DNS hairpinning/accessing external IP inside NAT

Soldato (joined 4 Oct 2003, 7,444 posts, Sheffield, S.Yorks)
I've got a web server/file server running on a small network that is connected to the outside world via an ADSL line. Everything works great, but the problem we have is that we can't access the web site or server via the URL from inside the network, presumably due to NAT.

My question is: is there any way around this? I can use the HOST file to redirect the URL to an internal IP, but that's no good on the iOS devices we use. Is there perhaps something at the router level?

I've heard of Hairpinning but still trying to get my head around it.

Cheers.
 
Sorry, should have added - the router is one of Sky's own, so pretty much useless.

That said, DNS etc is handled by an Amahi VM, and I don't mind chopping/changing that to make it work.

The other potential issue is I have multiple Vhosts on the one IP. Would any solution still pass the original requested IP through to Apache so it can serve the right site?
 
In answer to your second question you have three options:

1.) Separate ports for each site so users would access via

site1.domain.com:81
site2.domain.com:82

2.) An ISA type box / or free version handling the traffic

so incoming DNS would be looked at and directed at the correct back end port

site1.domain.com > server1:80

3.) Host headers where the web server looks at the incoming domain requests and applies a rule

site1.domain.com = site1
site2.domain.com = site2

all handled by apache

Hope that helps

Option 3 is how it works now. Apache sees you want site A and pushes the requests to the right directory. Thing is, if I have something directing to a local IP, Apache wouldn't know which URL was requested, would it?
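Added example (not from the thread) showing why option 3 keeps working when the name resolves to an internal IP: the browser builds the Host header from the URL it was given, not from the address it connected to, so Apache still sees which site was asked for. The two vhost names and the "first vhost is the default" fallback are assumptions standing in for the poster's real Apache config; everything runs on 127.0.0.1.

```python
"""Name-based virtual hosting: same IP, different Host header, different site."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for Apache's <VirtualHost> blocks: ServerName -> content served.
VHOSTS = {"site1.domain.com": b"site1 content", "site2.domain.com": b"site2 content"}
DEFAULT = "site1.domain.com"  # like Apache, fall back to the first vhost for unknown hosts


def select_vhost(host_header):
    # Drop any ":port" suffix and match case-insensitively against ServerName.
    name = (host_header or "").split(":")[0].lower()
    return name if name in VHOSTS else DEFAULT


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = VHOSTS[select_vhost(self.headers.get("Host"))]
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), Handler)  # port 0 = pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(ip, port, host_header):
    # Connect to the IP (what a hosts-file or split-DNS entry makes the browser do)
    # but send the Host header taken from the URL the user typed.
    conn = http.client.HTTPConnection(ip, port, timeout=3)
    conn.request("GET", "/", headers={"Host": host_header})
    body = conn.getresponse().read().decode()
    conn.close()
    return body


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    for host in ("site1.domain.com", "site2.domain.com"):
        print(host, "->", fetch("127.0.0.1", port, host))
    srv.shutdown()
```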
 
If the webhost content does not depend on the external domain to function, which often can be the case, you can simply substitute the external domain name for the internal domain name. This works with outlook web access for example.

external: https://owa.externaldomain.com
internal: https://internalexchangedns/exchange/ (internalexchangedns = exchange internal server name)

If you need to access it for testing, then the limitation is that you are not testing the accessibility of the nat, only that the http is up.

I think another option, but I could be wrong here, would be to have external outgoing internet go out on a different IP than the external destination address of the NAT. That way when you try to access the domain, it does not have the same source and destination address. Alternatively you could set up an external hosted proxy and access it via that.

External proxy. Now that sounds interesting.

I'm not sure how I'd set any of these DNS solutions up, unless someone can point me in the right direction?

Cheers.
 
Well, I did have DNS and DHCP handled via Amahi, but I've just killed that VM and added the required roles to my Windows 2012 VM. I'm told split DNS is easier via this method. We shall see!

I've got a similar thread running on AVForums if anyone fancies a wander over. Same thread title.
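Added example (not from the thread or from Amahi/Windows DNS) for checking that split DNS is actually in effect: it sends the same A query to the internal DNS server and to a public resolver and compares the answers, so you can see the internal server handing out the LAN address while the outside world still gets the ADSL address. The name, the internal server IP and the public resolver in the `__main__` block are assumptions; the wire-format builder and parser are minimal and handle only A records.

```python
"""Split-horizon DNS check: minimal A-record query over UDP, no third-party modules."""
import random
import socket
import struct


def build_query(name, qid):
    # Header: id, flags (RD=1), qdcount=1, an/ns/ar=0; then QNAME, QTYPE=A, QCLASS=IN.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    # Advance past a domain name; a compression pointer (0xC0..) ends the name in 2 bytes.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    _qid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):              # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):              # walk the answer section, keeping A/IN records
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_a(name, server, timeout=3.0):
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(512)
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("transaction id mismatch, ignoring reply")
    return parse_a_records(data)


if __name__ == "__main__":
    name = "site1.domain.com"                         # assumed name
    internal = resolve_a(name, "192.168.1.1")         # assumed internal DNS server
    public = resolve_a(name, "8.8.8.8")               # public resolver for comparison
    print("internal:", internal, "public:", public)
    print("split DNS in effect" if internal != public else "same answer both sides")
```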
 
It's simple for someone who knows what they are doing and they know IT acronyms. Not everything is simple in the world especially if you don't know what you are doing or don't understand the concept.

You need to know how Windows Server works, too. Windows Server 2012's nothing like the systems I've used before. It takes a bit of clicking around before you understand how it's wanting things doing.
 
Quick question whilst we are at it:

I'm reading about DHCP failover here: http://technet.microsoft.com/en-us/library/hh831385.aspx#config_dhcp2

My question: in that example, neither of the two servers has the preferred DNS set as anything outside the network, and the primary node is set as the DNS controller but pointing to itself.

Question: I've currently got my DNS server looking at Google's DNS servers. If I removed that, where would it be getting its info from?

Not convinced that makes much sense, but we'll see!

Cheers.
 
So how does it find external IPs, ie, how does it know where to route requests for external web sites?
 
It sends the queries to the forwarders and routes the reply back to the PC (you set these by giving the IP) or root servers. i.e. it uses recursion. PC <--> DNS server <--> forwarder <--> root servers

So at some point you do need to give the server an external DNS server to use?
 
Yup, that's under the forwarders tab. I tend to pick the ISP DNS server IPs out of the router status page and add them as forwarders.

I think I'd bodged it to be honest. Didn't set it up as a forwarder, but set the server's ethernet connection to use Google's DNS. Was working fine until I just started playing :)
 
Client config won't affect how the DNS server looks up external names.

If there's no forwarder, it's using root hints. If it's a domain controller, it has to be pointing to itself in the network settings. If it's not, it doesn't matter too much but wouldn't hurt.

This is all on the server, not a client. The server's ethernet port was pointing to Google instead of itself. I assume that meant all DNS requests from clients that the server couldn't resolve were being routed via that; else, well, it shouldn't have been working, should it?

Either way, doing away with that Google DNS setting killed the connectivity.
 