DNS for internal and public net

[news.microsoft.com]

If i configured SBS when I installed AD with "xyz.local" domain name could I
run a DNS for the real domain xyz.com?
Now I use tcp-ip, DHCP and DNS for internal network; ISA proxy and firewall
for Internet and filtering. They run ok.
Now I want www.xyz.com and I want to configure the Exchange Server. Is it
possible?

Thanx for any help.

 

[Ace Fekay [MVP]]

In

If i configured SBS when I installed AD with "xyz.local" domain name
could I run a DNS for the real domain xyz.com?
Now I use tcp-ip, DHCP and DNS for internal network; ISA proxy and
firewall for Internet and filtering. They run ok.
Now I want www.xyz.com and I want to configure the Exchange Server.
Is it possible?

Thanx for any help.

You'll need a separate DNS server for the public records. Maybe you can get
another box internally, configure DNS on it, port remap (or publish in ISA)
the DNS server (ports UDP and TCP 53).

Can't mix public and private data on a DNS.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[news.microsoft.com]

What do you mean "Maybe you can get another box internally"?
port remap the new DNS server why?

And why we can't mix public and private data on a DNS.

Regards,
Mircea

"Ace Fekay [MVP]"

 

[Kevin D. Goodknecht [MVP]]

In

What do you mean "Maybe you can get another box internally"?
port remap the new DNS server why?

And why we can't mix public and private data on a DNS.

If it is the same zone you cannot, if you host the public xyz.com zone and
its web site are also hosted locally you will not be able to access its web
sites by their public addresses. You are going to need one DNS server for
the local machines to use and one DNS for the rest of us who are not behind
your router and cannot access your web sites and or mail servers by the
private addesses.

So now you say why can't I put two records of the same name in the same zone
one with a private address and one with a public address?
Do you have some way of controlling which record gets handed out to who?

Do you think we are telling you this for some other reason than what we are
telling you?
It is not like we are going to sell you another machine or even care if you
get one. You need two DNS servers minimum. Actually you need three minimum
because you need two for your public DNS, that is the minimum required. But
I realized that you can point two IP addresses at the same DNS server and
nobody will know but you.

 

[Ace Fekay [MVP]]

In

What do you mean "Maybe you can get another box internally"?
port remap the new DNS server why?

And why we can't mix public and private data on a DNS.

Regards,
Mircea

If you look a few threads below this post to a thread called:
DNS A record has local IP NAT to a global ip, does it work??

I posted an explanation. I will re-post it here for your convenience, but I
would urge you to read the whole thread.

<start of post>
===========================
In

Yes my Active directory Domain is eg.. mydomain.local.
No, the public domains are standard primary and there's 3 of them.
mydomain.net
mydomain.com
mydomain.org

This is how I typically set entries in one of them, it works
intermittently..

same as parent soa june.mydomain.net
same as parent ns june.mydomain.net
june A 192.168.100.60
june A 203.145.145.145
surfer A 192.168.100.70
surfer A 203.145.145.200
www alias june.mydomain.net (the 203.145.145.200
entry)

It's works intermittently. I want my DNS to support all 3 + more
domain names.

Your mixed private and public IPs in your zone just confirms what I
mentioned. You cannot mix these up in a zone or you will get the
undesireable effects you're experiencing. You'll have to separate them on
separate DNS servers. No real way around this, especially if the internal
servers are needed for AD. If not needed for AD, you'll still need two, one
for public data, one for private data or the internal folks will get an
external IP that is your NAT's WAN IP, which the NAT device will NOT send
the traffic back in so they won;'t be able to get to the web page.

They (either internal or external users) can get lucky due to Round Robin
functionality where it may just happen to give them the internal IP to get
to the internal site or the external IP to the external users. But it's a
50-50 shot. So they're either getting the private IP or public, so about 50%
of Internet users will get the public IP, the other 50% will get the private
IP, which would be useless to them.

Seaparate DNS servers...
========================================
<end of post>


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Ace Fekay [MVP]]

In

What do you mean "Maybe you can get another box internally"?
port remap the new DNS server why?

And why we can't mix public and private data on a DNS.

And yes, I'm not, as well as Kevin, or anyone else here for that matter,
trying to sell you any hardware.

We're here just to point out the facts.

Ace

 

[news.microsoft.com]

I'm sorry both of you Kevin and Ace if my words led you to such conclusions.
I'm only a bit frustrated cause is not my machine but a friend I'd like to
help and I thought is just a problem to get help configuring it not that it
cannot be done in the actual context.
Don't get me wrong, but on a linux I have, I can run two named demons (dns
server equivalent) one for internal network one for exterior where are
defined 2,3, ... zones hosting so as many Internet domains as I wish.
By the way Kevin, what keeps me to have only one zone. I have a zone created
for company.local when I installed Active Directory and recently I created
another zone for company.com

But maybe I was not able to explain exactly my problem so hoping not to
upset you I'll try to explain again in more detail. Please be patient with
me.
I have a machine:
- 2 ethernet interfaces one with a public IP connected to my ISP, the
other with private IP address connected to my internal network with SBS
2000,
- installed AD with the next complete domain name "company.local" as
wizard recommends so DNS was configured a zone company.local.
- In the meantime we got company.com and we are about to got two IP
addresses point to company.com as nameservers: first is the ns of my ISP and
the other I thought will be the IP address on my external interface (so to
meet the minimum request of two nameservers Kevin talk about).
- is it wrong to add another zone "company.com" ?

Mircea

 

[Jonathan de Boyne Pollard]

n> Don't get me wrong, but on a linux I have, I can run two
n> named demons [...] one for internal network one for exterior
n> where are defined 2,3, ... zones hosting so as many Internet
n> domains as I wish.

With the various kinds of DNS server softwares that exist for Unix and Linux,
one can easily run multiple, parallel, DNS server instances (listening on
distinct IP addresses). Microsoft's DNS server simply does not support (or,
at least, provide an easy means for configuring, since I suspect that it
_might_ be possible) multiple parallel server instances running on a single
machine.

n> But maybe I was not able to explain exactly my problem [...]

Indeed. Nothing in _this_ explanation justifies your previous requirement
that you be able to

n> [...] mix public and private data [...]

since in _this_ explanation there are not actually two such data sets to mix.

 

[Kevin D. Goodknecht [MVP]]

In

I'm sorry both of you Kevin and Ace if my words led you to such
conclusions. I'm only a bit frustrated cause is not my machine but a
friend I'd like to help and I thought is just a problem to get help
configuring it not that it cannot be done in the actual context.
Don't get me wrong, but on a linux I have, I can run two named demons
(dns server equivalent) one for internal network one for exterior
where are defined 2,3, ... zones hosting so as many Internet domains
as I wish.

Network views is one thing that BIND supports that Win2k DNS does not, it is
on our wish list. Win2k can only hold one view in one zone, either the
internal view or the public view. If you try to put both views in one zone
it will cause inconsistent resolution.
Views are on our wish list though.

By the way Kevin, what keeps me to have only one zone. I have a zone
created for company.local when I installed Active Directory and
recently I created another zone for company.com

But maybe I was not able to explain exactly my problem so hoping not
to upset you I'll try to explain again in more detail. Please be
patient with me.
I have a machine:
- 2 ethernet interfaces one with a public IP connected to my ISP,
the other with private IP address connected to my internal network
with SBS 2000,
- installed AD with the next complete domain name "company.local"
as wizard recommends so DNS was configured a zone company.local.
- In the meantime we got company.com and we are about to got two
IP addresses point to company.com as nameservers: first is the ns of
my ISP and the other I thought will be the IP address on my external
interface (so to meet the minimum request of two nameservers Kevin
talk about). - is it wrong to add another zone "company.com" ?

That would be the two DNS servers you need to register a name on the
internet. I assume your ISP wil be a secondary zone pulling records from
your DNS server?
That is fine that way but understand, your Public DNS zone must not have any
records with private IPs. Remember, it is your Public DNS zone, and noboby
on the internet can access any servers or web sites hosted locally by you by
their private IPs.


If it seemed like I was short with you, I was just trying to get your
attention, right now there are no less that five threads in this group right
now asking the same question, plus a few more started by the same person.