Nat – External Requests to Internal DNS Server

domain-name-systemnat;reverse-proxy

What would be the best way to configure my internal NAT network to handle external DNS requests? i.e.:

Domain 'example.com' is pointed to my public IP address on the WAN port of the router.
Internal network has DNS server at 'ns1.example.com'.
Client from external network wants to connect to 'web-server.example.com'.
Client from external network wants to connect to 'confluence.example.com'.
'ns1.example.com' resolves both clients and users can connect to them.

I don't want to simply just port forward a bunch of things and configure a bunch of port redirects for all my SSH, RDP, and web servers. I'd like to have sub-domains available through NAT. Would this be configured on the router for all queries to be redirected to ns1.example.com? Would a reverse-proxy be the way to go? The simpler the better.

Best Answer

Given that all the services you want to run are HTTP/HTTPS you will need a DNS service and a reverse proxy.

Authoritative DNS Service

You will need at least two DNS servers that hosts your zone. One of them can run behind your NAT, the other one can't. The best setup in this case is probably the master zone behind your NAT, accessible through port-forwarding from the outside and a slave zone somewhere in the internet.

Once you've got that setup you can then make the registry point to your nameservers for your domain and add records for your services pointing at your NAT ip.

Alternative: Just configure the dns-zone in your provider's web-interface or whatever.

Reverse Proxy

Install a reverse-proxy (Apache, nginx, varnish, whatever) that will handle the HTTP/HTTPS traffic for all your services. Set up a NAT port-forwarding for 80/tcp and 443/tcp that points to that proxy.

Theory of operation

When a clients wants to connect to yourservice.example.com it will resolve DNS for that name and get your NAT ip address. The client will then connect to the NAT address on 80/tcp or 443/tcp and will be port-forwarded to your proxy.

The client now either sends a HTTP request with a Host-Header or initiates a SSL-handshake with SNI. In both cases the reverse-proxy will be able to see that the request was for yourservice.example.com and can then forward the request to the correct application server.

Related Solutions

Overriding some DNS entries in BIND for internal networks

The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.

https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html

EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.

My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.

Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                          2015112501   ; serial
                          1h           ; refresh
                          30m          ; retry
                          1w           ; expiry
                          30m)         ; minimum
                   IN     NS    localhost.

localhost       A   127.0.0.1

www.some-website.com    A        127.0.0.1

www.other-website.com   CNAME    fake-hostname.com.

What does it do?

it overrides the IP address for www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
it sends traffic for www.other-website.com to another site called fake-hostname.com

Anything that could go in a Bind zone file you can use here.

To activate these changes there are a few more steps:

Edit named.conf.local and add this section:

zone "rpz" {
  type master;
  file "/etc/bind/db.rpz";
};

The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.

Edit named.conf.options and somewhere in the options { } section add the response-policy option:

options {
  // bunch
  // of
  // stuff
  // please
  // ignore

  response-policy { zone "rpz"; };
}

Now restart Bind:

service bind9 restart

That's it. The nameserver should begin overriding those records now.

If you need to make changes, just edit db.rpz, then restart Bind again.

Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:

logging {
    // stuff
    // already
    // there

    channel my_syslog {
        syslog daemon;
        severity info;
    };
    category queries { my_syslog; };
};

Restart Bind again and that's it.

Test it on the machine running Bind:

dig @127.0.0.1 www.other-website.com. any

If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1

I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.

How to properly configure BIND forward zone for an internal DNS server

Add a 'forward only;' statement to the forwarded zone:

zone "subzone.mydns.example.com" {
    type forward;
    forward only;
    forwarders { 192.168.0.4; };
};