dns + firewall?

Eric

This is probably stupid, but we have a network with a firewall where the
web server is an IIS/Win 2k which is on the dmz. Everything works fine
*except* for the internal computers where we have a problem with the domain.
Normally it's www.company.com, we have an alias that's lan.company.com
created with an alias that works but we would like to use the regular
www.spider.se. The reason is that every webpage we create from the "inside"
can't use the same absolute links as from the "outside" which is disturbing.

I *think* you can do some sort of forwarding thing in the Win 2k DNS to fix
this but I don't know how.

Any ideas?

/e
 
Eric said:
This is probably stupid, but we have a network with a firewall where the
web server is an IIS/Win 2k which is on the dmz. Everything works fine
*except* for the internal computers where we have a problem with the domain.
Normally it's www.company.com, we have an alias that's lan.company.com
created with an alias that works but we would like to use the regular
www.spider.se. The reason is that every webpage we create from the "inside"
can't use the same absolute links as from the "outside" which is
disturbing.

It's not a stupid question, but it isn't exactly clear where the
problem is, or what you wish to accomplish that you cannot.

What is your internal domain name?

Do you have separate internal and external DNS servers?
I *think* you can do some sort of forwarding thing in the Win 2k DNS to fix
this but I don't know how.

The standard method is for all of the INTERNAL machines
to be DNS clients of the internal DNS.

The internal DNS then forwards to the ISP or the DMZ/firewall
DNS server which handles all public zone resolution.


Internal DNS:
1) Dynamic for the zone supporting AD
2) All internal DNS client NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC.
 
Ok! I really suck at this so slow and easy please. :-/

We have a firewall (linux) that does a portforward on port 80 to the dmz
win 2k-machine where the web and the DNS are located. The rest of the
computers are "inside" the firewall, including the "main Win 2k computer" to
which all the work stations log on.

Everything works fine, external computers can access the dmz win 2k-machine
web fine, we can access the net from the inside, *but* we can only use the
address lan.company.com (or some alias) to access the dmz win 2k-machine
web from the inside and *not* www.company.com. And that creates problems
when we want to update our site and use absolute addresses.

Don't know if I made it clearer...:-/

/e
 
Eric said:
Ok! I really suck at this so slow and easy please. :-/

We have a firewall (linux) that does a portforward on
port 80 to the dmz win 2k-machine where the web and the
DNS are located. The rest of the computers are "inside" the
firewall, including the "main Win 2k computer" to which
all the work stations log on.

Everything works fine, external computers can access the
dmz win 2k-machine web fine, we can access the net from
the inside, *but* we can only use the address
lan.company.com (or some alias) to access the dmz win
2k-machine web from the inside and *not*
www.company.com. And that creates problems when we want
to update our site and use absolute addresses.

Can I assume that all users are using only the Win2k that is _NOT_ in the
DMZ for DNS?
Local computers will not be able to use the DNS in the DMZ for DNS because,
if I'm getting the picture right, it has public DNS zones.
That being said, in the DNS server for the internal LAN, create a zone named
company.com, with records for www and or whatever with the private IP of the
webserver in the DMZ.
If www.company.com is the only name you need to access on the DMZ server, I
would create a zone for that name (www.company.com), then create a blank
host with the IP of the web server in the DMZ, this will prevent the local
DNS from intercepting names that can be accessed from inside the LAN by the
public addresses.
 
Eric said:
Ok! I really suck at this so slow and easy please. :-/

No problem - in fact if you work with me (especially) you
will find I continuously encourage "BE SPECIFIC", SIMPLIFY,
DIVIDE and CONQUER to solve 'hard problems.'
We have a firewall (linux) that does a portforward on port 80 to the dmz
win 2k-machine where the web and the DNS are located.

The DNS for the public resolution from the Internet?
(If so, this would better be placed at the "Registrar" but for now
let's continue.)

If you are mixing Public and Private DNS on one server (and
are not a true expert) then you are just asking for trouble - that
is ALMOST UNWORKABLE.
The rest of the
computers are "inside" the firewall, including the "main Win 2k computer" to
which all the work stations log on.

Everything works fine, external computers can access the dmz win 2k-machine
web fine, we can access the net from the inside, *but* we can only use the
address lan.company.com (or some alias) to access the dmz win 2k-machine
web from the inside and *not* www.company.com. And that creates problems
when we want to update our site and use absolute addresses.

What about the rest of the Internet? Can the internal users resolve those
names? If so you are likely using actual recursion or forwarding correctly
and the problem likely resides somewhere else.

You haven't explained clearly which is your INTERNAL zone/domain
name (lan.company.com?) and which is your EXTERNAL zone/domain
for the web server (company.com)?

Do you have a ZONE named "lan.company.com" or is that an alias
for www.company.com (the web server itself)?

If the latter, you likely don't have the PUBLIC resources listed (manually)
on the INTERNAL version of the zone/domain DNS servers.

Having separate DNS server (set) for internal/external DNS that use the
same zone/domain name is called "Shadow DNS" (aka: split DNS)
and requires that you add ALL of the external resources you wish internal
users to resolve to both the external AND the internal versions of the zone.

If you aren't using the same name, then you need to teach the internal
DNS servers how to resolve "the Internet" (external names) -- the
preferred way is to forward to an ISP (or intermediate firewall/DMZ
DNS) that resolves the public names.

Give the name of each zone
Explain where each zone is held (which servers/where located)
Explain how you resolve the Internet (if you can)
Explain any forwarding you use
Explain which DNS server(s) appear on all internal client (all machines
really)

Internal clients should use ONLY internal DNS servers (if you have
them, and you almost certainly SHOULD have them.)
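The two pieces of advice in this thread fit together: Herb's point that a "shadow" (split) zone must carry every public record that internal users need, and Kevin's suggestion to create a zone named exactly www.company.com with a blank host so the internal server only overrides that one name. The following small resolver model is an added example and not code from the thread or from Windows DNS; all zone names, addresses and the forwarding behaviour are constructed sample values, and it shows why the narrow zone behaves better than a company.com zone that holds only the www record.

```python
"""Model of the split-DNS ("shadow DNS") setup discussed in the thread.

Constructed example: the zone data, names and addresses are assumed sample
values, not the poster's real configuration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# What the Internet sees (constructed sample data). The www address is the
# firewall's public address, which port-forwards 80 to the DMZ web server.
PUBLIC_RECORDS: Dict[str, str] = {
    "www.company.com": "203.0.113.10",
    "mail.company.com": "203.0.113.20",
    "www.example.net": "198.51.100.5",
}

# Assumed private address of the DMZ web server as reached from the LAN.
PRIVATE_WEB_IP = "10.0.0.80"


@dataclass
class Zone:
    """An authoritative zone held on the internal DNS server."""
    name: str                                        # zone apex, e.g. "www.company.com"
    records: Dict[str, str] = field(default_factory=dict)  # owner name -> IPv4


class InternalResolver:
    """Internal DNS: authoritative for its own zones, forwards everything else."""

    def __init__(self, zones: List[Zone], forwarder: Callable[[str], Optional[str]]):
        self.zones = {z.name: z for z in zones}
        self.forwarder = forwarder

    def _authoritative_zone(self, qname: str) -> Optional[Zone]:
        # Longest-suffix match: the most specific zone that encloses qname wins.
        labels = qname.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return self.zones[candidate]
        return None

    def resolve(self, qname: str) -> Optional[str]:
        zone = self._authoritative_zone(qname)
        if zone is not None:
            # We are authoritative: a missing name is NXDOMAIN (None) and is
            # never forwarded, which is the "intercepting" Kevin warns about.
            return zone.records.get(qname)
        # Not our zone: forward to the ISP / DMZ resolver for public names.
        return self.forwarder(qname)


def public_forwarder(qname: str) -> Optional[str]:
    """Stand-in for the ISP or DMZ DNS server that resolves public names."""
    return PUBLIC_RECORDS.get(qname)


def narrow_zone_resolver() -> InternalResolver:
    """Kevin's suggestion: a zone named exactly www.company.com with a blank
    host (the record at the zone apex) pointing at the private web server."""
    zone = Zone("www.company.com", {"www.company.com": PRIVATE_WEB_IP})
    return InternalResolver([zone], public_forwarder)


def broad_zone_resolver() -> InternalResolver:
    """A company.com shadow zone holding only the www record: every other
    public name under company.com must be copied in or it becomes NXDOMAIN."""
    zone = Zone("company.com", {"www.company.com": PRIVATE_WEB_IP})
    return InternalResolver([zone], public_forwarder)


if __name__ == "__main__":
    for label, resolver in (("narrow", narrow_zone_resolver()),
                            ("broad", broad_zone_resolver())):
        for name in ("www.company.com", "mail.company.com", "www.example.net"):
            print(f"{label:6} {name:18} -> {resolver.resolve(name)}")
```

With the narrow zone, www.company.com resolves to the private DMZ address from inside while mail.company.com and unrelated Internet names still go out through the forwarder. With the broad company.com zone, mail.company.com is answered authoritatively as NXDOMAIN unless every public record is duplicated internally, which is the maintenance burden Herb describes for shadow DNS.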
 
Can I assume that all users are using only the Win2k that is _NOT_ in the
DMZ for DNS?

eh? they are using computers/workstations that's not in the dmz. and they
logon to the computer that's not in the dmz.
Local computers will not be able to use the DNS in the DMZ for DNS because,
if I'm getting the picture right, it has public DNS zones.
That being said, in the DNS server for the internal LAN, create a zone named
company.com, with records for www and or whatever with the private IP of the
webserver in the DMZ.
If www.company.com is the only name you need to access on the DMZ server, I
would create a zone for that name (www.company.com), then create a blank
host with the IP of the web server in the DMZ, this will prevent the local
DNS from intercepting names that can be accessed from inside the LAN by the
public addresses.

let's see now. I created a new zone called www.company.com. there I created
a blank host with the same IP as the DNS/web. but njet... :/

/e
 
ha!! U r the king! Now it worked! Thank you, this has been a pain in the
butt for some time now!!

:))))

/e
 
Hi Herb!

I put together a *fat* answer to you, but then all of a sudden Kevins
solution made it. Thanks for your help, really appreciate it!

:)

/e
 
Eric said:
ha!! U r the king! Now it worked! Thank you, this has
been a pain in the butt for some time now!!

You probably had to wait for the negative answer TTL to expire in the Client
DNS cache, ipconfig /flushdns would have made it work immediately.
 
Sigh... It seems that that DNS also is the primary DNS and if you add the
www.company.com zone it sends out a change to the internet DNS servers and
then you can't reach the site from the outside... :/

Any thoughts?

/e
 
Eric said:
Sigh... It seems that that DNS also is the primary DNS and if you add
the www.company.com zone it sends out a change to the internet
DNS servers and then you can't reach the site from the outside... :/

Any thoughts?

/e

Apparently you are hosting external data on an internal machine. This is not
wise; it is suggested to use separate physical DNS servers, one for the
internal namespace, one for the external namespace. Do not mix private and
public data. Lanwench gave you a great response based on this in that other
new thread you started.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Eric said:
Sigh... It seems that that DNS also is the primary DNS and
if you add the www.company.com zone it sends out a change
to the internet DNS servers and then you can't reach the
site from the outside... :/

Any thoughts?

What in the world? Are you trying to run the same DNS data for both internal
and external resolution?
 
ok, we changed some pointers in the firewall and now it seems to be working.
thanks for everyone's help, really appreciating it!

/e
 
Eric said:
ok, we changed some pointers in the firewall and now it seems to be
working. thanks for everyone's help, really appreciating it!

/e

Glad you got it fixed.
 