如何使一个域名在内网和外网访问时分别指向内网和外网IP?

puding

你的路由应该是H3C SR8802。
升级到一个比较新的COMWARE版本应该就有nat dns-map命令了。

Bsdder

是的, H3C SR8802, 我去看看新版的comware

Bsdder

今天进行了DNS sniffer, 发现dns respond 包, 从内网取得和从外网取得的不一样, 内网取得的在以下红色标记后的都没了.

1. 
   
2. 从内网执行nslookup 取得的query response 包：
   
3. 
   
4. No.     Time        Source                Destination           Protocol Info
   
5.       4 0.042612    202.103.224.68        192.168.1.210        DNS      Standard query response A 192.168.1.5[Malformed Packet]
   
6. 
   
7. Frame 4 (175 bytes on wire, 175 bytes captured)
   
8.     Arrival Time: Apr 11, 2008 16:40:31.797477000
   
9.     [Time delta from previous captured frame: 0.020654000 seconds]
   
10.     [Time delta from previous displayed frame: 0.020654000 seconds]
    
11.     [Time since reference or first frame: 0.042612000 seconds]
    
12.     Frame Number: 4
    
13.     Frame Length: 175 bytes
    
14.     Capture Length: 175 bytes
    
15.     [Frame is marked: False]
    
16.     [Protocols in frame: eth:ip:udp:dns]
    
17.     [Coloring Rule Name: UDP]
    
18.     [Coloring Rule String: udp]
    
19. Ethernet II, Src: HuaweiTe_1c:55:2e (HuaweiTe_1c:55:2e), Dst: Dell_11:23:54  (00:15:c5:11:23:54)
    
20.     Destination: Dell_11:23:54  (00:15:c5:11:23:54)
    
21.         Address: Dell_11:23:54  (00:15:c5:11:23:54)
    
22.         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    
23.         .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    
24.     Source: HuaweiTe_1c:55:2e (HuaweiTe_1c:55:2e)
    
25.         Address: HuaweiTe_1c:55:2e (HuaweiTe_1c:55:2e)
    
26.         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    
27.         .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    
28.     Type: IP (0x0800)
    
29. Internet Protocol, Src: 202.103.224.68 (202.103.224.68), Dst: 192.168.1.210 (192.168.1.210)
    
30.     Version: 4
    
31.     Header length: 20 bytes
    
32.     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    
33.         0000 00.. = Differentiated Services Codepoint: Default (0x00)
    
34.         .... ..0. = ECN-Capable Transport (ECT): 0
    
35.         .... ...0 = ECN-CE: 0
    
36.     Total Length: 161
    
37.     Identification: 0x44bd (17597)
    
38.     Flags: 0x04 (Don't Fragment)
    
39.         0... = Reserved bit: Not set
    
40.         .1.. = Don't fragment: Set
    
41.         ..0. = More fragments: Not set
    
42.     Fragment offset: 0
    
43.     Time to live: 244
    
44.     Protocol: UDP (0x11)
    
45.     Header checksum: 0x07ac [correct]
    
46.         [Good: True]
    
47.         [Bad : False]
    
48.     Source: 202.103.224.68 (202.103.224.68)
    
49.     Destination: 192.168.1.210 (192.168.1.210)
    
50. User Datagram Protocol, Src Port: domain (53), Dst Port: edm-mgr-sync (3464)
    
51.     Source port: domain (53)
    
52.     Destination port: edm-mgr-sync (3464)
    
53.     Length: 141
    
54.     Checksum: 0xa01e [correct]
    
55.         [Good Checksum: True]
    
56.         [Bad Checksum: False]
    
57. Domain Name System (response)
    
58.     [Request In: 3]
    
59.     [Time: 0.020654000 seconds]
    
60.     Transaction ID: 0x0002
    
61.     Flags: 0x8180 (Standard query response, No error)
    
62.         1... .... .... .... = Response: Message is a response
    
63.         .000 0... .... .... = Opcode: Standard query (0)
    
64.         .... .0.. .... .... = Authoritative: Server is not an authority for domain
    
65.         .... ..0. .... .... = Truncated: Message is not truncated
    
66.         .... ...1 .... .... = Recursion desired: Do query recursively
    
67.         .... .... 1... .... = Recursion available: Server can do recursive queries
    
68.         .... .... .0.. .... = Z: reserved (0)
    
69.         .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
    
70.         .... .... .... 0000 = Reply code: No error (0)
    
71.     Questions: 1
    
72.     Answer RRs: 1
    
73.     Authority RRs: 2
    
74.     Additional RRs: 2
    
75.     Queries
    
76.         [url]www.abc.com:[/url] type A, class IN
    
77.             Name: [url]www.abc.com[/url]
    
78.             Type: A (Host address)
    
79.             Class: IN (0x0001)
    
80.     Answers
    
81.         [url]www.abc.com:[/url] type A, class IN, addr 192.168.1.5
    
82.             Name: [url]www.abc.com[/url]
    
83.             Type: A (Host address)
    
84.             Class: IN (0x0001)
    
85.             Time to live: 1 hour, 41 minutes, 46 seconds
    
86.             Data length: 4
    
87.             Addr: 192.168.1.5     <--------此处发现NAT已经把域名指向内网IP了, 但此后的数据就没了,
    
88.     Authoritative nameservers
    
89. [Malformed Packet: DNS]
    
90. 
    
91. 
    
92. ADSL上网从外网取得的query response 包：
    
93. 
    
94. No.     Time        Source                Destination           Protocol Info
    
95.       7 2.962351    192.168.0.1           192.168.0.102         DNS      Standard query response A 202.104.55.18
    
96. 
    
97. Frame 7 (175 bytes on wire, 175 bytes captured)
    
98.     Arrival Time: Apr 11, 2008 16:37:41.408683000
    
99.     [Time delta from previous captured frame: 0.718414000 seconds]
    
100.     [Time delta from previous displayed frame: 0.718414000 seconds]
     
101.     [Time since reference or first frame: 2.962351000 seconds]
     
102.     Frame Number: 7
     
103.     Frame Length: 175 bytes
     
104.     Capture Length: 175 bytes
     
105.     [Frame is marked: False]
     
106.     [Protocols in frame: eth:ip:udp:dns]
     
107.     [Coloring Rule Name: UDP]
     
108.     [Coloring Rule String: udp]
     
109. Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 80:00:60:0f:e8:00 (80:00:60:0f:e8:00)
     
110.     Destination: 80:00:60:0f:e8:00 (80:00:60:0f:e8:00)
     
111.         Address: 80:00:60:0f:e8:00 (80:00:60:0f:e8:00)
     
112.         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
     
113.         .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
     
114.     Source: 00:00:00_00:00:00 (00:00:00:00:00:00)
     
115.         Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
     
116.         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
     
117.         .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
     
118.     Type: IP (0x0800)
     
119. Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.102 (192.168.0.102)
     
120.     Version: 4
     
121.     Header length: 20 bytes
     
122.     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
     
123.         0000 00.. = Differentiated Services Codepoint: Default (0x00)
     
124.         .... ..0. = ECN-Capable Transport (ECT): 0
     
125.         .... ...0 = ECN-CE: 0
     
126.     Total Length: 161
     
127.     Identification: 0x01ed (493)
     
128.     Flags: 0x00
     
129.         0... = Reserved bit: Not set
     
130.         .0.. = Don't fragment: Not set
     
131.         ..0. = More fragments: Not set
     
132.     Fragment offset: 0
     
133.     Time to live: 128
     
134.     Protocol: UDP (0x11)
     
135.     Header checksum: 0xb6a7 [correct]
     
136.         [Good: True]
     
137.         [Bad : False]
     
138.     Source: 192.168.0.1 (192.168.0.1)
     
139.     Destination: 192.168.0.102 (192.168.0.102)
     
140. User Datagram Protocol, Src Port: domain (53), Dst Port: ndl-als (3431)
     
141.     Source port: domain (53)
     
142.     Destination port: ndl-als (3431)
     
143.     Length: 141
     
144.     Checksum: 0xb7ed [correct]
     
145.         [Good Checksum: True]
     
146.         [Bad Checksum: False]
     
147. Domain Name System (response)
     
148.     [Request In: 6]
     
149.     [Time: 0.718414000 seconds]
     
150.     Transaction ID: 0x0002
     
151.     Flags: 0x8180 (Standard query response, No error)
     
152.         1... .... .... .... = Response: Message is a response
     
153.         .000 0... .... .... = Opcode: Standard query (0)
     
154.         .... .0.. .... .... = Authoritative: Server is not an authority for domain
     
155.         .... ..0. .... .... = Truncated: Message is not truncated
     
156.         .... ...1 .... .... = Recursion desired: Do query recursively
     
157.         .... .... 1... .... = Recursion available: Server can do recursive queries
     
158.         .... .... .0.. .... = Z: reserved (0)
     
159.         .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
     
160.         .... .... .... 0000 = Reply code: No error (0)
     
161.     Questions: 1
     
162.     Answer RRs: 1
     
163.     Authority RRs: 2
     
164.     Additional RRs: 2
     
165.     Queries
     
166.         [url]www.abc.com:[/url] type A, class IN
     
167.             Name: [url]www.abc.com[/url]
     
168.             Type: A (Host address)
     
169.             Class: IN (0x0001)
     
170.     Answers
     
171.         [url]www.abc.com:[/url] type A, class IN, addr 202.104.55.18
     
172.             Name: [url]www.abc.com[/url]
     
173.             Type: A (Host address)
     
174.             Class: IN (0x0001)
     
175.             Time to live: 3 hours
     
176.             Data length: 4
     
177.             Addr: 202.104.55.18          <----------------在外网访问, 把域名指向外网IP  
     
178.     Authoritative nameservers
     
179.         abc.com: type NS, class IN, ns ns.gxnnptt.net.cn
     
180.             Name: abc.com
     
181.             Type: NS (Authoritative name server)
     
182.             Class: IN (0x0001)
     
183.             Time to live: 2 hours, 43 minutes, 31 seconds
     
184.             Data length: 13
     
185.             Name server: ns.gxnnptt.net.cn
     
186.         abc.com: type NS, class IN, ns ns.lzptt.gx.cn
     
187.             Name: abc.com
     
188.             Type: NS (Authoritative name server)
     
189.             Class: IN (0x0001)
     
190.             Time to live: 2 hours, 43 minutes, 31 seconds
     
191.             Data length: 14
     
192.             Name server: ns.lzptt.gx.cn
     
193.     Additional records
     
194.         ns.lzptt.gx.cn: type A, class IN, addr 202.103.225.70
     
195.             Name: ns.lzptt.gx.cn
     
196.             Type: A (Host address)
     
197.             Class: IN (0x0001)
     
198.             Time to live: 32 minutes, 42 seconds
     
199.             Data length: 4
     
200.             Addr: 202.103.225.70
     
201.         ns.gxnnptt.net.cn: type A, class IN, addr 202.104.55.18
     
202.             Name: ns.gxnnptt.net.cn
     
203.             Type: A (Host address)
     
204.             Class: IN (0x0001)
     
205.             Time to live: 2 hours, 36 minutes, 21 seconds
     
206.             Data length: 4
     
207.             Addr: 202.104.55.18
     
208. 
     

复制代码

[ 本帖最后由 Bsdder 于 2008-4-12 12:23 编辑 ]

Bsdder

估计内网用域名访问不了, 可能跟DNS 回应包的错误有关, 但引起该错误的原因在那里呢? 是在电信DNS SERVER, 还是在路由器进行NAT转换时产生的? 我觉得后者可能性更大, 由于我对DNS 和 PROTOCOL分析不熟悉, 那位知道的能解释下吗?

ssffzz1

LZ的情况我试验过了。DNS-MAP在H3C中好像不是这个功能用的。

发现在最新版本的VRP中，只要配置好了NAT server映射就自动有了DNS修正功能。

同时6楼的配置
nat dns-map www.abc.com 192.168.1.5 80 tcp
好像IP地址应该填外网的合法IP（全局外部IP），而不是内网映射后的IP。

Bsdder

非常感谢你的试验!!!

原帖由 ssffzz1 于 2008-4-12 13:48 发表

发现在最新版本的VRP中，只要配置好了NAT server映射就自动有了DNS修正功能。
...

我感觉也应该是这样子, SR8802只做了nat server , nat outbound , 没有针对DNS进行过特殊设置, 但从昨天的sniffer 包中发现 , DNS 回应包中 SR8802已经把www.abc.com解析到服务器内部地址了. 但是估计由于转换时不正确, 导致DNS包中后面的数据错误了.

    Answers
        www.abc.com: type A, class IN, addr 192.168.1.5
            Name: www.abc.com
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 1 hour, 41 minutes, 46 seconds
            Data length: 4
            Addr: 192.168.1.5     <--------此处发现NAT已经把域名指向内网IP了, 但此后的数据就没了,
    Authoritative nameservers
[Malformed Packet: DNS]

详见13楼

现在正折磨中,  ssffzz1兄, 你能看看是什么东西导致SR8802修改DNS包错误的吗?

[ 本帖最后由 Bsdder 于 2008-4-12 14:25 编辑 ]

ssffzz1

这个具体的不太清楚了。
1、你升级到最新版本的VRP。
2、如果通过路由器DNS-MAP不能解决，那么内网架自己的DNS,或者修改HOSTS文件。

puding

http://kms.h3c.com/kms/kms/search/view.html?id=14510

ssffzz1

您的登录已过期，需要重新登录

请刷新浏览器，以重新登录

没有H3C的用户，没用啊。把，内容转出来吧。


还有一个另外的方法，就是吧服务器和PC，放到不同的网段即可。

[ 本帖最后由 ssffzz1 于 2008-4-12 20:39 编辑 ]

puding

SR66系列路由器通过NAT实现

内网使用公网地址或域名访问内网服务器





一、组网需求：

内网用户通过路由器的NAT地址池转换来访问Internet，并且向外网用户提供www服务，同时客户要求实现

内网用户通过公网域名或地址访问内网服务器。

设备清单：SR66系列路由器1台，PC 1 台



二、组网图：


192.168.0.2/24 ---- [G0/0(192.168.0.1/24)-G0/1(202.100.1.2)] ---- OUTSIDE



三、配置步骤：

SR66 配置

#

//用户NAT的地址池

nat address-group 1 202.100.1.3 202.100.1.6

#

//配置允许进行NAT转换的内网地址段

acl number 2000

rule 0 permit source 192.168.0.0 0.0.0.255

rule 1 deny

#

//配置内网访问内网服务器的数据段

acl number 3010

description LAN-PC-->LAN-Server                                                

rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.0.2 0         

#



interface GigabitEthernet0/0

port link-mode route

//在出接口上进行NAT转换

nat outbound 2000 address-group 1

//在出接口上配置内网服务器192.168.0.2的www服务

nat server protocol tcp global 202.100.1.3 www inside 192.168.0.2 www

ip address 202.100.1.2 255.255.255.0

#

interface GigabitEthernet0/1

port link-mode route

//内网网关

ip address 192.168.0.1 255.255.255.0

//对内网访问内网服务器的流量进行地址转换

nat outbound 3010

//在内网口上配置内网服务器192.168.0.2的www服务，使内网pc能够通过公网地址或域名访问

nat server protocol tcp global 202.100.1.3 www inside 192.168.0.2 www

ip address 202.100.1.2 255.255.255.0

#

//配置默认路由

ip route-static 0.0.0.0 0.0.0.0 202.100.1.1

#






四、配置关键点：

1）定义内网访问内网服务器的acl，在内网口配置内网访问内网服务器的nat转换

2） 在内网口需要配置内网服务器和外网地址的映射关系

[ 本帖最后由 puding 于 2008-4-12 20:54 编辑 ]