NAT Reflection

dcol

Hi all,
I had an interesting thread that resolved some issues, but what I got out of it was to not use NAT Reflection on my port forwarding.

No one explained why, just told me to use Split DNS instead. Well, unbound Host Overrides did not work. When I setup a host override and disabled NAT Reflection I was no longer able to get to my local website. Seems doing a web search that others have the same difficulty with host overrides not working or sometimes not working in DNS Resolver. NAT reflection always works with no issue.

It appears to be how DNS is handled by the host override. It does resolve the host name to my local server IP as proven by a simple trace command but when IIS gets the request it cannot determine the address and fails. Using NAT reflection works fine. I worked on it for a couple of hours and got one site to briefly work as the root, but never with www. Then stopped working altogether.

I do point my DNS to the Pfsense box, so that isn't the problem. Tried flushing DNS and clearing browser cache.

My Question is this. Why is it so important to move away from NAT reflection? If I should move to Split DNS, then I need some help getting it to work.

KOM

NAT Reflection is technically a workaround that sends your connection out the firewall and back in again, so it's inefficient and puts more load on the firewall.  It also can cause issues in some cases.  Split DNS makes your system go directly to the resource on the local LAN without touching the firewall at all.  If your system can properly resolve your web server's FQDN to it's local IP address then the firewall isn't involved at all and the issue is with the web server.

johnpoz

Why is it important not to use an abomination in the networking world that should never be used ever??  Especially from a security point of view?

Sure you will find that home routers that you go get at your local computer store for 20$ do it - because their user base are "users" ;)  And they just want stuff to work without clue one to how and why, etc.

The inefficiency that KOM mentions of going through your firewall/router to just get back to a box next to you is the mere tip of the iceberg to be honest.  Doing such a thing can also create an asymmetrical problem..  If not just bad hairpinning for no reason at all.

From a security point of view if you prevent asymmetrical by natting the connection to the webserver as pfsense IP, then the webserver doesn't know the real IP that is talking to it.. So every client on your network that access your webserver will just look like it came from pfsense IP.  So any sort of log info you might find useful are now just junk, if any sort of firewall rule on the webserver pointless because now all connectivity is coming from 1 IP.

The above is done with a SNAT.. So think of all the things involved and the added complexity involved because your too lazy to setup correct name resolution on your network?  If your trying to access a webserver on same network as you.. Then resolve the URN you want to access to its local IP.. Now your not doing any sort of hairpin, your not sending traffic in and out of your firewall for no reason.  Your server logs will now see the actual IP that is talking to it.  So its logs can be useful and could leverage its own software firewall, etc.  Your performance will be better!!  Since your not using a hairpin, and not having to run it through a speedbump (firewall/router) for no reason.

Also agree with KOM here, if your resolving the URN your trying to access to the rfc1918 IP address that is on the same network you are, and something is not working then that has something do with that server and or use of proxies or something else, etc.  Fix whatever that issue is would be my suggestion vs using the complete and utter hack/abomination that is nat reflection..

You want another reason? ;)  How about when you have to explain your setup to any other networking/security/IT person that is not completely useless they won't be thinking in the back of their minds… Ok this person doesn't really have a clue, make sure I use small words and speak slowly..  Ie you won't see their eyes rollback up into their heads and place their palm to their face.. And then they will prob smile back at you real nice... hehehehehehehe

dcol

Guys, this post should be a Wiki. What a wealth of info. Thanks to you.

I finally got this to work, just needed a reboot after changing setting on the PFsense box
So here is an example of how to set up Split DNS for those who went through what I did.

As an example, lets call one site mydomain.com where IIS has bindings to port 80 for mydomain.com and www.mydomain.com
Create a NAT Port Forwarding rule to send port 80 to IP 192.168.20.2. NAT Reflection should be disabled
DNS Resolver Host Overrides settings.

Host - mydomain
Domain - com
IP 192.168.20.2

Alias
Host - www
Domain - mydomain.com

These setting should work after a reboot.

Thanks

NOYB

@dcol:

My Question is this. Why is it so important to move away from NAT reflection?

It's not.  Use what is a good fit for your purpose.  Totally up to you.

johnpoz

You shouldn't have to reboot..

You can not have a blank host.. Your override would be host domain, with the domain being com

You would then create alias for that host..  See attached example

> dig domain.com

; <<>> DiG 9.11.0-P1 <<>> domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15931
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domain.com.                    IN      A

;; ANSWER SECTION:
domain.com.             3600    IN      A       192.168.20.2

;; Query time: 3 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Sun Dec 04 05:56:13 Central Standard Time 2016
;; MSG SIZE  rcvd: 55

> dig www.domain.com

; <<>> DiG 9.11.0-P1 <<>> www.domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48575
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.domain.com.                        IN      A

;; ANSWER SECTION:
www.domain.com.         3600    IN      A       192.168.20.2

;; Query time: 1 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Sun Dec 04 05:57:25 Central Standard Time 2016
;; MSG SIZE  rcvd: 59

dcol

Johnpoz - Seems to work ok both ways for me. It is now working fine the way I originally described it but I modified my example to fit your way since you have more experience using it than I do. Also, did not work until I rebooted. I think it was because the NAT reflection config was still in there.

One other point to make for all trying to use Split DNS. Make sure you use the PFsense LAN IP as your primary DNS server in every device on the LAN.
This in my opinion is one of the drawbacks to using Split DNS, But the positives do outweigh the negatives.

johnpoz

There is nothing saying you have to use pfsense as dns… But you do no need to use a dns that will resolve the fqdn your asking about to your rfc1918 address.  This could be your AD dns, this could be bind running on some other box on your network, etc.

If your clients are using say googledns or some other public dns - then no split dns would not work would it ;) Public dns is not going to return your rfc1918 address, and if it did - then that would be a rebinding attack normally.. And not a good idea.