On 12/09/10 12:15, Chris Bunney wrote:
> On 11 September 2010 19:57, Simon Waters <simon@xxxxxxxxxxxxxx> wrote:
>
>> I think there are quite a few routers that will direct the outbound traffic back in, in this fashion. Basically if they are proper routers, they will spot the outbound packet is destined for an internal IP address, and route it inwards. But it does mean the traffic hits the router, rather than staying on the internal network.
>
> That does seem the more sensible way to do it. In my case, all LAN traffic goes via that router anyway so that's not a problem.
>
>> However to not rely on the feature as Rob suggests just create a private view of the DNS with the internal IP address of the server for those domains. You can do that with any DNS serving software. BIND 9 is boring and bog standard but combines recursive and authoritative DNS in one server, which in this specific case is an advantage (usually it is a really bad idea, but if you are only serving internal clients it is safe enough to combine the roles like this).
>
> Am I right in thinking then, that the local DNS server would provide the authoritative DNS for the servers on the LAN, but the rest of the internet would still go to my registrar's DNS? Or would the local DNS provide the authoritative DNS for the LAN and the whole internet, but returning a LAN address or the public IP depending on where the request came from? I assume in both cases the local DNS server provides recursive DNS for all DNS lookups from the LAN.
It's a while since I did this but I don't think it's changed much: your local DNS should be set up to provide all your LAN needs. Anything not local, the DNS goes upstream (to your ISP's DNS) to ask for information about the address. This normally has a timeout on it. Your local DNS stores the data for local reuse until it times out, and then it goes and gets it again. The upstream DNS servers do the same thing all the way up to the small number of core DNS the whole thing relies on. This is why, when you change ISP or something, it can take a day or so for everyone to find you on the internet again. Or some addresses take a long time to work - though that can be the web server waking up! However, if your DNS is on a router there often isn't enough space to store all your requests and so it may repeatedly go and get the same data. If this proves a problem then a DNS with a bit of storage may come in handy. This is also useful on a Tuesday when MS release a bug fix and screw up a lot of the ISP DNS servers about the place.

Anti-DoS on a router on BB is normally a bit too late - ignore DoS traffic all you want, there won't be much else getting through and what does will probably time out. If you think you might need this, check with your ISP - and always have their TEC phone# handy in case!

Tom te tom te tom

> Someone on the Leicester LUG list pointed me to a "hidden" settings page on the Belkin control panel: "firewall_spi_h.stm". For some reason there's no link to this page; as far as I can tell, you can only access it by typing in the URL. The page contains options for stateful packet inspection and anti-DoS detection, and disabling this appears to have solved my original issue, although I'm not entirely certain whether turning those things off is a good thing or if it's leaving the router a bit too insecure. There are settings to control the SPI and anti-DoS, but I don't know what to change.
>
> Chris
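Simon's suggestion of a private DNS view (LAN-only server that is authoritative for a local copy of the zone and recursive for everything else, with the public zone left at the registrar), written out as an added BIND 9 configuration example; this is not from any poster on the thread. The LAN range 192.168.1.0/24, the domain example.org, the web server address 192.168.1.10, the forwarder addresses and the file paths are all assumed.

```conf
// Illustrative BIND 9 named.conf fragment (added example, not from the thread).
// Assumed: LAN is 192.168.1.0/24, the domain is example.org, the web server's
// LAN address is 192.168.1.10, and the public zone stays at the registrar.
acl "lan" { 192.168.1.0/24; 127.0.0.1; };

options {
    directory "/var/cache/bind";            // assumed (Debian-style) path
    // Only LAN clients may ask this server anything; the outside world never sees it,
    // which is what makes combining the authoritative and recursive roles acceptable.
    allow-query     { lan; };
    allow-recursion { lan; };
    // Ask the ISP's resolvers for everything not defined here (placeholder addresses).
    forwarders { 203.0.113.53; 203.0.113.54; };
};

// Once any view is declared, every zone (including the root hints) must live inside a view.
view "internal" {
    match-clients { lan; };
    recursion yes;

    // Root hints so the server can still resolve on its own if the forwarders are down.
    zone "." { type hint; file "/usr/share/dns/root.hints"; };   // assumed path

    // Private copy of the zone: same names as the public zone at the registrar,
    // but the A records carry LAN addresses, e.g. in the zone file
    //   www   IN  A   192.168.1.10
    // instead of the public IP the registrar publishes. Lookups from the LAN for
    // www.example.org therefore never leave the network or touch the router.
    zone "example.org" {
        type master;
        file "/etc/bind/db.example.org.internal";
    };
};
```

After loading, `named-checkconf` validates the syntax and a query from a LAN host (`dig @192.168.1.2 www.example.org`, assuming the DNS server sits at 192.168.1.2) should return the 192.168.1.10 address, while the same name resolved via a public resolver still returns the registrar's record.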
-- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq