Getting equal HTTP performance with a world-visible address versus a local IP address

1

I have a web server sitting behind a NAT. The web server therefore has two IP addresses: one that is world visible, and one that is visible only on the LAN.

For the purpose of mobile devices, I would like to be able to refer to pages on the server from a single address, e.g. www.myhost.com in both cases, instead of using the local IP address such as 192.168.1.x when the device is on the LAN and www.myhost.com when the device is outside the LAN. There are two reasons for this: first, it is rather inconvenient to have to manually switch between addresses based on where one is at. Second, there is no separate SSL certificate for the LAN IP address resulting in annoying browser warnings that must be clicked through.

However, presumably due to the fact that traffic through the www.myhost.com style address has to go through the NAT and 192.168.1.x traffic does not, there is a substantial performance difference - transfer rates on the LAN are over 6x faster.

Is there some way to always use the world visible name and yet get LAN performance when on the LAN?

I don't have access to the DNS server in either case, but would something like multicast DNS (aka Bonjour) work?

To make things a bit more complicated, I would also like it to work for a second site. It has a different domain, e.g. www.myhost2.com, which replicates the first host. Ideally, www.myhost.com would resolve to the IP for www.myhost2.com in the second site's LAN.

Michael

Posted 2014-01-11T22:31:45.453

Reputation: 2 242

Where is the nameserver for www.myhost.com? If you operate it, what OS is it running? What operating system / webserver are you using? – Mike Pennington – 2014-01-11T23:18:42.680

Are you suggesting a DNS suggestion whereby I make www.myhost.com resolve to the 192.168.1.x address on the LAN? – Michael – 2014-01-11T23:20:38.317

Yes, that's exactly what I'm suggesting; there are ways to split DNS resolution on a LAN, such that it's different than internet A records – Mike Pennington – 2014-01-11T23:38:59.080

Mike is suggesting either using different DNS views, or using a split-brain resolver. BTW, unless you're using an antiquated device, performing NAT should have no discernible impact. – Ron Trunk – 2014-01-11T23:58:14.947

@Ron Strangely enough of the two NATs I tested, the newer one has a larger performance difference, but that may be because the LAN is gigabit. – Michael – 2014-01-12T02:25:27.097

@michael What kind of equipment? – Ron Trunk – 2014-01-12T13:08:08.670

Answers

2

Assumptions

  • The FW forwards 80/tcp and 443/tcp to 192.168.1.5 (green httpd)
  • The FW issues DHCP Option 6, which currently points to an external nameserver on the internet (red Public DNS)
  • The public DNS A record for www.myhost.com is 198.51.100.20

Solution

  • Build a DNS Resolver at 192.168.1.10 for your private network (dark red bind / bonjour)
  • Add a private zone file on your private DNS for myhost.com (dark red bind / bonjour)
  • Configure your DHCP server's DHCP Option 6 (Domain Name Server) to point to 192.168.1.10

Why your webserver is slow now

Some firewalls don't know how to NAT for 198.51.100.20 from the inside interface, so they send all traffic to the ISP (who then sends traffic for www.myhost.com back to 198.51.100.20). This round trip toward the ISP router and back is what slows you down.

Diagram Reference: Home network

Your network may look different, but the only things that really matter are your web server and internal nameserver.

Example bind resolver configuration for this network

It sounds like you're running OSX, so I'll give *nix configs, but you can set up a similar resolving nameserver with Windows.

I have to do something similar at home; this is a transcribed version of my bind configs. Remember that bind loves tabs. Once you get bind running it's possible to integrate bind with bonjour, but that's not really required.

Technically it is possible to collapse your nameserver and httpd onto the same machine, but I would keep them separated for security purposes. Another FYI, it's somewhat risky to host a webserver without a real DMZ, but we're getting outside the scope of your question now.

File /etc/bind/named.conf:
include "/etc/bind/named.conf.options";

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";
File /etc/bind/named.conf.options:
acl kill_clients {
        192.168.1.32;  // Black hole requests here (I have a cheap webcam)
};
acl valid_clients {
        192.168.1.0/24;
        127.0.0.0/8;
};

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

    // forwarders {
    //  0.0.0.0;
    // };

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    listen-on { any; };
    // Only answer (and recurse for) the LAN and loopback, so this box
    // cannot be used as an open resolver if port 53 is ever reachable.
    allow-query { valid_clients; };
    allow-recursion { valid_clients; };
    blackhole { kill_clients; };
    forwarders {4.2.2.2; 8.8.8.8; };  // Replace with your ISP DNS servers
};
// Configure the communication channel for Administrative BIND9 with rndc
// By default, the key is in the rndc.key file and is used by rndc and bind9
// on the localhost
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; };
};
File /etc/bind/named.conf.local:
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "myhost.com" {
        type master;
        file "/etc/bind/db.myhost";
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.1.0";
};
File /etc/bind/db.myhost:
;
; BIND data file for the private (LAN-side) view of myhost.com
;
$TTL    3600
myhost.com. IN  SOA ns.myhost.com. hostmaster.myhost.com. (
             2013010901     ; Serial (YYYYMMDDnn; must fit in 32 bits)
                   3600     ; Refresh
                  86400     ; Retry
                2419200     ; Expire
                   3600 )   ; Negative Cache TTL
;
myhost.com. IN  NS  ns.myhost.com.

www IN  A   192.168.1.5
www-public  IN  A   198.51.100.20
ns  IN  A   192.168.1.10
fw  IN  A   192.168.1.254
File /etc/bind/db.192.168.1.0:
$TTL    3600
@   IN  SOA ns.myhost.com. root.myhost.com. (
            2013010901  ; serial
            14400       ; refresh
            3600        ; retry
            604800      ; expire
            10800 )     ; minimum

1.168.192.in-addr.arpa. IN  NS  ns.myhost.com.

10  IN  PTR ns.myhost.com.
5   IN  PTR www.myhost.com.
254 IN  PTR fw.myhost.com.

Mike Pennington

Posted 2014-01-11T22:31:45.453

Reputation: 2 273
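As an added example (not part of Mike's answer), a small Python check for the internal zone above: it parses a db.myhost-style file, confirms the SOA serial fits BIND's 32-bit field, and flags any LAN hostname whose A record is not an RFC 1918 address, which would send LAN clients back out through the NAT. The zone text is constructed to mirror the answer's file, and treating `www` as the only LAN name is an assumption.

```python
import ipaddress
import re
# Constructed to mirror the answer's db.myhost (not copied from a live system).
INTERNAL_ZONE = """\
$TTL    3600
myhost.com. IN  SOA ns.myhost.com. hostmaster.myhost.com. (
           2013010901     ; Serial
               3600     ; Refresh
              86400     ; Retry
            2419200     ; Expire
               3600 )   ; Negative Cache TTL
myhost.com. IN  NS  ns.myhost.com.
www IN  A   192.168.1.5
www-public  IN  A   198.51.100.20
"""

SERIAL_MAX = 2**32 - 1  # SOA serial is an unsigned 32-bit field (RFC 1035)
# RFC 1918 ranges, checked explicitly: ipaddress.is_private also counts 198.51.100.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def strip_comments(text):
    # Drop ';' comments but keep one record per line.
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())

def parse_zone(text):
    """Return (soa_serial, {owner: address}) for a simple $TTL/SOA/NS/A zone."""
    body = strip_comments(text)
    m = re.search(r"\bSOA\b[^(]*\(\s*(\d+)", body)  # first number inside the SOA parens
    serial = int(m.group(1)) if m else None
    a_records = {}
    for line in body.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == "IN" and f[2] == "A":
            a_records[f[0]] = f[3]
    return serial, a_records

def check_internal_zone(text, lan_names=("www",)):
    """Return a list of problems; an empty list means the internal zone looks sane."""
    serial, a_records = parse_zone(text)
    problems = []
    if serial is None or not 0 <= serial <= SERIAL_MAX:
        problems.append(f"SOA serial {serial} is missing or does not fit in 32 bits")
    for name in lan_names:
        addr = a_records.get(name)
        if addr is None:
            problems.append(f"no A record for {name} in the internal zone")
        elif not any(ipaddress.ip_address(addr) in net for net in RFC1918):
            problems.append(f"{name} -> {addr} is not a LAN address; clients would hairpin through the NAT")
    return problems
```

Run it against each private zone file before reloading bind; an empty list means the LAN view hands out LAN addresses and the serial will load.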

Thanks a lot, that looks very thorough; I'll try it out when I get back to my desktop Monday. – Michael – 2014-01-12T06:20:49.173

Ok, I'm curious... is your webserver running on OSX? – Mike Pennington – 2014-01-12T06:21:50.100

One of them is. Well the other is too if you ignore reverse proxies... – Michael – 2014-01-12T06:23:46.420

By the way, I assume the www-public is put there in case you want to access from the outside. This seems to assume that 198.51.100.20 is static; what if this is not the case? Or to put it in a more useful way, is there some way to set up a binding, e.g. old.myhost.com, such that it goes to whatever address myhost.com would have resolved to before implementing the new lookup? (I still want a way to access myhost.com from a remote location even though normally I want it to redirect to a local machine.) – Michael – 2014-02-26T21:11:03.397