著者: Simon Hobson 日付: To: dng@lists.dyne.org 題目: Re: [DNG] Jitsi-meet server in DMZ
g4sra <g4sra@???> wrote:
>> It is as simple as needing to connect to the server at different IPs (i.e. the internal IP from inside, the external IP from outside), but using the same URL ?
>
> In a nutshell, yes.
OK, then I'd use split horizon DNS - problem solved (but noting the comment made about Android).
As also noted, SIP is one of the things that is well and truly screwed up by NAT - not that you'll find many NAT apologists admitting that. And in my experience, SIP ALGs (Application Level Gateways) can screw things up more than they fix.
>> If so, then split horizon DNS is your friend - and I'm assuming that's
>> what you are referring to when you say using BINDs response policy.
> No.
>
> BIND's 'responce policy' is a, um, policy similar to a normal zone BUT anything in this zone can mask a real resolve from occurring.
I hadn't seen that one, it's newer than when I last setup a BIND server.
>> Some will tell you that it's wrong - but as long as we have NAT then it's a decent and reliable workaround for the breakage that NAT causes.
> The reason it is wrong is...your internal DNS server is exposed to to a higher hacking threat than if you had two separate servers, with the one in the DMZ serving external queries and the internal one on the local lan behind a secondary firewall.
It can be done with two different servers, and that's (sort of) actually how I have it. My own server is not internet accessible other than from secondary servers at a hosting company which publicly host my external zone for me.
But the reason I was told, with absolute certainty" by a supposedly professional consultant is that firstly I should not have different servers with the same name - e.g. internal and external web server for the same domain. But mostly, I should not be running my own DNS because only our ISP could keep our zone up to date !
In hindsight, with a little effort and guided learning I could have been a consultant with that sort of job - except that I never had, and never had the desire to have, the gift of "bulls**tting my way through anything".