
Consider the following simple scenario:

NAT setup

I have an office network where I have a server that provides some service, for example through HTTPS. I would like to be able to access this server with the name service.example.com, and I want this to work from inside the office network, as well as through the internet.

To do so, I have a router with a static IP on the Internet side, and I set it up so it redirects TCP port 443 to the internal server.

I would like to configure DNS in a way so that querying for service.example.com returns:

  • 10.0.0.2 (the internal IP) when queried from inside the office network
  • 123.45.67.89 (the external IP) when queried from outside the office network

I am already using Amazon Route 53 for all my DNS needs, and I found that there is a new feature called IP-based routing, which allows me to create multiple DNS records that are returned dynamically based on the querying IP. So in principle, I should set up my DNS records so that:

  • service.example.com returns 10.0.0.2 when queried from 123.45.67.89
  • service.example.com returns 123.45.67.89 when queried from anywhere else

However, Route 53 doesn't allow me to set up individual IP addresses. Instead I have to register CIDR blocks, which can only have masks up to /24. Therefore I can't set up an individual IP address (with a /32 mask).

Is there a reason for this? Am I looking at this the wrong way? Some alternative solutions I've thought of are:

  • Write down the manual route for all internal PCs in /etc/hosts. However, I want this to work on laptops that may be on the internal network sometimes, and outside at other times. I don't think it's reasonable to ask users to change their /etc/hosts each time they take their laptop home.
  • Set up a DNS server inside my network just for this. I think it's a very heavyweight operation just for this one use case -- I don't want to set up a server to handle every single DNS query inside the office network, considering that traffic to this internal server is minimal.
  • Stop using NAT, and get a whole /24 block of static IPs. I think this is overkill for my needs.
  • Use IPv6, whose addresses are reachable from anywhere, so this problem doesn't exist. This is what I'm doing now, but a lot of people still don't have IPv6 on their home networks, so the service is completely unavailable for people without IPv6.

What would be the right way to set this up?
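The split-horizon ("split-brain") answer selection the question is asking for, modelled as an added example. This is not code from the question and not the Route 53 API; it models Route 53 only as far as the question states it, namely that IPv4 rules cannot be narrower than /24. The first policy is what a resolver inside the office would do when it sees the real LAN source address; the second shows why a /24 around the office's public NAT address is not a substitute for a /32: any other host in that /24 (a constructed neighbour address, 123.45.67.90, standing in for another customer of the same ISP) also receives the private 10.0.0.2 answer, which it cannot reach. 10.0.0.2 and 123.45.67.89 are the question's addresses; 10.0.0.55 and 203.0.113.7 are constructed.

```python
"""Split-horizon DNS answer selection, modelled in Python.

Added illustration for the question above; not code from the question or
from Route 53. Route 53 is modelled only as far as the question states it
(IPv4 CIDR rules no longer than /24). 10.0.0.2 and 123.45.67.89 come from
the question; 10.0.0.55, 203.0.113.7 and 123.45.67.90 are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Addresses taken from the question.
INTERNAL_SERVER = "10.0.0.2"
PUBLIC_ROUTER = "123.45.67.89"

ROUTE53_MAX_IPV4_PREFIXLEN = 24  # the limit the question reports


@dataclass(frozen=True)
class Rule:
    """Clients whose source address lies in `network` get `answer`."""
    network: IPNetwork
    answer: str


class SplitHorizonPolicy:
    """Picks an A record by longest-prefix match on the querying client's IP."""

    def __init__(self, rules: List[Rule], default: str) -> None:
        # Longest prefix first, so a /32 beats a /24, which beats the default.
        self.rules = sorted(rules, key=lambda r: r.network.prefixlen, reverse=True)
        self.default = default

    def resolve(self, client_ip: str) -> str:
        ip = ipaddress.ip_address(client_ip)
        for rule in self.rules:
            if ip.version == rule.network.version and ip in rule.network:
                return rule.answer
        return self.default


def make_rule(cidr: str, answer: str) -> Rule:
    # strict=False accepts "123.45.67.89/24" and normalises it to 123.45.67.0/24.
    return Rule(ipaddress.ip_network(cidr, strict=False), answer)


def route53_accepts(cidr: str) -> bool:
    """True if `cidr` is within the IPv4 prefix-length limit the question describes.

    Only the IPv4 limit stated in the question is modelled; nothing is
    asserted here about IPv6 limits.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and net.prefixlen <= ROUTE53_MAX_IPV4_PREFIXLEN


def office_resolver_policy() -> SplitHorizonPolicy:
    """A resolver inside the office: it sees the real LAN source address."""
    return SplitHorizonPolicy(
        rules=[make_rule("10.0.0.0/24", INTERNAL_SERVER)],
        default=PUBLIC_ROUTER,
    )


def route53_policy() -> SplitHorizonPolicy:
    """The closest Route 53 can get under the stated limit: the office is only
    visible as its NAT address, and the narrowest rule allowed is a /24 around it."""
    rule_cidr = f"{PUBLIC_ROUTER}/{ROUTE53_MAX_IPV4_PREFIXLEN}"
    assert route53_accepts(rule_cidr)
    return SplitHorizonPolicy(
        rules=[make_rule(rule_cidr, INTERNAL_SERVER)],
        default=PUBLIC_ROUTER,
    )


def demo() -> Dict[str, str]:
    """Resolve the service name from several vantage points."""
    office = office_resolver_policy()
    r53 = route53_policy()
    return {
        # Internal resolver: a LAN client gets the private IP, an internet client the public one.
        "office:lan_client": office.resolve("10.0.0.55"),
        "office:internet_client": office.resolve("203.0.113.7"),
        # Route 53: every office query leaves through NAT as 123.45.67.89 ...
        "route53:office_via_nat": r53.resolve(PUBLIC_ROUTER),
        # ... but the /24 also catches an unrelated host in the same ISP block
        # (constructed), which then gets a 10.0.0.2 answer it cannot reach.
        "route53:isp_neighbour": r53.resolve("123.45.67.90"),
        "route53:far_away": r53.resolve("203.0.113.7"),
    }


if __name__ == "__main__":
    for vantage, answer in demo().items():
        print(f"{vantage:26s} -> {answer}")
    print("/32 rule allowed:", route53_accepts(f"{PUBLIC_ROUTER}/32"))
```

The `route53:isp_neighbour` entry is the practical objection to widening the rule to /24: the rule is keyed on the source address as seen by the authoritative server, which after NAT is the router's public IP shared with nothing else, so any rule wider than /32 necessarily includes addresses that are not yours.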

  • You need to set up split-brain DNS, which you do not want to do. Save yourself constant headaches: buy an IP address for your server from your Internet provider. That is usually only a couple of dollars per month. Factoring in time, time management and equipment, you will save significantly. Otherwise, you will need to configure a DNS server in your home network and either configure each client or configure DHCP. Jun 15, 2022 at 19:03
  • @JohnHanley Unfortunately, my internet plan only allows for up to 1 static IP, which I'm already using for the router. To be able to have more static IP addresses, I need to upgrade my plan to one that costs considerably more... Jun 16, 2022 at 4:27
  • Now you know the solution. Set up a DNS server and configure your network accordingly. Jun 16, 2022 at 4:33
  • Question. My ISP charges $5.00 for four public static IP addresses. How much does yours charge, and where are you located? Jun 16, 2022 at 4:34
  • @JohnHanley Each static IP costs approximately 17 USD/month, and I need to move to the next level of service, which costs approximately an additional 150 USD/month. I'm based in Japan. However, it seems like my router doesn't mind doing hairpin routing, so I can use the external IP even for internal computers. Jun 16, 2022 at 4:43
