DNS Question 1

Status
Not open for further replies.

Zcript3r

IS-IT--Management
Aug 22, 2001
94
US
I have a site that is using 198.35.84.x as their internal IP Address Scheme, instead of a non-routable IP Address scheme. My question is:

If they are running Windows 2000 Server with Active Directory, and of course DNS Server, what if any are the ramifications of leaving the IP Addresses alone? Will that screw up how their requests get forwarded to their ISP? I don't know a lot about the inner-workings of DNS, so don't really understand if this is going to be a major problem or not.

Thanks in advance!!
Rob
 
It won't cause a problem, unless you try to communicate with a real 198.35.84.x address.

You'll be using NAT, so your internal addresses will be hidden anyway. Your ISP will assign you a range which is what the world will see.
 
If you use real world addresses that are not yours, then you have a serious problem if you connect to the Internet, because NAT is designed to translate from a non-routable address to a routable (legal) address, and it will not know how to NAT one real address to another successfully.

On top of that, if your DNS server connects to the Internet, how is it supposed to know how to route internal traffic to addresses owned by someone else out there on the Internet?

Simply put, Cease and Desist! If you are accessing the Internet with addresses you do not own, then you are causing serious problems on the Net. Change your internal addresses to legal addresses you own, or to free legal non-routable addresses and use NAT in the firewall, before your ISP shuts you off for being a nuisance.

HTH

David
 
NAT doesn't care about the addresses involved; they're just numbers. NAT will happily hide any addresses.

SOHO routers come with *default* configurations using RFC1918 addresses, but these can be changed. You cannot be seen on the Internet with any address other than what's provided by your ISP, regardless of your internal numbering scheme. The ISP should not allow any other addresses to come from your router, private or not. If you were to set up your Internet connection without NAT in this case, it just won't work.

DNS doesn't route, it only resolves. If it looks up an address which is part of your internal net, that's what will be returned to you and it won't work. That's my point.

 
lgarner, my concern is because rwasiniak74 does not say he is using NAT, and if he isn't, then his internal addresses are visible on the outside and he will interfere with real valid addresses on the Internet. Unless his interface IS using NAT, everything just gets passed out through the interface and his internal net will be messed up also if the DNS gets confused, so he is much better off to fix the problem now rather than wait for the complaints.

HTH
David
 
We are using NAT. But I have passed the concerns on to those that need to make the decision, in that it would be much easier to change everything over to non-routable addresses before it becomes a problem.

Thanks for all the great posts!! Lots of progress has been made.

rmw
 
Rob, thanks for the additional info, I feel a little better. However, your users need to understand that because they are using real addresses they do not own and are using the internet, then they will not be able to access any point on the internet that does have these same addresses, and may possibly have other problems with the DNS, depending on how your internal DNS is talking to external DNS locations to resolve address requests. (Your DNS may well be telling the next DNS level to route traffic to these real IP addresses to your net.)

In a nutshell, you really need to switch to non-routable IP addresses for your internal network, even though it may be a pain. Hopefully you do not have too many fixed IP addresses to change, but at least with Win2k and newer you can change the IP without rebooting (usually! :)). Good luck. Once you change, remember the first question you ask the user with a problem is have they rebooted their system!

HTH

David
 