On my home gateway/router, I have multiple services running on various ports (SSH, IP camera over HTTP, etc) exposed to the internet via port forwarding. I also use these services internally while on our home network as well. I would like to be able to only set up these connections once, say home.mydomain.com:9876 for our SSH, for both internal and external use, and have them both work. But I would also like for the traffic to remain internal if I am on the internal network, e.g. I know home.mydomain.com would resolve correctly from within the internal network, but I am assuming it would go out to public DNS servers and do this lookup, then connect outbound, then back inbound, to hit the router and be port forwarded correctly.

So I believe there are really two parts in play here, the DNS lookup and the port forwarding. How can I keep all of this internal, when on our private network at home?

I am assuming it would go out to public DNS servers and do this lookup, then connect outbound, then back inbound, to hit the router and be port forwarded correctly.

In this case, home.mydomain.com will resolve to your external IP. From inside that NAT the external IP will actually refer to the router itself. The router only performs address translation/port forwarding on incoming connections from the outside of the NAT. So you won't get a connection at all, just a RST from the router.

So I believe there are really two parts in play here, the DNS lookup and the port forwarding. How can I keep all of this internal, when on our private network at home?

One way to do this is to run your own recursive caching DNS resolver (such as BIND) on your internal network. Configure all clients on your internal network (using DHCP or manually) to query your DNS server instead of a public external one. BIND can be configured in a Split DNS configuration (see chapter 4.4 of the BIND ARM). In this configuration, BIND will forward all requests except ones for your internal domain (which it will answer with the internal addresses). The authoritative DNS zone for your domain (hosted on the internet somewhere) should still point to your home's external IP.

When you look up home.mydomain.com on an external DNS server you will receive the external IP of your router (which will port forward 9876 to the appropriate internal machine). However on your internal network, your DNS resolver will respond with a different IP address (192.168.0.x) and the connection will occur internally.

  • The router will work fine if NAT U-turning is enabled. You can also use a local hosts file on the computers behind the router if you don't want to go through the trouble of setting up your own DNS. Commented Jul 21, 2015 at 19:52
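The split DNS setup the answer describes, as an added example that is not part of the answer or of the BIND documentation: a minimal BIND 9 named.conf for an internal resolver on the gateway, plus the zone file it loads. Everything here is assumed for illustration: the LAN is 192.168.0.0/24, the gateway runs BIND on 192.168.0.1, the SSH host is 192.168.0.10, the upstream forwarder address 203.0.113.53 is a placeholder for your ISP's or a public resolver, and the file path /etc/bind/db.home.mydomain.com is hypothetical. Instead of shadowing all of mydomain.com, it defines a zone for the single name home.mydomain.com, so every other name under mydomain.com keeps forwarding to the public zone.

```conf
// /etc/bind/named.conf  (example, assumptions noted above)

// Addresses allowed to use this resolver. Restricting both queries and
// recursion to the LAN keeps the server from becoming an open resolver,
// which would otherwise be abusable for DNS amplification from the internet.
acl "lan" { 127.0.0.1; 192.168.0.0/24; };

options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; 192.168.0.1; };   // gateway's internal address only
    allow-query     { lan; };
    allow-recursion { lan; };
    forwarders { 203.0.113.53; };            // placeholder upstream resolver
    forward only;                            // never walk the roots ourselves
};

// The "internal" view is the split-horizon half seen by LAN clients.
// Names not covered by a zone in this view are forwarded upstream, so
// www.mydomain.com (hosted elsewhere) still resolves to its public address.
view "internal" {
    match-clients { lan; };
    recursion yes;

    // Authoritative only for the one name we want to override internally.
    zone "home.mydomain.com" {
        type master;
        file "/etc/bind/db.home.mydomain.com";
    };
};

// ---- /etc/bind/db.home.mydomain.com (zone file, hypothetical path) ----
// $TTL 300
// @     IN SOA  ns1.home.mydomain.com. hostmaster.mydomain.com. (
//               2015072101 ; serial
//               3600       ; refresh
//               1800       ; retry
//               604800     ; expire
//               300 )      ; negative-cache TTL
// @     IN NS   ns1.home.mydomain.com.
// ns1   IN A    192.168.0.1      ; the gateway running BIND
// @     IN A    192.168.0.10     ; the SSH host's internal address
```

After loading it, `named-checkconf` and `named-checkzone home.mydomain.com /etc/bind/db.home.mydomain.com` validate the syntax, and `dig @192.168.0.1 home.mydomain.com A` from a LAN client should return 192.168.0.10 while the same query against a public resolver still returns the router's external IP. Two caveats worth checking: DNS only changes the address, not the port, so with this in place an internal client connecting to home.mydomain.com:9876 reaches 192.168.0.10:9876 directly, which means the SSH daemon must actually listen on 9876 (or the internal port must otherwise match the forwarded external port) for the one-config-for-both goal to hold; and because the view is authoritative for home.mydomain.com, any subdomains under that name must also be listed in the zone file or they will return NXDOMAIN rather than being forwarded.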
