DMZ DNS help


Andrew

I posted a day or two ago about this same issue and have
had some progress since, but still have some questions.

I have a DNS server in our dirty DMZ. Our ISP hosts 3
domain names for us: www.domaina.com, www.domainb.com,
demo.domaina.com.

Their DNS entries for those domain names point to the IP
of our DNS server in the dirty DMZ. Our DNS server, in
turn, points to the web server that hosts these 3 sites on
the protected DMZ. I have set up 2 zones on that DNS
server: domaina.com and domainb.com. On domaina.com, I
created two host records, "www" and "demo". On
domainb.com, I created one host record, "www". All of
these records point to the IP address of the web server's
NIC card.

IIS is also installed on this DNS server because it is
also handling SMTP forwarding.

Whenever someone from the outside types in one of the
URL's, it says that the page is under construction or that
there is no default web page. Why is it doing this? I am
under the impression that it should be forwarding those
DNS queries to the web server. Am I missing something
within the configuration of IIS on the web server or IIS
on the DNS server?

The websites work fine from the inside when we type
http://<servername>/.

I'm new to DNS and I'm stumped. Any help would be
appreciated. Thanks.
 
It sounds as though you may be using IP and/or
host header discrimination in IIS to determine
which web site to present. If so, that configuration
is likely your problem, not DNS -- which sounds as
though it is configured just fine.

DNS does not -- to be really specific -- "forward" anything.
It is a service that translates a name to an IP address and that's about
it. That IP address in turn is what is used by the browser client to
contact the appropriate web server. However, the http information that
is sent also contains the complete host name string, which is what is
used by host header discrimination, and that is why I would
guess that may be your problem.

If that isn't it, try accessing the website by IP address rather
than by name, and see what you get. That takes DNS out
of the equation.

Steve Duff, MCSE
Ergodic Systems, Inc.
 
Before I start looking at the headers, I will tell you
that I can not access the websites by IP address either.

We are using a PIX to separate the DNS and web server.

I can telnet using port 80 to the public IP address on the
PIX that is being statically mapped to the web server IP
though, so it should be working fine.

This web server has two NIC interfaces. One NIC is
assigned a DMZ subnet IP, and the other one is assigned an
internal network IP so our inside users can access it.

It's weird. From an inside host, if I type
www.domaina.com nothing comes up. But if I type
demo.domaina.com, it actually works. I have no idea what
is happening.

On the web server, what should the IP address in the IIS
properties for each site list: the internal NIC address,
or the DMZ NIC address? Right now, it is assigned the
internal NIC address. If I change that to the DMZ NIC
address, my internal users can't access the websites.

 
Andrew said:
OK, I made sure that the web site location properties for
the domaina.com and the domainb.com websites say "all
unassigned". For the demo.domaina.com website, I gave it
the IP address of the DMZ subnet (because only people from
the outside need to access that) and that works fine. The
regular domaina.com and domainb.com websites still do not
work though.

Also, I want my internal users to be able to access
www.domaina.com from the inside so I created a forward
lookup zone on our internal dns server and created a www
host and pointed it to the internal nic address of the web
server.

When I go to a browser from a machine on the inside and
type www.domaina.com, nothing comes up. What am I doing
wrong?

Are your internal machines pointing to this DNS server only?
Do an ipconfig /flushdns and try again.
 
If I understand correctly, you have two sites
(presumably both running on port 80) with
"all unassigned". So my question would be: which
one is supposed to come up? Who knows. Certainly not IIS.

You just have to approach this problem bottom up. Turn
down all the sites but one (domaina.com). Assign that site
a given IP on both the LAN >and< WAN sides (you can assign
multiple IP identities in the "Advanced" settings).
Once you have that working and can access by IP on
both sides, then make sure you can access by DNS name
on both sides. This latter step should really be trivial at
this point.

Now move on to the second site (domainb.com). Turn it up
too, give it a different pair of LAN/WAN IPs and
do the same thing. Make sure both sites are working before
you move on to #3. The third site should be no different.

If you don't have distinct IPs available on both sides
then you MUST have some other way to discriminate which
site to activate based on the incoming HTTP. You can use
a different port (not exactly advisable for public sites),
you can use host header discrimination (which works fine but
can be a little tricky to finesse all the combinations browsers
can use). Or you can program the PIX to do magic for you --
such as port translation.

Steve Duff, MCSE
Ergodic Systems, Inc.
 
I was under the impression that "all unassigned" meant
that website was available out all interfaces.

So if I did that on both websites, then both of those
websites would be available from the same IP, right?
Because the host header for each web site
is "www.domain.com". That was my understanding of how it
worked.
 
"All unassigned" means that any http traffic to any IP on
the server that isn't slotted to a specific site by IP address
will go to that site. Having two such sites thus is not
generally useful.

IOW you CAN'T (sensibly) have two websites on the same
IP >unless< you distinguish by port number or host header.
Port numbers are almost never useful for public sites.

Which takes us back to the beginning: If you are using host
headers, I am pretty sure that is your problem -- they can be
tricky. You need to put in and test all the variations of primary
hostname prefix strings that people can use to get to that
website -- otherwise the traffic will be directed to the default
site on that IP, or to no site at all if there is no site in IIS that
matches up with the request.

I recommend the latter BTW -- that is to say, no default site.
Otherwise if the header-specific website is down or too slow
to respond, people can erroneously get your default site
when they've (implicitly) requested the header-specific one.
This can be very baffling.

Steve Duff, MCSE
Ergodic Systems, Inc.
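The two points Steve makes in this thread (that DNS only turns a name into an IP while the name itself travels in the HTTP Host header, and that two "All Unassigned" sites on one port leave IIS nothing to discriminate on) can be seen in a small model. The code below is an added example written for this thread; it is neither the poster's configuration nor Microsoft's code, and the IP addresses, site names and bindings are constructed to mirror the situation described. The precedence rule (exact IP binding beats "All Unassigned", a matching host header beats a header-less binding) is a simplification of IIS 6 site selection; where real IIS would refuse to start a second site with identical bindings, this model reports the clash as "ambiguous".

```python
"""Model of how a web server with IIS-style bindings picks a site.

Added example for this thread, not the poster's configuration or
Microsoft's code. Every address, site and binding below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

ALL_UNASSIGNED = None  # the "(All Unassigned)" IP choice in the IIS site properties


@dataclass(frozen=True)
class Binding:
    ip: Optional[str]            # None means All Unassigned
    port: int
    host_header: Optional[str]   # None means no host header is required


@dataclass
class Site:
    name: str
    bindings: List[Binding]


def http_request(host_name: str, path: str = "/") -> bytes:
    """Bytes a browser sends. The name the user typed travels in the Host
    header no matter which IP address DNS handed back."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host_name}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def parse_host_header(raw_request: bytes) -> Optional[str]:
    """Return the Host header value (lower-cased, port stripped), or None
    when the request carries none (for example a bare HTTP/1.0 request)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().lower().split(":")[0] or None
    return None


def select_site(sites: List[Site], dest_ip: str, dest_port: int,
                raw_request: bytes) -> str:
    """Return the chosen site's name, or a string saying why none was chosen.

    A binding on the exact destination IP outranks All Unassigned, and a
    binding that matched the Host header outranks one that required none.
    """
    host = parse_host_header(raw_request)
    ranked = []
    for site in sites:
        for b in site.bindings:
            if b.port != dest_port:
                continue
            if b.ip is not None and b.ip != dest_ip:
                continue
            if b.host_header is not None and b.host_header.lower() != host:
                continue
            ranked.append(((b.ip is not None, b.host_header is not None), site.name))
    if not ranked:
        return f"no site: ip={dest_ip} host={host!r}"
    best = max(score for score, _ in ranked)
    winners = sorted({name for score, name in ranked if score == best})
    if len(winners) > 1:
        return "ambiguous: " + ", ".join(winners)
    return winners[0]


DMZ_IP, LAN_IP = "192.0.2.10", "10.0.0.10"   # constructed addresses for the two NICs

# Constructed approximation of the configuration described in the thread:
# two sites on All Unassigned with no host header, demo bound to the DMZ IP.
AS_POSTED = [
    Site("domaina", [Binding(ALL_UNASSIGNED, 80, None)]),
    Site("domainb", [Binding(ALL_UNASSIGNED, 80, None)]),
    Site("demo",    [Binding(DMZ_IP, 80, None)]),
]

# Constructed configuration following the advice in the thread: a host header
# for every name variant users may type, and no header-less default site.
WITH_HOST_HEADERS = [
    Site("domaina", [Binding(ALL_UNASSIGNED, 80, "www.domaina.com"),
                     Binding(ALL_UNASSIGNED, 80, "domaina.com")]),
    Site("domainb", [Binding(ALL_UNASSIGNED, 80, "www.domainb.com"),
                     Binding(ALL_UNASSIGNED, 80, "domainb.com")]),
    Site("demo",    [Binding(DMZ_IP, 80, "demo.domaina.com")]),
]

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("host headers", WITH_HOST_HEADERS)):
        for name, ip in (("www.domaina.com", LAN_IP), ("www.domaina.com", DMZ_IP),
                         ("demo.domaina.com", DMZ_IP), ("intranet", LAN_IP)):
            print(f"{label:13} {name:17} -> {ip:11} : "
                  f"{select_site(cfg, ip, 80, http_request(name))}")
```

Running it shows the symptom from the thread: with the as-posted bindings a request for www.domaina.com is ambiguous between domaina and domainb on either NIC, while demo.domaina.com works on the DMZ IP because its exact-IP binding wins. With host headers every name resolves to one site, and a name no site lists (or a request with no Host header at all) gets no site rather than silently landing on a default one, which is the behaviour Steve recommends.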
 