0

In our Windows environment, our clients register their own DNS. We have local Windows DNS servers and a firewall that assigns a separate range for VPN connections.

Recently we have seen one of our machines register two listings in DNS - one in the correct range for VPN and one with a "100.91.47.x" IP address. Wikipedia lists this range as:

Used for communications between a service provider and its subscribers when using a carrier-grade NAT

The description for this doesn't make sense to me or why it would be happening. This address is not in any ranges we assign through DHCP and we've never seen it with any other machine before. The machine in question is a tablet with a 4G connection card, which may have something to do with it.

Any ideas why this machine is coming up twice in DNS with this second "100.x.x.x" IP address? Am curious to know the reason.

Matt8
  • Did you look at the tablet and see where it's getting the address from? It's almost certain to be the 4G interface Q.E.D. – user9517 Aug 19 '16 at 13:24
  • It's remote at the moment, so I haven't yet. I was trying to run a remote ipconfig but it's off the network at the moment so I can't. – Matt8 Aug 19 '16 at 13:27

2 Answers

1

There aren't enough IPv4 addresses.

There haven't been enough for a long time, so NAT was deployed. Your PC doesn't get a public address, your internet router does and your PC shares its address. The address your PC gets is normally from the RFC1918 private address ranges:

192.168.0.0/16
172.16.0.0/12
10.0.0.0/8

Those addresses aren't globally unique and can each be used by multiple devices as long as they're on separate private networks, so problem solved, at least until we get everyone on IPv6. But that turns out to be taking a long time and in the meantime everybody in the world wants a mobile phone, each with an address from the ISP. There are around four billion IPv4 addresses and more than seven billion people, so that's not possible.

As a result carriers are having to do the same thing and NAT the phones. But they can't use RFC1918 addresses because they could conflict with what's being used by the customer, so they asked for their own address range to do that with. It looks like that 4G provider is using them.

zrm
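An added example, not part of the answer above: a check over exported DNS A records that flags hosts registering an address outside the ranges you assign, and labels RFC 6598 shared address space (100.64.0.0/10, the carrier-grade NAT range the question quotes) separately from RFC1918. The host names, the expected VPN/DHCP ranges and the last octet of the 100.91.47.x address are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
# Python's ipaddress reports it as neither is_private nor is_global.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC1918 private ranges, as listed in the answer above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed ranges this site hands out (hypothetical values).
EXPECTED = ["10.50.0.0/24",      # VPN pool assigned by the firewall
            "192.168.10.0/24"]   # internal DHCP scope

# Constructed sample of (hostname, A record) pairs exported from the zone.
SAMPLE_RECORDS = [
    ("laptop01.corp.example", "192.168.10.44"),
    ("tablet07.corp.example", "10.50.0.23"),
    ("tablet07.corp.example", "100.91.47.10"),
]

def classify(addr, expected_nets):
    """Label one registered IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in expected_nets):
        return "expected"
    if ip in CGNAT:
        return "cgnat"                 # likely a carrier-facing interface
    if any(ip in net for net in RFC1918):
        return "rfc1918-unassigned"    # private, but not a range we hand out
    return "other"

def audit(records, expected_cidrs):
    """Return {host: [(addr, label), ...]} for hosts with any unexpected record."""
    nets = [ipaddress.ip_network(c) for c in expected_cidrs]
    by_host = {}
    for host, addr in records:
        by_host.setdefault(host.lower(), []).append((addr, classify(addr, nets)))
    return {h: recs for h, recs in by_host.items()
            if any(label != "expected" for _, label in recs)}

if __name__ == "__main__":
    for host, recs in audit(SAMPLE_RECORDS, EXPECTED).items():
        for addr, label in recs:
            print(f"{host}\t{addr}\t{label}")
```
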
0

Sounds like a NAT & firewall policy that's set to allow "any" in from the VPN when it really shouldn't. When the firewall policy allows the source of "any" through the firewall, its NAT'd address will be allowed to go through as well once it's authenticated and will show up in DNS as an option because it hit the server prior to the NAT taking place, but Layer 3 doesn't exist as far as routing to that 100.x address, so it's not a huge deal.