# DNS newbie question

## godsmack420

I have never messed with DNS much, so I have a few questions. I am using ZoneEdit for my home Gentoo machine so that I have a domain name for it (ex. mydomain.com).

I also have a few other machines running in my home (a Win2k3 server and a CentOS server). Is there a way I could set up DNS on my Gentoo machine (which is set as the DMZ on my router) so that I can use "subdomains" to access different computers?

Ok, I guess my question is can I set DNS up on my gentoo machine to allow certain subdomains to redirect to different machines?  For example:

mydomain.com  -->  [my gentoo machine]

win2k3.mydomain.com   -->  [my windows server]

centos.mydomain.com --> [my CentOS server]

From what I'm thinking I can set the subdomains up in ZoneEdit to point to my dynamic IP address... but once it gets to my Gentoo machine via the IP address I'd like my Gentoo machine to redirect all traffic to the appropriate machine depending on the "subdomain".

Damn, I'm confusing myself... like I said, I've never messed with DNS at all before, but it sounds like I should be able to do something like this with it. If I could please get any info it would be greatly appreciated.

Thanks.

----------

## desultory

Perhaps, DNS configuration is not the solution you seek.

----------

## godsmack420

That solution will work for websites; however, is there a way that something can be set up to allow other methods of access? If I SSH to centos.mydomain.com will it take me to my CentOS machine? Or will FTP to win3k.mydomain.com FTP to my Windows server?

Randy

----------

## f4u5t

 *godsmack420 wrote:*   

> That solution will work for websites; however, is there a way that something can be set up to allow other methods of access? If I SSH to centos.mydomain.com will it take me to my CentOS machine? Or will FTP to win3k.mydomain.com FTP to my Windows server?
> 
> Randy

 

With iptables you can direct to different hosts as long as the port ranges are distinct. To do so you use destination NAT.

E.g.

```
# NAT_IF is the external (Internet-facing) interface of the Gentoo box, e.g. eth0
NAT_IF=eth0

# Port 22 arriving from the outside goes to 192.168.0.200, port 80 to 192.168.0.201.
# Both internal hosts must route their replies back through this machine (default
# gateway), and the filter table's FORWARD chain must accept the forwarded traffic.
/sbin/iptables -t nat -A PREROUTING -i $NAT_IF -p tcp --dport 22 -j DNAT --to-destination 192.168.0.200
/sbin/iptables -t nat -A PREROUTING -i $NAT_IF -p tcp --dport 80 -j DNAT --to-destination 192.168.0.201
```

which will direct SSH to one host and HTTP to another host. FTP is a mess; don't use it.

If you want to direct the same port to different hosts that needs to be done at the application level. E.g., for HTTP you would have an HTTP proxy receiving all requests and proxy to different web servers based on the HTTP/1.1 Host: header. SSH and FTP have no such mechanism.

----------

## molot

Well, there is a solution. Run a DNS cache/proxy on your main machine, one that would look at /etc/hosts of the machine it runs on. Then put the "subdomains" in /etc/hosts and you are done. Is that what you've been looking for?

----------

## f4u5t

 *molot wrote:*   

> Well, there is a solution. Run a DNS cache/proxy on your main machine, one that would look at /etc/hosts of the machine it runs on. Then put the "subdomains" in /etc/hosts and you are done. Is that what you've been looking for?

 

That won't work at all. First, he cannot run a name server of any sort on his machine because its external IP address (potentially) changes. He would need to update the whois information for his domain every time it changed, and that data is cached for about 24 hours.

Second, even if he could run a name server he has one external IP address. Every DNS query will return that IP address. When a client asks for centos.mydomain.com it will return that IP address. When a client asks for mydomain.com it will return that address. Then the client will connect to that IP address. At the TCP/IP level the server has no way of knowing which name was used to resolve to that IP address. The name may reside at the application level. It does for HTTP which permits name-based virtual hosting.

If he really wants to forward all ports to different hosts he needs multiple external IP addresses. If he wants to forward specific different ports to different hosts he can use DNAT.

----------

## godsmack420

Ok, so in order to do that externally I will need different IP addresses... hmmm... sounds like it would be a major headache to do.

----------

## molot

Well, it seems I misunderstood a bit, sorry.

There is simply no easy way to get all ports on all machines by one IP only.

DNS only changes a name to an IP. If you have one IP, then all your names will be translated to this single IP. Then your gateway will get a packet with that IP on it. Some protocols, like HTTP, allow embedding the name into a packet, so software designed to work with that protocol (Apache, nginx) may parse it and throw it at the intended machine. Most of the protocols (ssh, NFS, FTP and so on) do not allow this. You can easily redirect by port (service, that is), if you want one (and only one) machine as an HTTP server and another (single one) as an FTP server, for example. You can make the gateway have multiple public IP addresses and redirect by them. But with the exception of the HTTP protocol family, once the client resolves the domain name to an IP, the name information is lost completely and there is no way to know what it was.

You may consider opening a VPN entry to your LAN. Then, once connected, you'll see all private IPs directly.

----------
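The point made in f4u5t's DNAT post and restated by molot above (after resolution only an IP and a port are on the wire, so the gateway can split by port for any protocol but by name only for HTTP) can be shown directly. The following is an added example and not code from the thread; the internal addresses, the name-to-host table, the port table and the function names are all invented for illustration. It inspects the first bytes a client sends and decides which internal host should get the connection.

```python
"""Added example, not code from the thread: why a single-IP gateway can
dispatch by destination port for any protocol, but by hostname only for
HTTP.  After DNS resolution the client sends packets to the gateway's IP
and a port; the name the user typed survives only if the application
protocol repeats it.  HTTP/1.1 does (Host: header); the SSH identification
string and the FTP greeting do not.  All addresses and the name->host table
below are invented for illustration.
"""
import re

# Invented name-based table, usable only for HTTP (the "HTTP proxy" case).
HTTP_BACKENDS = {
    "mydomain.com": ("192.168.0.1", 80),         # the Gentoo box itself
    "win2k3.mydomain.com": ("192.168.0.201", 80),
    "centos.mydomain.com": ("192.168.0.200", 80),
}

# Invented port-based table, i.e. what the iptables DNAT rules express.
PORT_DNAT = {
    22: ("192.168.0.200", 22),     # ssh -> CentOS box
    2222: ("192.168.0.201", 22),   # second ssh port -> Windows box
}

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def http_host(first_bytes: bytes):
    """Return the lower-cased Host: value from an HTTP/1.x request head,
    without any :port suffix, or None if the bytes are not an HTTP request
    or carry no Host header."""
    head = first_bytes.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":", 1)[0]
    return None


def protocol_name_field(first_bytes: bytes) -> str:
    """Say what, if anything, in the client's opening bytes names the
    intended server."""
    if http_host(first_bytes) is not None:
        return "http-host-header"
    if first_bytes.startswith(b"SSH-"):
        # RFC 4253 identification string: "SSH-2.0-software", nothing else.
        return "none (ssh identification string)"
    if not first_bytes:
        # FTP (and SMTP, POP, ...) servers speak first; the client has sent
        # nothing the gateway could inspect before choosing a backend.
        return "none (server-speaks-first protocol)"
    return "none"


def choose_backend(dst_port: int, first_bytes: bytes):
    """Decide where the gateway forwards a new connection.  Name-based only
    when the protocol carries the name; otherwise fall back to the port
    table, exactly like the DNAT rules.  Returns (ip, port) or None."""
    host = http_host(first_bytes)
    if host is not None:
        return HTTP_BACKENDS.get(host)
    return PORT_DNAT.get(dst_port)


def demo():
    """Constructed client openings; returns the dispatch decisions."""
    http_req = b"GET /index.html HTTP/1.1\r\nHost: centos.mydomain.com\r\n\r\n"
    ssh_banner = b"SSH-2.0-OpenSSH_5.1\r\n"
    return {
        "http->centos": choose_backend(80, http_req),
        "ssh port 22": choose_backend(22, ssh_banner),
        "ssh port 2222": choose_backend(2222, ssh_banner),
        "ftp, client silent": choose_backend(21, b""),
    }


if __name__ == "__main__":
    for label, target in demo().items():
        print(f"{label:20s} -> {target}")
```

In practice this logic lives in the reverse proxy (Apache or nginx name-based virtual hosts) for HTTP and in the PREROUTING DNAT rules for everything else; the example only makes visible that an SSH client's first bytes contain its software version and nothing about the name that was resolved, so port 22 can only ever go to one place.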

## desultory

 *godsmack420 wrote:*   

> That solution will work for websites; however, is there a way that something can be set up to allow other methods of access?

 There are typically ways to achieve analogous results, though quite how is generally dependent upon what kind of service is being provided.

 *godsmack420 wrote:*   

> If I SSH to centos.mydomain.com will it take me to my CentOS machine? Or will FTP to win3k.mydomain.com FTP to my Windows server?

 By default, neither, and that is at least arguably good. For ssh there are various configuration options which could when combined produce something like the desired effect, not that I have such a configuration on hand to share. As for FTP, you could do various things depending on what your specific requirements are, though the easiest would probably be to switch internally from using FTP to shared filesystems then providing an external anonymous FTP site with each of the mounts available as a directory.

----------

## molot

For ssh it is not so difficult to always ssh to one machine and then "jump" to the other machines using the local IP/name from the hosts file. Alternatively you may use other ports, like 22 to Gentoo, 23 for CentOS, 24 for Windows... You may also configure passwordless ssh between your machines, and on the "gateway" (Gentoo) computer set up a user "myname-centos" with a shell like "ssh myname@ip-of-centos-machine". Not beautiful, not clean, but it works.

If there are other solutions I'd like to know. As far as I see there is no place in the ssh packet structure that would allow to send domain information.

For FTP, setting up NFS and keeping each machine's disk space available to the others truly seems the most elegant solution. Only authenticate users by LDAP/Kerberos so you have one uid per user on each machine, or make the mounts root-only.

You may also want to google for >corkscrew ssh http<. There is a way to tunnel ssh via an HTTP proxy, and HTTP keeps subdomains, so your main machine would be able to use nginx to send packets to the machines you want them to go to. There are some problems with that: you have to use specialized client-side software to connect at all, you would get a huge performance hit, it does not always work (HTTP was never meant to work that way), and it's hell to set up. I didn't make it work when I tried the last time, but I hardly put my heart into it, so who knows.

----------
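The "one gateway account per internal machine, whose shell is an ssh command" approach in molot's post above can be written as a small login shell. What follows is an added example, not code from the thread: the account names (randy-centos, randy-win2k3), the remote user, the internal addresses and the script name jumpshell are invented. It adds the two things a bare `ssh` as a shell gets wrong: it forwards a remote command (sshd invokes the login shell as `shell -c command` for `ssh host cmd`, scp and sftp) instead of dropping it, and it refuses anything else so the account cannot be used to run something other than the onward ssh.

```python
#!/usr/bin/env python3
"""Added example, not from the thread: a login shell for the Gentoo gateway
implementing "one gateway account per internal machine".  An account such
as randy-centos gets this script as its shell; after authentication sshd
runs the shell, and the script execs ssh onward to the mapped internal
host.  Account names, users and addresses are invented.

Install on the gateway (as root):
    install -m 755 jumpshell.py /usr/local/bin/jumpshell
    useradd -m -s /usr/local/bin/jumpshell randy-centos
and give randy-centos a key that randy@192.168.0.200 accepts.
"""
import os
import pwd
import sys

# Gateway login -> (user on the internal host, internal host).  Invented.
TARGETS = {
    "randy-centos": ("randy", "192.168.0.200"),
    "randy-win2k3": ("randy", "192.168.0.201"),
}

SSH_OPTIONS = [
    "-o", "BatchMode=yes",              # never prompt; the key must just work
    "-o", "StrictHostKeyChecking=yes",  # internal host key pinned in known_hosts
]


def resolve_target(login: str):
    """(user, host) for a gateway login, or None if it is not a jump account."""
    return TARGETS.get(login)


def build_ssh_argv(login: str, shell_args):
    """argv for the onward ssh.  shell_args is what sshd handed the login
    shell: [] for an interactive session, ['-c', command] for a remote
    command (ssh host cmd, scp, sftp).  Anything else is refused so the
    account cannot be coaxed into running something other than ssh."""
    target = resolve_target(login)
    if target is None:
        raise ValueError(f"{login!r} is not a jump account")
    user, host = target
    dest = f"{user}@{host}"
    if not shell_args:
        return ["ssh", *SSH_OPTIONS, "-t", dest]           # interactive: want a tty
    if len(shell_args) == 2 and shell_args[0] == "-c":
        return ["ssh", *SSH_OPTIONS, dest, shell_args[1]]  # command passed through verbatim
    raise ValueError(f"unexpected shell arguments: {shell_args!r}")


def current_login() -> str:
    """Identify the account from the real uid rather than from $USER,
    which is only an environment variable."""
    return pwd.getpwuid(os.getuid()).pw_name


def main() -> int:
    try:
        argv = build_ssh_argv(current_login(), sys.argv[1:])
    except ValueError as exc:
        print(f"jumpshell: {exc}", file=sys.stderr)
        return 1
    os.execvp(argv[0], argv)  # replaces this process; only returns on failure
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

The cost of this design is that the gateway account holds a key the internal host trusts, so whoever compromises the gateway gets the internal machine as well. The plain "jump" variant molot mentions first avoids that: the client connects to the gateway and from there to the internal host with its own credentials, which newer OpenSSH clients do in one step with `ssh -J randy@mydomain.com randy@192.168.0.200` (ProxyJump), keeping the keys on the client.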

