From owner-freebsd-pf@FreeBSD.ORG Wed Jul 20 10:24:22 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4AF6D16A41F for ; Wed, 20 Jul 2005 10:24:22 +0000 (GMT) (envelope-from tataz@tataz.chchile.org)
Received: from postfix4-2.free.fr (postfix4-2.free.fr [213.228.0.176]) by mx1.FreeBSD.org (Postfix) with ESMTP id C835343D46 for ; Wed, 20 Jul 2005 10:24:21 +0000 (GMT) (envelope-from tataz@tataz.chchile.org)
Received: from tatooine.tataz.chchile.org (vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98]) by postfix4-2.free.fr (Postfix) with ESMTP id 06F033220D8; Wed, 20 Jul 2005 12:24:21 +0200 (CEST)
Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id E0EDF405B; Wed, 20 Jul 2005 12:24:11 +0200 (CEST)
Date: Wed, 20 Jul 2005 12:24:11 +0200
From: Jeremie Le Hen
To: Alberto Alesina
Message-ID: <20050720102411.GU39292@obiwan.tataz.chchile.org>
References: <20050720085312.40260.qmail@web32602.mail.mud.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050720085312.40260.qmail@web32602.mail.mud.yahoo.com>
User-Agent: Mutt/1.5.9i
Cc: freebsd-pf@freebsd.org
Subject: Re: PF NAT and DNS
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 20 Jul 2005 10:24:22 -0000

Hi Alberto,

> Does PF NAT have support for DNS ALG as described in
> RFC 2694 - DNS extensions to "Network Address
> Translators" (changing IP addresses in DNS payloads
> for certain DNS traffic types based on NAT entries)?

AFAIK, no, this is not supported, and this is not planned to be.
> If not, what is the PF recommended way for avoiding
> issues with DNS/NAT when the DNS server and DNS
> clients are on different sides of the NAT?

I would advise you to create a DNS server for the internal side.

Another solution that I'm currently using (but it may not be applicable in your case) is to move the DNS server into the internal network. Then I use Bind9's zones to make a different reply depending on whether the request is coming from the internal network or from the Internet.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
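The split-horizon setup described in the reply (one DNS server answering differently to internal and Internet clients) is normally done with BIND 9 views. The following named.conf excerpt is an added example, not configuration from the mail or from any project; the zone name example.org, the 192.168.0.0/24 internal network, the /etc/namedb paths and the addresses in the comments are all constructed for illustration.

```conf
// named.conf excerpt (added example, constructed values throughout).
// Clients on the internal network get the "internal" view, which
// answers with private (pre-NAT) addresses; everyone else gets the
// "external" view, which answers with the public (post-NAT) address.

// Hosts that sit on the internal side of the NAT, plus the name
// server itself so local lookups also see the internal view.
acl internal { 192.168.0.0/24; 127.0.0.1; };

// Views are tried in order; the first one whose match-clients
// matches the source address wins, so "internal" must come first.
view "internal" {
    match-clients { internal; };
    // Recursion is only offered to internal clients, so the server
    // is not an open resolver toward the Internet.
    recursion yes;

    zone "example.org" {
        type master;
        // Contains e.g.  www  IN A  192.168.0.10   (private address)
        file "/etc/namedb/master/example.org.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    zone "example.org" {
        type master;
        // Contains e.g.  www  IN A  203.0.113.5    (public NAT address)
        file "/etc/namedb/master/example.org.external";
    };
};
```

Verify the split from each side with `dig @<server> www.example.org A`: an internal client should see 192.168.0.10 and an Internet client 203.0.113.5, and `named-checkconf` catches syntax errors before reload.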