DNS A record has local IP NAT to a global ip, does it work??

Joe M · Nov 26, 2003

Hi, I have two DNS servers with internal ip addresses of 192.168.100.50
and 192.168.100.60. They are NAT to global ip addresses eg, 203.145.145.145
and 203.145.145.148 and the web server is 192.168.100.70 NAT to global ip
203.145.145.200 . My domain name is eg. www.mydomain.com. Whenever I ping
www.mydomain.com . The ip address returned is 192.168.100.70 for the
server instead of the required 203.145.145.200. Therefore my webserver is
still not working. Even when I ping my DNS servers ns1.mydomain.com,
ns2.mydomain.com, the private LAN addresses 192.168.100.60, 192.168.100.70
are returned and not the required global addresses. What's the fix to get
the web server to return the global ip address instead of the internal LAN
address.

Kevin D. Goodknecht [MVP] · Nov 26, 2003

In

Joe M said:
Hi, I have two DNS servers with internal ip addresses of
192.168.100.50 and 192.168.100.60. They are NAT to global ip
addresses eg, 203.145.145.145 and 203.145.145.148 and the web server
is 192.168.100.70 NAT to global ip 203.145.145.200 . My domain name
is eg. www.mydomain.com. Whenever I ping www.mydomain.com . The
ip address returned is 192.168.100.70 for the server instead of the
required 203.145.145.200. Therefore my webserver is still not
working. Even when I ping my DNS servers ns1.mydomain.com,
ns2.mydomain.com, the private LAN addresses 192.168.100.60,
192.168.100.70 are returned and not the required global addresses.
What's the fix to get the web server to return the global ip address
instead of the internal LAN address.

Do you have an Active Directory domain?
Is the public domain name also the name of your active directory domain?
Is the www record an A record or an Alias (CNAME) record?

Ace Fekay [MVP] · Nov 26, 2003

In

Joe M said:
Hi, I have two DNS servers with internal ip addresses of
192.168.100.50 and 192.168.100.60. They are NAT to global ip
addresses eg, 203.145.145.145 and 203.145.145.148 and the web server
is 192.168.100.70 NAT to global ip 203.145.145.200 . My domain name
is eg. www.mydomain.com. Whenever I ping www.mydomain.com . The
ip address returned is 192.168.100.70 for the server instead of the
required 203.145.145.200. Therefore my webserver is still not
working. Even when I ping my DNS servers ns1.mydomain.com,
ns2.mydomain.com, the private LAN addresses 192.168.100.60,
192.168.100.70 are returned and not the required global addresses.
What's the fix to get the web server to return the global ip address
instead of the internal LAN address.

You'll need a separate DNS server to host public IPs. You cannot mix private
and public IPs (which you are referring to as "global" IPs) on the same DNS
server, or results such as what you're experiencing will occur. It's just
one of those stipulations...

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

Dodo · Nov 26, 2003

Delete the forward lookup zones, www.mydomain.com and mydomain.com. Create a
new forward lookup zone called mydomain.com -do not allow dynamic updates-
and add the following resource records:
name type value
same as parent a 203.145.145.200
www cname mydomain.com.

Michael Johnston [MSFT] · Nov 26, 2003

Make sure the "www" record on has the external IP address listed. Do the same for the NS records too. If the zone is AD
integrated, you will need to change it to standard primary on one of the DNS server and setup a secondary on the other. DNS
servers with AD integrated zones will automatically populate all their records in the zone, causing the private addresses to be
listed.

Thank you,
Mike Johnston
Microsoft Network Support
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the
terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from
which they originated.

Dodo · Nov 26, 2003

The following may not look right if you view it as plain text.

I think you'll be better off with a configuration like this:

203.145.145.145 primary dns server 10.0.0.3-------------
/ \
WAN-switch-203.145.145.200 secondary dns/rras server 10.0.0.1-switch-10.0.0.4 router 192.168.100.1-LAN
\ /
203.145.145.148 web server 10.0.0.2---------------------

Interfaces that should be firewalled:
203.145.145.145
203.145.145.148
203.145.145.200
10.0.0.4

If you want an internal DNS you can install DNS on the web server or place one on a static IP anywhere within the LAN.

What is the brand/model of your router?

Joe M · Nov 26, 2003

I've got a Cisco 1605R router.

The following may not look right if you view it as plain text.

I think you'll be better off with a configuration like this:

203.145.145.145 primary dns server 10.0.0.3-------------
/ \
WAN-switch-203.145.145.200 secondary dns/rras server 10.0.0.1-switch-10.0.0.4 router 192.168.100.1-LAN
\ /
203.145.145.148 web server 10.0.0.2---------------------

Interfaces that should be firewalled:
203.145.145.145
203.145.145.148
203.145.145.200
10.0.0.4

If you want an internal DNS you can install DNS on the web server or place one on a static IP anywhere within the LAN.

What is the brand/model of your router?

Joe M · Nov 26, 2003

Yes my Active directory Domain is eg.. mydomain.local.
No, the public domains are standard primary and there's 3 of them.
mydomain.net
mydomain.com
mydomain.org

This is how I typically set entries in one of them, it works
intermittently..

same as parent soa june.mydomain.net
same as parent ns june.mydomain.net
june A 192.168.100.60
june A 203.145.145.145
surfer A 192.168.100.70
surfer A 203.145.145.200
www alias june.mydomain.net (the 203.145.145.200 entry)

It's works intermittently. I want my DNS to support all 3 + more domain
names.

Ace Fekay [MVP] · Nov 27, 2003

In

Joe M said:
Yes my Active directory Domain is eg.. mydomain.local.
No, the public domains are standard primary and there's 3 of them.
mydomain.net
mydomain.com
mydomain.org

This is how I typically set entries in one of them, it works
intermittently..

same as parent soa june.mydomain.net
same as parent ns june.mydomain.net
june A 192.168.100.60
june A 203.145.145.145
surfer A 192.168.100.70
surfer A 203.145.145.200
www alias june.mydomain.net (the 203.145.145.200
entry)

It's works intermittently. I want my DNS to support all 3 + more
domain names.

Your mixed private and public IPs in your zone just confirms what I
mentioned. You cannot mix these up in a zone or you will get the
undesireable effects you're experiencing. You'll have to separate them on
separate DNS servers. No real way around this, especially if the internal
servers are needed for AD. If not needed for AD, you'll still need two, one
for public data, one for private data or the internal folks will get an
external IP that is your NAT's WAN IP, which the NAT device will NOT send
the traffic back in so they won;'t be able to get to the web page.

They (either internal or external users) can get lucky due to Round Robin
functionality where it may just happen to give them the internal IP to get
to the internal site or the external IP to the external users. But it's a
50-50 shot. So they're either getting the private IP or public, so about 50%
of Internet users will get the public IP, the other 50% will get the private
IP, which would be useless to them.

Seaparate DNS servers...

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

Joe M · Nov 27, 2003

Thanks Ace,
How do I get the public DNS and private DNS to link to each other?
I presume this is how I would set up the two DNS servers.
Does the public DNS server must have a public ip for it's network card??
203.145.145.145 or I can still use NAT ,203.145.145.145 NAT
192.168.100.60.
On my public DNS server ns1.mydomain.net the
eg. same as parent soa june.mydomain.net
same as parent ns june.mydomain.net
same as parent ns july.mydomain.net
july A 192.168.100.50
june A 203.145.145.145
surfer A 203.145.145.200
www alias surfer.mydomain.net

I presume my private DNS server would be
same as parent soa july.mydomain.net
same as parent ns june.mydomain.net
same as parent ns july.mydomain.net
june A 192.168.100.60
july A 192.168.100.50
surfer A 192.168.100.70
www alias surfer.mydomain.net

Are these correct? If not please correct it.

"Ace Fekay [MVP]"

Ace Fekay [MVP] · Nov 27, 2003

In

Joe M said:
Thanks Ace,
How do I get the public DNS and private DNS to link to each other?

No linking here, or I don't understand your use of the word.

Maybe you mean:
To ensure AD functionality and efficient Internet resolution, make sure all
your internal machines (DCs and clients alike) only point to the private DNS
in their IP properties. Don't point it the public DNS server or the ISP's in
their IP properties. In the private DNS server, configure a forwarder to the
ISP or the "public" DNS server. I normally choose the ISP to eliminate the
hop since most queries are going outbound anyway and your users are NOT
always going to the internal website. You can also choose the "public" DNS
server for the forwarder.

I presume this is how I would set up the two DNS servers.
Does the public DNS server must have a public ip for it's network
card??

No it doesn't. That would cause it to miscommunicate on your network.

203.145.145.145 or I can still use NAT ,203.145.145.145 NAT

192.168.100.60.

Both servers would only require the private IP in their NICs, not the public
IP. Port remap UDP and TCP to the "public" server.

On my public DNS server ns1.mydomain.net the
eg. same as parent soa june.mydomain.net
same as parent ns june.mydomain.net
same as parent ns july.mydomain.net
july A 192.168.100.50
june A 203.145.145.145
surfer A 203.145.145.200
www alias surfer.mydomain.net

In the above, remove:
july A 192.168.100.50
Also under the nameservers tab, you'll want to provide the name with it's
public IP and remove the private IP.

I presume my private DNS server would be
same as parent soa july.mydomain.net
same as parent ns june.mydomain.net
same as parent ns july.mydomain.net
june A 192.168.100.60
july A 192.168.100.50
surfer A 192.168.100.70
www alias surfer.mydomain.net

The above is fine for internal use.

Are these correct? If not please correct it.

You

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

DNS A record has local IP NAT to a global ip, does it work??

Joe M

Kevin D. Goodknecht [MVP]

Ace Fekay [MVP]

Dodo

Michael Johnston [MSFT]

Dodo

Joe M

Joe M

Ace Fekay [MVP]

Joe M

Ace Fekay [MVP]