
desktop-x is assigned a private IP dynamically by DHCP

There are three options:

  1. When Active Directory is in use, workstations self-register by sending DNS "UPDATE" packets to the authoritative server (which is usually the AD domain controller).

    This is possible even without AD – but then you need to allow unauthenticated updates, or set up custom update methods. AD just automates it using Kerberos (i.e. GSS-TSIG).

  2. When DHCP is in use, most workstations will report their hostname in the DHCP request packet. The DHCP server will then contact the authoritative DNS server (quite possibly using the same DNS "UPDATE", as isc-dhcpd does) to insert the hostname into DNS.

    This is exactly how local hostnames (.lan/.home domains) are implemented in consumer routers.

  3. Finally, the DNS mappings may be added manually, if the DHCP server has manually configured leases for all machines, issuing them static addresses.

    (Nowhere in DHCP does it say that addresses must be temporary, random, or private. A static lease assigning a global address is perfectly valid.)

Provided the DNS server keeps track of (hostname=>ip address) somehow, then why can't I ping the same machine from outside the network with "ping desktop-x.company-x.com"?

Sometimes you can.

The usual reasons why it won't work for most domains:

  1. The machines have private (RFC1918) IPv4 addresses, which are unreachable outside the site – the Internet has no route for them.

    This is usually, but not always, the case. Some organizations have massive pools of global IPv4 addresses (e.g. MIT had a /8) and every machine can get one. And some organizations run IPv6, in which every machine always gets one.

  2. The network is behind a firewall which blocks incoming connections.

    This is a must if the machines have global addresses (regardless of IP version). Quite important even if the addresses are private (behind a NAT), even though people tend to confuse this with the NAT itself.

  3. The machines have local (host) firewalls which block incoming connections, or just specifically incoming ICMP pings.

    This is the default on standalone Windows systems: they only accept pings from their local subnet and drop them from anywhere else.

  4. The DNS domain has multiple views: internal queries see different mappings than the general public does. Often the "public" view doesn't have internal hosts at all.

    (This is not a standard DNS feature, but many authoritative servers such as Bind implement it – by checking the source IP of the query.)

grawity_u1686
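As an added illustration of the points above (authenticated vs. unauthenticated DNS "UPDATE", the DHCP server as the updater, and per-source-IP views in Bind), here is a named.conf fragment. It is not from the original answer; the zone company-x.com comes from the question, while the address ranges, key name and file paths are assumptions.

```conf
// BIND named.conf fragment (added example, not the answer's own config).
// Hypothetical zone company-x.com; networks, key name and paths are assumed.

// Who counts as "inside": only these source addresses get the internal view.
acl "internal-nets" { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; localhost; };

// TSIG key shared with the DHCP server (e.g. isc-dhcpd), so that the
// DNS UPDATE messages it sends are authenticated, not anonymous.
// Generate a real one with: tsig-keygen dhcp-update-key
key "dhcp-update-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real key
};

view "internal" {
    match-clients { "internal-nets"; };    // selected by the query's source IP
    recursion yes;

    zone "company-x.com" {
        type master;
        file "zones/company-x.com.internal";

        // Weak: "unauthenticated updates" -- anyone who can reach port 53
        // may add or overwrite any record in the zone.
        // allow-update { any; };

        // Hardened: only the holder of the DHCP key may change A/AAAA
        // records below the zone apex; SOA, NS, MX etc. stay static.
        update-policy {
            grant "dhcp-update-key" zonesub A AAAA;
        };
    };
};

view "external" {
    match-clients { any; };                // everyone else, i.e. the Internet
    recursion no;

    // Public view: a separate, static zone file listing only the hosts the
    // world should see. desktop-x is absent here, so an outside
    // "ping desktop-x.company-x.com" gets NXDOMAIN regardless of firewalls.
    zone "company-x.com" {
        type master;
        file "zones/company-x.com.external";
        // No allow-update / update-policy: dynamic updates are refused.
    };
};
```

Once views are used, every zone must live inside a view, and the internal-side zone file grows at runtime from DHCP-driven updates while the external file is edited only by hand.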

