the limitation is that you are not testing the accessibility of the NAT, only that the HTTP is up.
>
> I think another option, but I could be wrong here, would be to have external outgoing internet go out on a different IP than the external destination address of the NAT. That way, when you try to access the domain, it does not have the same source and destination address. Alternatively you could set up an externally hosted proxy and access it via that.

External proxy. Now that sounds interesting.

I'm not sure how I'd set any of these DNS solutions up, unless someone can point me in the right direction?

Cheers.
 
As per the other thread: DNS server internally, configured appropriately. Modify the DHCP scope on the router to point to that server for DNS.

If the router won't let you modify client DNS in the DHCP scope, disable DHCP on the router and set that up on the server too.
 
Well, I did have DNS and DHCP handled via Amahi, but I've just killed that VM and added the required roles to my Windows 2012 VM. I'm told split DNS is easier via this method. We shall see!

I've got a similar thread running on AVForums if anyone fancies a wander over. Same thread title.
 
DNS and DHCP are incredibly simple on a Windows server. Configure a forward lookup zone for your domain, add the hostname to it with the internal IP, set a forwarder for your ISP's DNS....

Configure DHCP to give the windows server as the DNS server, the router as the default gateway. Job done

It's really simple, not sure why the thread has gotten so complicated
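The zone, A records, forwarder and DHCP scope described above, written out as an added PowerShell example for Windows Server 2012 (not code from the thread). It assumes made-up addresses: the DNS/DHCP VM at 192.168.1.5, the web server at 192.168.1.10, the Sky router at 192.168.1.1, the public zone example.com with hosts site1 and site2, and a placeholder ISP resolver.

```powershell
# Added example: split-horizon DNS + DHCP on Windows Server 2012.
# All addresses and names below are assumptions for illustration.
Import-Module DnsServer
Import-Module DhcpServer

$dnsServer = '192.168.1.5'      # this VM (DNS + DHCP roles)
$webServer = '192.168.1.10'     # Apache box, private address
$router    = '192.168.1.1'      # default gateway
$zone      = 'example.com'      # the public domain
$ispDns    = '203.0.113.53'     # placeholder: replace with the ISP's resolver

# 1. Internal, file-backed copy of the public zone (use -ReplicationScope
#    instead of -ZoneFile if this server is a domain controller).
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns"
}

# 2. Each public hostname resolves to the web server's private IP on the LAN.
#    The name the browser typed is unchanged, so it still sends
#    "Host: site1.example.com" and Apache's name-based vhosts keep working.
foreach ($name in 'site1', 'site2') {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $webServer
}
# Caveat: this server is now authoritative for the whole zone internally, so any
# other public records (mail, etc.) must be duplicated here or they vanish on the LAN.

# 3. Everything outside the zone is forwarded upstream.
Set-DnsServerForwarder -IPAddress $ispDns

# 4. DHCP: hand out this server as DNS and the router as default gateway
#    (disable DHCP on the router first so only one server answers).
Add-DhcpServerv4Scope -Name 'LAN' -StartRange 192.168.1.100 `
    -EndRange 192.168.1.200 -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId 192.168.1.0 -DnsServer $dnsServer `
    -Router $router -DnsDomain $zone

# 5. Check: a LAN client should now get the private IP for the public name,
#    while an outside resolver still returns the public one.
Resolve-DnsName -Name "site1.$zone" -Server $dnsServer -Type A
```

Run the final Resolve-DnsName once against the ISP resolver too; if both answers are the same address, the internal zone is not being used.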
 
It's simple for someone who knows what they are doing and knows the IT acronyms. Not everything is simple in the world, especially if you don't know what you are doing or don't understand the concept.

You need to know how Windows Server works, too. Windows Server 2012's nothing like the systems I've used before. It takes a bit of clicking around before you understand how it's wanting things doing.
 
> It's simple for someone who knows what they are doing and knows the IT acronyms. Not everything is simple in the world, especially if you don't know what you are doing or don't understand the concept.

If you don't know the acronyms and aren't interested in learning off your own back, why would you bother playing around with servers at home?
 