How to choose public DNS provider for an ISP
-
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of your subs will be double NAT'ed?
That's what I'm considering. What are the potential problems with this?
It's confusing at best for the users and breaks lots of software.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of your subs will be double NAT'ed?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So if I put in a request for a port, no other customer can have it? How will that work? Say I want to have a PBX, I'm the only person that can make calls?
-
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of your subs will be double NAT'ed?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
Like a VPN for example.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@travisdh1 said in How to choose public DNS provider for an ISP:
If it were me, I'd just provide full internet access. If you really feel strongly about helping people help themselves, then maybe offer an option to use a DNS service provided by you through something like Pi-Hole, but that would have to be optional. People get all kinds of cranky when they can't use the "coupon" websites and applications, where coupon is actually malware of course.
Thank you. I could set up a Pi-hole system. I tell the sub about this alternative DNS. If they opt in, I change their DNS to point to my Pi-hole. But they have to choose to be a part of it; otherwise they get straight Internet.
Just let them do their own at that point.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of your subs will be double NAT'ed?
That's what I'm considering. What are the potential problems with this?
Think about it conceptually. No ISP puts a global firewall in front of its clients. You are building a single corporate LAN environment here rather than an ISP WAN network, basically. Nothing will work as expected. And you will guarantee that at least one private range that they should be able to use will be broken.
You are thinking of this as an SMB IT department trying to control employees, rather than an ISP trying to provide service to customers.
-
@scottalanmiller said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of your subs will be double NAT'ed?
That's what I'm considering. What are the potential problems with this?
Think about it conceptually. No ISP puts a global firewall in front of its clients. You are building a single corporate LAN environment here rather than an ISP WAN network, basically. Nothing will work as expected. And you will guarantee that at least one private range that they should be able to use will be broken.
You are thinking of this as an SMB IT department trying to control employees, rather than an ISP trying to provide service to customers.
Uhm... just about every ISP is doing carrier grade NAT anymore. It's caused all sorts of headaches in Millersburg because some goofball decided to use 192.168.1.X for their CGNAT. #fail
-
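Two of the NAT problems raised in this thread can be checked mechanically before a CGNAT box goes live: an inside pool that collides with a range subscribers already use at home (the 192.168.1.X case above), and a forwarded public port that, once granted to one customer, cannot be granted to another on the same public address (the PBX question earlier in the thread). The following is an added Python example and is not code from any poster; it uses the fact that RFC 6598 reserves 100.64.0.0/10 specifically for carrier-grade NAT, and the `ForwardTable` class is a hypothetical bookkeeping model, not a real vendor API. The addresses in the demo (203.0.113.5 from the documentation range, 100.64.0.x inside) are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Ranges subscribers already use behind their own routers (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Shared Address Space set aside for carrier-grade NAT (RFC 6598).
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


def check_cgnat_pool(pool: str) -> dict:
    """Report whether a proposed inside pool collides with what customers use themselves."""
    net = ipaddress.ip_network(pool, strict=True)
    overlaps = [str(r) for r in RFC1918 if net.overlaps(r)]
    in_shared = net.subnet_of(SHARED_ADDRESS_SPACE)
    return {
        "pool": str(net),
        "overlaps_rfc1918": overlaps,   # any hit here breaks that range for every subscriber
        "in_shared_space": in_shared,
        "ok": not overlaps and in_shared,
    }


class PortConflict(Exception):
    """Raised when a public port is already forwarded to a different subscriber."""


@dataclass
class ForwardTable:
    """Hypothetical bookkeeping for port forwards on a CGNAT box (constructed, not a real product API)."""
    public_ips: list            # the ISP's routable addresses
    pool: str                   # inside pool handed to subscribers
    entries: dict = field(default_factory=dict)

    def __post_init__(self):
        self.public_ips = [ipaddress.ip_address(p) for p in self.public_ips]
        self.pool = ipaddress.ip_network(self.pool)

    def request(self, public_ip: str, proto: str, port: int, inside_ip: str) -> tuple:
        """Grant (public_ip, proto, port) -> inside_ip, refusing if another subscriber holds it."""
        pub = ipaddress.ip_address(public_ip)
        inside = ipaddress.ip_address(inside_ip)
        if pub not in self.public_ips:
            raise ValueError(f"{pub} is not one of our public addresses")
        if inside not in self.pool:
            raise ValueError(f"{inside} is outside the subscriber pool {self.pool}")
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port {port}")
        key = (str(pub), proto.lower(), int(port))
        holder = self.entries.get(key)
        if holder is not None and holder != str(inside):
            raise PortConflict(f"{key} already forwarded to {holder}")
        self.entries[key] = str(inside)
        return key

    def who_has(self, public_ip: str, proto: str, port: int):
        """Return the inside address currently holding a forward, or None."""
        return self.entries.get((str(ipaddress.ip_address(public_ip)), proto.lower(), int(port)))


if __name__ == "__main__":
    # Constructed demo: the pool choice mocked in the thread versus the RFC 6598 space.
    print(check_cgnat_pool("192.168.1.0/24"))
    print(check_cgnat_pool("100.64.0.0/22"))
    table = ForwardTable(public_ips=["203.0.113.5"], pool="100.64.0.0/22")
    print(table.request("203.0.113.5", "udp", 5060, "100.64.0.10"))
    try:
        table.request("203.0.113.5", "udp", 5060, "100.64.0.11")
    except PortConflict as exc:
        print("second PBX refused:", exc)
```

The pool check is the cheap part; the forward table is what turns the thread's "only one person can make calls" remark into an enforced invariant, and the same structure is where you would hang per-customer limits and an audit log once exceptions are handled through a form as suggested later in the thread.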
@travisdh1 said in How to choose public DNS provider for an ISP:
@scottalanmiller said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of your subs will be double NAT'ed?
That's what I'm considering. What are the potential problems with this?
Think about it conceptually. No ISP puts a global firewall in front of its clients. You are building a single corporate LAN environment here rather than an ISP WAN network, basically. Nothing will work as expected. And you will guarantee that at least one private range that they should be able to use will be broken.
You are thinking of this as an SMB IT department trying to control employees, rather than an ISP trying to provide service to customers.
Uhm... just about every ISP is doing carrier grade NAT anymore. It's caused all sorts of headaches in Millersburg because some goofball decided to use 192.168.1.X for their CGNAT. #fail
Down here in Mexico, almost all cable companies that also provide internet service use CGNAT as well; the downside is that they are also some of the worst providers, but they do use it.
-
@romo said in How to choose public DNS provider for an ISP:
@travisdh1 said in How to choose public DNS provider for an ISP:
@scottalanmiller said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of your subs will be double NAT'ed?
That's what I'm considering. What are the potential problems with this?
Think about it conceptually. No ISP puts a global firewall in front of its clients. You are building a single corporate LAN environment here rather than an ISP WAN network, basically. Nothing will work as expected. And you will guarantee that at least one private range that they should be able to use will be broken.
You are thinking of this as an SMB IT department trying to control employees, rather than an ISP trying to provide service to customers.
Uhm... just about every ISP is doing carrier grade NAT anymore. It's caused all sorts of headaches in Millersburg because some goofball decided to use 192.168.1.X for their CGNAT. #fail
Down here in Mexico, almost all cable companies that also provide internet service use CGNAT as well; the downside is that they are also some of the worst providers, but they do use it.
It's pretty rare here from what I can tell. I never see people getting non-public IPs.
-
@scottalanmiller - I didn't even know that was a thing.
-
@wrx7m said in How to choose public DNS provider for an ISP:
@scottalanmiller - I didn't even know that was a thing.
It exists, but I had no idea that people were seeing it commonly, so many things break when you do that.
-
If one of the arguments is to increase security, why not simply do a separate management VLAN using private IP addressing? You can have the customer facing network, aka the Internet, on say VLAN A, and then have the private management network on VLAN B? Implement the appropriate firewalling/ACLs so the two VLANs cannot talk to each other.
-
@anthonyh said in How to choose public DNS provider for an ISP:
If one of the arguments is to increase security, why not simply do a separate management VLAN using private IP addressing? You can have the customer facing network, aka the Internet, on say VLAN A, and then have the private management network on VLAN B? Implement the appropriate firewalling/ACLs so the two VLANs cannot talk to each other.
That is the plan anyways. The question here really wasn't about public versus private IP addresses (though that is going to raise my overhead $500/year), but more about whether I should just hand the customer Google DNS addresses via DHCP or give them something that is more privacy-focused but might also restrict their access to the internet.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@anthonyh said in How to choose public DNS provider for an ISP:
If one of the arguments is to increase security, why not simply do a separate management VLAN using private IP addressing? You can have the customer facing network, aka the Internet, on say VLAN A, and then have the private management network on VLAN B? Implement the appropriate firewalling/ACLs so the two VLANs cannot talk to each other.
That is the plan anyways. The question here really wasn't about public versus private IP addresses (though that is going to raise my overhead $500/year), but more about whether I should just hand the customer Google DNS addresses via DHCP or give them something that is more privacy-focused but might also restrict their access to the internet.
You are right. My bad.
-
@nerdydad said in How to choose public DNS provider for an ISP:
@anthonyh said in How to choose public DNS provider for an ISP:
If one of the arguments is to increase security, why not simply do a separate management VLAN using private IP addressing? You can have the customer facing network, aka the Internet, on say VLAN A, and then have the private management network on VLAN B? Implement the appropriate firewalling/ACLs so the two VLANs cannot talk to each other.
That is the plan anyways. The question here really wasn't about public versus private IP addresses (though that is going to raise my overhead $500/year), but more about whether I should just hand the customer Google DNS addresses via DHCP or give them something that is more privacy-focused but might also restrict their access to the internet.
I would not consider anything but Google for a default. If they want more privacy that is 100% up to them. If they are using anything that comes from their ISP blindly they aren't concerned with privacy anyway. Remember, this is only the DNS that you hand to their firewall, not the one that they should be using for anything.
-
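The opt-in scheme discussed earlier in the thread (every subscriber's router gets a public resolver by default; a subscriber who asks is switched to the ISP's Pi-hole) and the "Google for a default" advice just above can both be expressed as dnsmasq DHCP tagging. The following is an added Python example, not code from any poster. It assumes the ISP's DHCP server is dnsmasq, that an opted-in subscriber is identified by the MAC address of their router, and that 10.20.0.53 is a constructed address for the Pi-hole on the management network; the function names are mine. In dnsmasq, a `dhcp-option` carrying a matched tag takes precedence over the untagged option of the same number, which is what makes the per-subscriber switch work without touching the default.

```python
import re
from ipaddress import ip_address

# dnsmasq expects lower-case, colon-separated MACs in dhcp-host lines.
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalise_mac(mac: str) -> str:
    """Accept AA-BB-CC-DD-EE-FF or aa:bb:cc:dd:ee:ff; reject anything that is not a MAC."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def build_dns_config(default_dns, pihole_dns, opted_in_macs) -> str:
    """Return dnsmasq lines: public resolvers for everyone, Pi-hole only for tagged opt-ins."""
    # Validate every address so a typo cannot silently break name resolution for all subs.
    default = [str(ip_address(d)) for d in default_dns]
    pihole = str(ip_address(pihole_dns))
    lines = [
        "# Default for every subscriber: hand out the public resolvers unchanged.",
        "dhcp-option=option:dns-server," + ",".join(default),
        "# Hosts carrying the 'pihole' tag get the filtering resolver instead (tagged option wins).",
        f"dhcp-option=tag:pihole,option:dns-server,{pihole}",
    ]
    seen = set()
    for raw in opted_in_macs:
        mac = normalise_mac(raw)
        if mac in seen:            # same router listed twice: emit one dhcp-host line
            continue
        seen.add(mac)
        lines.append(f"dhcp-host={mac},set:pihole")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed opt-in list; 8.8.8.8/8.8.4.4 are Google's public resolvers as named in the thread.
    print(build_dns_config(["8.8.8.8", "8.8.4.4"], "10.20.0.53",
                           ["AA-BB-CC-DD-EE-01", "aa:bb:cc:dd:ee:02"]))
```

Because opting in is a single `dhcp-host` line per router, removing a subscriber from the list reverts them to the default resolvers on their next lease renewal with no other change, which keeps the "they have to choose to be a part of it" condition from the thread enforceable in one place.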
@travisdh1 said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of your subs will be double NAT'ed?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So long as your terms of service have the standard "You're not allowed to run a server" in them, who cares. Personally I'd like an online form I could fill out for any exceptions, even better to have it linked to in the TOS.
Most don't consider their using an Xbox as a server - not sure if it requires direct access or not? Just one consideration.
-
@dashrender said in How to choose public DNS provider for an ISP:
@travisdh1 said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of your subs will be double NAT'ed?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So long as your terms of service have the standard "You're not allowed to run a server" in them, who cares. Personally I'd like an online form I could fill out for any exceptions, even better to have it linked to in the TOS.
Most don't consider their using an Xbox as a server - not sure if it requires direct access or not? Just one consideration.
I don't know anyone opening ports for their Xbox to work.
-
@scottalanmiller said in How to choose public DNS provider for an ISP:
@dashrender said in How to choose public DNS provider for an ISP:
@travisdh1 said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of your subs will be double NAT'ed?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So long as your terms of service have the standard "You're not allowed to run a server" in them, who cares. Personally I'd like an online form I could fill out for any exceptions, even better to have it linked to in the TOS.
Most don't consider their using an Xbox as a server - not sure if it requires direct access or not? Just one consideration.
I don't know anyone opening ports for their Xbox to work.
It was a stab in the dark.
-
@dashrender said in How to choose public DNS provider for an ISP:
@scottalanmiller said in How to choose public DNS provider for an ISP:
@dashrender said in How to choose public DNS provider for an ISP:
@travisdh1 said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of your subs will be double NAT'ed?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So long as your terms of service have the standard "You're not allowed to run a server" in them, who cares. Personally I'd like an online form I could fill out for any exceptions, even better to have it linked to in the TOS.
Most don't consider their using an Xbox as a server - not sure if it requires direct access or not? Just one consideration.
I don't know anyone opening ports for their Xbox to work.
It was a stab in the dark.
I know at one point in time under strict NAT scenarios Xbox Live is unhappy. It's possible a double NAT may anger it. I don't know if that's true today though.
-
@anthonyh said in How to choose public DNS provider for an ISP:
@dashrender said in How to choose public DNS provider for an ISP:
@scottalanmiller said in How to choose public DNS provider for an ISP:
@dashrender said in How to choose public DNS provider for an ISP:
@travisdh1 said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of your subs will be double NAT'ed?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So long as your terms of service have the standard "You're not allowed to run a server" in them, who cares. Personally I'd like an online form I could fill out for any exceptions, even better to have it linked to in the TOS.
Most don't consider their using an Xbox as a server - not sure if it requires direct access or not? Just one consideration.
I don't know anyone opening ports for their Xbox to work.
It was a stab in the dark.
I know at one point in time under strict NAT scenarios Xbox Live is unhappy. It's possible a double NAT may anger it. I don't know if that's true today though.
It's amazing that it could fail under NAT; when would it ever be used without NAT?
-
@scottalanmiller said in How to choose public DNS provider for an ISP:
@anthonyh said in How to choose public DNS provider for an ISP:
@dashrender said in How to choose public DNS provider for an ISP:
@scottalanmiller said in How to choose public DNS provider for an ISP:
@dashrender said in How to choose public DNS provider for an ISP:
@travisdh1 said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
@nerdydad said in How to choose public DNS provider for an ISP:
@brianlittlejohn said in How to choose public DNS provider for an ISP:
You are going to use private IP addresses, so all of your subs will be double NAT'ed?
That's what I'm considering. What are the potential problems with this?
It will work for most things, but what if a sub wants incoming traffic?
I guess they can submit a request and I'll just forward it to their IP address only.
So long as your terms of service have the standard "You're not allowed to run a server" in them, who cares. Personally I'd like an online form I could fill out for any exceptions, even better to have it linked to in the TOS.
Most don't consider their using an Xbox as a server - not sure if it requires direct access or not? Just one consideration.
I don't know anyone opening ports for their Xbox to work.
It was a stab in the dark.
I know at one point in time under strict NAT scenarios Xbox Live is unhappy. It's possible a double NAT may anger it. I don't know if that's true today though.
It's amazing that it could fail under NAT; when would it ever be used without NAT?
I bet a while ago it really wanted to use UPnP to open ports, NAT be damned.