Hairpin NAT alternative

Hairpin NAT (also called loopback NAT) is a technique for the situation where a resource, usually a web server, sits on the internal network but has an external IP address. It is reachable from the outside interface (in Cisco terminology), but since it shares the same gateway as your machine (the backbone router, not the subnet's), internal machines cannot reach it by that address.
The problem has at least three solutions:
1. Simply use the non-RFC 1918 IP address, with identity NAT or something similar. This implies serious changes to routing and security policies;
2. Configure hairpin NAT, which has the same weaknesses and is not an option if you do not want to change your routing policies;
3. And, the subject of this article, configure the internal DNS server to resolve the usual FQDN to the internal IP. I'll use BIND as the example.

You must set up a new zone describing the domain you have (e.g. .com, or, if you're configuring a third-level domain, use yoursite.com to simplify configuration), put your site's record in it, and add this line at the end:

* IN NS $upstream_dns_ip

Then restart bind9.
From now on, users who connect to your web server from inside will get its internal IP, and users from outside will use the external one.
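As an added example (not from the original post), here is what that internal zone looks like in full, with the named.conf stanza in the comments. Every name and address is assumed: yoursite.com as the domain, www.yoursite.com as the web server (10.0.0.10 internally), 10.0.0.53 as this resolver, and ns-up.yoursite.com as an invented label for the upstream DNS server, because NS record data must be a host name rather than an IP literal.

```bind
; Added example, not the original author's config. All names/addresses are assumed.
;
; named.conf.local on the internal resolver:
;   zone "yoursite.com" {
;       type master;
;       file "/etc/bind/db.yoursite.com.internal";
;   };
;
; /etc/bind/db.yoursite.com.internal
$TTL 300
$ORIGIN yoursite.com.
@       IN SOA  ns-int.yoursite.com. hostmaster.yoursite.com. (
                2024010101 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL
@       IN NS   ns-int.yoursite.com.
ns-int  IN A    10.0.0.53          ; this internal resolver (constructed address)

; The one record we want to override: internal clients get the private
; address, so their traffic never has to hairpin through the edge router.
; Only clients that actually use this resolver see the override.
www     IN A    10.0.0.10

; Everything else under yoursite.com is handed back to the public DNS.
; NS data must be a host name, so the upstream server gets a label plus
; a glue A record (198.51.100.53 is a constructed placeholder address).
*       IN NS   ns-up.yoursite.com.
ns-up   IN A    198.51.100.53
```

Run `named-checkzone yoursite.com /etc/bind/db.yoursite.com.internal` before reloading; afterwards `dig @10.0.0.53 www.yoursite.com A` from an internal host should return 10.0.0.10, while a query for any other name in the domain should still be answered via the delegation.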
