# BIND and Squid through NAT



## Anonymous (Feb 15, 2010)

Hi, I've forwarded the necessary ports through my router (53 UDP + TCP, and 3128 TCP),
but when I configure my box to use my router's WAN IP address for DNS and Squid, neither works. With DNS I get the typical "unknown host", and accessing pages with it as the proxy tells me I am not on the ACL or something like that, whatever the default message would be. Configs are default for both services. Also, I was wondering if anyone could tell me where to find a tutorial on how to add password authentication to Squid and add/remove users; I tried Google but couldn't find anything. Thanks


----------



## SirDice (Feb 15, 2010)

You don't need to forward those ports on your router. Your internal clients on your LAN need to connect to the internal address of your box.


----------



## Anonymous (Feb 15, 2010)

Well yeah, the idea is that people not on my LAN are to access them. I'm trying to create a website that provides these services so I can show employers and hopefully get a job :e


----------



## Anonymous (Feb 15, 2010)

I've been looking through the documentation and think I can figure out how to configure Squid to do what I want. But how do I forward BIND through NAT? I've forwarded the port, but that doesn't seem to be working. What do I do? Nobody knows?


----------



## DutchDaemon (Feb 15, 2010)

I don't understand your setup. Time for some detailed ascii art.


----------



## Anonymous (Feb 15, 2010)

Haha, yeah, a better explanation would have helped. It's just my FreeBSD host running a default installation of BIND behind a NAT router, and then off to the Internet where I have a client that I have configured to use the WAN IP address of the router as its nameserver. Ports 53 UDP and TCP are forwarded from the NAT router to the server.




```
Server         Router w/ NAT              Client A
 ____                 ____                            ____
[    ]==============>[    ]==========================[    ]
[____]BIND           [____] 222.111.333.444          [____]
```
Client A has "nameserver 222.111.333.444" in /etc/resolv.conf


----------



## DutchDaemon (Feb 15, 2010)

Well, use tcpdump to ascertain whether those packets even make it to the external interface and whether a reply is generated.


----------



## Anonymous (Feb 15, 2010)

I'm on a WLAN with a couple of other clients, so there are all kinds of crazy broadcasts and handshakes etc. that show up on tcpdump. Is there some way to filter out that stuff and just focus on DNS requests?


----------



## SirDice (Feb 15, 2010)

Before you go further, don't open up DNS and/or Squid to the world without realizing its security implications. Especially an open proxy on the Internet is a recipe for disaster. At least on your part. For spammers and kindred spirits an open proxy is a godsend. Certainly not something you want to advertise to your future employers. And I'm not even going to mention that your ISP will most likely cut you off very quickly.

As for tcpdump, something like this:

```
tcpdump -ni re0 port 53 and host 192.168.1.12
```

You can add one or more *-v* options and tcpdump will give lots more information. The *-X* option is also quite handy. See tcpdump(1) for more information.


----------



## Anonymous (Feb 15, 2010)

Ok, I'm an idiot. I spent all night trying this but was reversing a part of the IP address. I'm trying to figure out a way to make Squid secure before I put it up; I'm going to look into their username/password options first. By the way, thanks for the tcpdump command. What are the risks with opening up BIND?


----------



## SirDice (Feb 15, 2010)

BIND recently had a few issues surface, mostly to do with cache poisoning and other tricks to make BIND give false or redirected results. As long as you run the latest version, I think most of the issues have been resolved. Doesn't hurt to be aware of the risks involved with anything and everything you open up on the Internet.
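The two warnings in this thread (SirDice's point about open proxies, and the cache-poisoning risk of a recursive resolver that anyone on the Internet can query) both come down to one question: from outside the NAT, does the box answer requests it should refuse? The script below is an added example, not code from the thread or from the BIND/Squid projects. It wraps the tcpdump filter SirDice gave (interface `re0` and host `192.168.1.12` are his values), and adds two small verdict functions that read a `dig(1)` answer and an HTTP reply from `curl(1)` and say whether the resolver recursed for an outside client and whether the proxy relayed, asked for credentials, or denied. `WAN_IP` is a placeholder (the thread's `222.111.333.444` is not a valid address); the sample `dig` and HTTP replies at the bottom are constructed so the verdict logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a BSD-like host with tcpdump(1), dig(1)
# and curl(1). re0 / 192.168.1.12 come from SirDice's post; WAN_IP is a placeholder
# (203.0.113.10 is a documentation address, not anyone's real router).
WAN_IP=${WAN_IP:-203.0.113.10}

# 1. Capture only DNS traffic involving the BIND box, leaving out WLAN chatter.
#    -nn keeps addresses and ports numeric, -v prints the DNS header and records.
dns_capture() {
    tcpdump -nn -v -i "${1:-re0}" "port 53 and host ${2:-192.168.1.12}"
}

# 2. Read a dig(1) answer for a name this server is NOT authoritative for.
#    status NOERROR + 'ra' flag + at least one answer means the server recursed for an
#    arbitrary outside client, i.e. it is an open resolver (exactly what exposes its cache
#    to poisoning attempts from anywhere). Anything else counts as closed.
resolver_verdict() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'status: NOERROR' &&
       printf '%s\n' "$out" | grep -q ';; flags:.* ra[; ]' &&
       printf '%s\n' "$out" | grep -q 'ANSWER: [1-9]'; then
        echo open
    else
        echo closed
    fi
}

# 3. Read the status line of the proxy's reply to a request sent through port 3128:
#    200 = it relayed for a stranger (open proxy), 407 = Squid is demanding credentials,
#    403 = the http_access rules denied the request outright.
proxy_verdict() {
    status=$(printf '%s\n' "$1" | head -n 1)
    case $status in
        *" 200 "*) echo open ;;
        *" 407 "*) echo auth-required ;;
        *" 403 "*) echo denied ;;
        *)         echo unknown ;;
    esac
}

# 4. Live checks; run these from a host OUTSIDE your LAN against your own WAN address.
check_from_outside() {
    resolver_verdict "$(dig @"$WAN_IP" example.com A +time=3 +tries=1)"
    proxy_verdict "$(curl -sS -I --max-time 5 -x "http://$WAN_IP:3128" http://example.com/ 2>&1)"
}

# Constructed sample replies (not real captures) for exercising the verdict logic offline.
DIG_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
example.com.    3600    IN    A    203.0.113.5'
DIG_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
HTTP_OPEN='HTTP/1.1 200 OK
Via: 1.1 proxy (squid)'
HTTP_AUTH='HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: Basic realm="Squid proxy"'

# Usage:  sh check.sh        -> verdicts for the constructed samples
#         sh check.sh probe  -> live checks against $WAN_IP
if [ "${1:-}" = probe ]; then
    check_from_outside
else
    echo "sample open resolver:   $(resolver_verdict "$DIG_OPEN")"
    echo "sample closed resolver: $(resolver_verdict "$DIG_REFUSED")"
    echo "sample open proxy:      $(proxy_verdict "$HTTP_OPEN")"
    echo "sample proxy with auth: $(proxy_verdict "$HTTP_AUTH")"
fi
```

The verdict you want from outside is `closed` for BIND and `auth-required` (or `denied`) for Squid. On the BIND side that means limiting recursion to your own networks (the `allow-recursion` option in `named.conf`, or `recursion no;` if the box is only meant to serve its own zones); on the Squid side it means keeping `http_access deny all` as the last rule and allowing only an ACL that requires a login, which is what the `auth_param basic program ...` and `acl <name> proxy_auth REQUIRED` directives in `squid.conf` are for (the helper program's path depends on your Squid version, so check the port's documentation rather than copying one from a tutorial).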


----------

