Consider the following simple scenario:
I have an office network where I have a server that provides some service, for example through HTTPS. I would like to be able to access this server with the name service.example.com, and I want this to work from inside the office network, as well as through the internet.
To do so, I have a router with a static IP on the Internet side, and I set it up so it redirects TCP port 443 to the internal server.
I would like to configure DNS in a way so that querying for service.example.com returns:
- 10.0.0.2 (the internal IP) when queried from inside the office network
- 123.45.67.89 (the external IP) when queried from outside the office network
I am already using Amazon Route 53 for all my DNS needs, and I found that there is a new feature called IP-based routing, which allows me to create multiple DNS records that are dynamically returned based on the querying IP. So in principle, I should set up my DNS records so that:
- service.example.com returns 10.0.0.2 when queried from 123.45.67.89
- service.example.com returns 123.45.67.89 when queried from anywhere else
However, Route 53 doesn't allow me to set up individual IP addresses. Instead I have to register CIDR blocks, which can only have masks up to /24. Therefore I can't set up an individual IP address (with a /32 mask).
Is there a reason for this? Am I looking at this the wrong way? Some alternative solutions I've thought of are:
- Write down the manual route for all internal PCs in /etc/hosts. However, I want this to work on laptops that may be on the internal network sometimes, and outside some other times. I don't think it's reasonable to ask users to change their /etc/hosts each time they take their laptop home.
- Set up a DNS server inside my network just for this. I think it's a very heavyweight operation just for this one use case -- I don't want to set up a server to handle every single DNS query inside the office network, considering that traffic to this internal server is minimal.
- Stop using NAT, and get a whole /24 block of static IPs. I think this is overkill for my needs.
- Use IPv6, which is reachable anywhere, so this problem doesn't exist. This is what I'm doing now, but a lot of people still don't have IPv6 on their home networks, so the service is completely unavailable for people without IPv6.
What would be the right way to set this up?
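The IP-based routing lookup the question describes, modelled as an added example (this is not code from the question or from Route 53): a table of CIDR locations that, as the question states, may not be finer than /24, a longest-match lookup, and a count of how many other source addresses share the office's /24 and would therefore also receive the internal answer. It assumes, as the question does, that the source address the DNS service sees is the office's public IP 123.45.67.89; the other addresses used below are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# Finest IPv4 prefix the question says Route 53 accepts for a CIDR location.
MAX_IPV4_PREFIX = 24

# Constructed sample locations mirroring the question: (CIDR block, answer).
# The office's public address 123.45.67.89 can only be expressed as a /24 here.
LOCATIONS: List[Tuple[str, str]] = [
    ("123.45.67.0/24", "10.0.0.2"),   # "inside the office", as coarse as /24 allows
]
DEFAULT_ANSWER = "123.45.67.89"       # returned for every other source address


def validate_block(cidr: str) -> ipaddress.IPv4Network:
    """Reject blocks finer than /24, the limit the question describes."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{cidr}: only IPv4 blocks are modelled here")
    if net.prefixlen > MAX_IPV4_PREFIX:
        raise ValueError(f"{cidr}: /{net.prefixlen} is finer than /{MAX_IPV4_PREFIX}")
    return net


def resolve(query_source: str, locations=LOCATIONS, default=DEFAULT_ANSWER) -> str:
    """Answer for service.example.com as seen from query_source.

    Longest matching block wins; an unmatched source gets the default answer.
    """
    src = ipaddress.ip_address(query_source)
    best: Optional[Tuple[int, str]] = None
    for cidr, answer in locations:
        net = validate_block(cidr)
        if src in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, answer)
    return best[1] if best else default


def collateral_sources(cidr: str, office_ip: str) -> int:
    """Addresses in the block, other than the office IP, that also get the internal answer."""
    net = validate_block(cidr)
    return net.num_addresses - 1 if ipaddress.ip_address(office_ip) in net else net.num_addresses


if __name__ == "__main__":
    print(resolve("123.45.67.89"))    # 10.0.0.2: the office itself
    print(resolve("123.45.67.200"))   # 10.0.0.2 as well: same /24, not the office
    print(resolve("198.51.100.7"))    # 123.45.67.89: a constructed outside address
    print(collateral_sources("123.45.67.0/24", "123.45.67.89"))  # 255
    try:
        validate_block("123.45.67.89/32")   # the /32 the question wants, rejected
    except ValueError as err:
        print(err)
```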