# public IP addresses system



## rtsiresy (Mar 6, 2019)

Hey all,
so just here is a topology that I quickly made with paint ...




So I have 2 questions:

- first, is it possible for the webserver to be a public webserver discoverable over the Internet? If yes, how? If no, why?
- second, can the DNS server be the authoritative DNS server for the webserver's domain? If yes, how? If no, why?

This one question can reformulate both of the questions above:

- can I build an Internet domain (so a public one) in a LAN behind ONE public IP address and have the authoritative nameserver of the domain inside the LAN?

Thank you


----------



## tommiie (Mar 6, 2019)

What do you mean with "discoverable" over the Internet? If you implement a NAT rule on the ISP router so that inbound TCP sessions get translated to the private IP address of the webserver _and_ you configure a pfSense firewall rule to allow the traffic _and_ (optionally) you configure a DNS A record pointing to your public IP address, it will be "discoverable" over the internet. Explaining how to do that will fill quite a large article and will depend on your ISP's router.

The DNS server can be made authoritative for a domain name you've purchased. You will need an additional NAT rule on the ISP's router for port 53. Note that DNS requires two authoritative DNS servers. This is the first; where is the second? When buying a domain name you can most likely get DNS hosting for free. You can use those two DNS servers as slaves for the primary master in your internal network.


----------



## rtsiresy (Mar 6, 2019)

hello Tommiie ... thanks a lot for the answer ... and don't worry, I know exactly how to do the things you said and yes, I know there have to be at least 2 authoritative nameservers
... the question was about a misunderstanding of principles ...
so I get the answer ... but when you said to configure an A record for the public address; where should I configure it?? in the DNS server (the one which is in the LAN)?


----------



## SirDice (Mar 6, 2019)

rtsiresy said:


> but when you said to configure an A record for the public address; where should I configure it?? in the DNS server???


Your DNS server is only used internally. So you need to do this in the DNS management of your registered domain. 

Public domains need to be registered with a domain registrar. You can't simply "inject" your own domains on the internet. 

Domain name registrar - Wikipedia (en.wikipedia.org)

Domain name registry - Wikipedia (en.wikipedia.org)

----------



## rtsiresy (Mar 6, 2019)

Hello SirDice and thanks for the answer ...
I know I'll have to register for a domain ... but what I want to know is if I can host my own authoritative nameserver in a LAN which is behind ONE public address ... but now I think I got it ... it's just all about NAT ...


----------



## SirDice (Mar 6, 2019)

rtsiresy said:


> but what I want to know is if I can host my own authoritative nameserver in a LAN which is behind ONE public address


Usually no. You need at least TWO authoritative DNS servers on different networks. Some hosting providers allow you to simply slave your server, though. The provider then takes care of the hosting on the internet. Changes to your DNS are automatically pushed to the provider's slaves.

Whatever setup you go for, I would first start eliminating the double NAT you have on your network. Your ISP router does NAT and your pfSense does it too. This can be made to work but will make forwarding packets from outside to inside more complicated.
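The arrangement tommiie and SirDice describe (an internal primary that is authoritative, reachable through the one public IP via a port-53 NAT rule, with a provider's server as the second authoritative nameserver that slaves the zone) looks like the following zone file. This is an added example, not something posted in the thread; `example.com`, the public address `203.0.113.10` (documentation range) and the provider's secondary `ns2.provider.example` at `198.51.100.53` are constructed placeholders.

```zone
$TTL 3600
$ORIGIN example.com.
; SOA names the internal primary (ns1); bump the serial on every change
; so the provider's secondary picks up the new zone on NOTIFY/refresh
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2019030601 ; serial (YYYYMMDDnn)
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; negative-cache TTL

; Two authoritative servers on different networks: the internal primary
; and the provider's secondary (a slave of ns1)
@       IN NS   ns1.example.com.
@       IN NS   ns2.provider.example.

; Glue for ns1: it is inside the LAN, so its public name resolves to the
; single public IP, where the ISP router forwards UDP/TCP 53 to the LAN host
ns1     IN A    203.0.113.10

; The webserver sits behind the same public IP; TCP 80/443 are forwarded
; by the same NAT rule set, so its public records also point there
@       IN A    203.0.113.10
www     IN A    203.0.113.10
```

On the internal primary (BIND on FreeBSD, zone file path assumed), the zone stanza in `named.conf` would then restrict zone transfers to the provider's secondary and push changes to it: `allow-transfer { 198.51.100.53; };` together with `also-notify { 198.51.100.53; }; notify yes;`. Two caveats a practitioner would check: the port-53 forward must cover both UDP and TCP (zone transfers and large responses use TCP), and if the same server also answers LAN clients it will hand them the public address, so either hairpin NAT on the pfSense or a separate internal view is needed for the webserver to be reachable by name from inside.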


----------



## rtsiresy (Mar 7, 2019)

okay ... copy that


----------



## ucomp (Mar 7, 2019)

You won't have anything to do with authoritative nameservers on your own network
for learning purposes....

From your other thread :


rtsiresy said:


> ... server is at my workplace ...





rtsiresy said:


> ......internet connection at work was cut for a week .......



the above is a situation where you really have to do with DNS....
means: you need a failover DNS monitor.
A monitor checks the health of your DNS and if it fails, points automatically to a healthy system.
In a production environment you'll always have more than 1 physical server location.
And DNS tells the rest of the world where your servers are located.


----------



## ralphbsz (Mar 8, 2019)

Ultimately, the question to ask is: Why do you want to run your own DNS server and web server?

Is it for production use, for something that makes money?  Is your time valuable?  Do you lack the skills to do this right, at industrial strength (you clearly do, considering your questions)?  If you answered at least one of those questions with "yes", then you are MUCH better off getting some company (perhaps the same that registers your domain) to perform these tasks for you.  It will cost a little bit, but it will work so much better, with much less risk and investment of your time, that it will be worth the money.  I personally haven't shopped for web server and DNS server for small domains in many years, but the one non-profit for which I run the domain pays $9.95 per month for web, e-mail, domain, DNS, the whole works, from a reputable (smallish and local) company, with excellent customer support.  Worth every penny.  I would never attempt to do this myself.

If you are doing it only as a hobby, to learn how to do it, then by all means try it.  But please stay off the public internet until you're really good at it, otherwise you'll hurt yourself.  Set up a DNS server for your internal use, make it serve internal addresses (in your setup you can have quite a few nodes inside that are not visible in public), set up a web server, make sure it can serve HTTP and get the SSL certificates for it, secure it, and so on.

My setup at home is quite similar (except without the double NAT). I have an internal DNS server, but also replicated public (paid-for) DNS servers.  I have an internal web server, which is actually a little bit visible in public (alas not on a publicly visible address, nor on a normal port).  But setting it up is quite a bit of work, and requires serious understanding of the underlying technologies, not just a few simple messages on a discussion forum.


----------



## ucomp (Mar 8, 2019)

ralphbsz said:


> .... serious understanding of the underlying technologies, not just a few simple messages on a discussion forum.


... depends on the quality of the messages in the discussion forum
nearly all messages here from the experts are of good quality.......
it becomes difficult only when it comes to FreeBSD itself ... because developers usually read source code and not forum posts ;-)


----------



## rigoletto@ (Mar 8, 2019)

Dynu offers almost anything an individual (or even an SMB) may want about DNS, for free.


----------



## ucomp (Mar 8, 2019)

rigoletto@ said:


> Dynu offers almost anything an individual (or even an SMB) may want about DNS, for free.


the most interesting feature is not free but a free trial; I also use such a provider (not Dynu) and it's worth the money if you really use a production environment based on your own bare metal


----------



## rtsiresy (Mar 11, 2019)

*ucomp* ... yes, it is for learning purposes ... as I'm a *trainee* ...


----------

