NSLOOKUP and DNS responses...


Ron Mitchell

Not being rich in $$$$$$$ all we have is a single W2K
Server with AD, DNS, DHCP behind a firewall. The
firewall is providing NAT, so the external IP is
translated to the NAT IP of the Server....
Here's the problem: If you do an NSLOOKUP xxxx.com, you
get back the NAT IP and the Real External IP...all that
should come back is the real External IP...however I've
been unable to discover just how to prevent the NAT IP
from coming back too...there are some UNIX email servers
that seem to have a real problem in looking up MX
records...so it causes a problem...any and all thoughts
on this issue are welcomed.
Thanks.
Ron Mitchell
 
This is the problem with using one DNS server for both internal and external
addresses, especially in the same zone. Get another W2K server or use BIND
on Unix or XP for your external/public addresses. You can also just use
your registrar to host your few public IPs and be done with it. Should not
cost any money or very little, and you offload the work to someone, like your
registrar, that is equipped to do this.
 
In Ron Mitchell <[email protected]> posted a question
Then Kevin replied below:
: Not being rich in $$$$$$$ all we have is a single W2K
: Server with AD, DNS, DHCP behind a firewall. The
: firewall is providing NAT, so the external IP is
: translated to the NAT IP of the Server....
: Here's the problem: If you do an NSLOOKUP xxxx.com, you
: get back the NAT IP and the Real External IP...all that
: should come back is the real External IP...however I've
: been unable to discover just how to prevent the NAT IP
: from coming back too...there are some UNIX email servers
: that seem to have a real problem in looking up MX
: records...so it causes a problem...any and all thoughts
: on this issue are welcomed.
: Thanks.
: Ron Mitchell

If a private address is being returned to public clients how did the private
record get into the public zone?
I think there is something more going on here that you left out. Where is
the public DNS zone for xxxx.com being hosted?
Does this have something to do with your AD domain?
Tell me you are not trying to share a single zone for both internal and
public namespaces. You cannot do that. Public zones and private zones must
be kept completely separate on different DNS servers.

A little more information on your configuration would help.

That being said, Active Directory must have a DNS server hosted locally that
only AD Domain members must use. It should not need any MX records because
local mail servers do not need to see MX records for local domains. Other
public mail servers will look in public DNS zones for MX records for domains
they do not know.
Now, where is the mail server that is finding an MX record that points to a
host that has a private address?
Where is the zone that has an MX record that points to a mail server host
name that resolves to a private address?
Throw me a bone :-) and I'll tell you what is configured wrong and how to
correct it.
I need the actual domain name so I can do the lookups for the MX records;
giving me bogus names isn't giving me a clue.
When I do an MX lookup for xxxx.com it doesn't even return a record that can
be NAT'd; it returns a loopback address.
xxxx.com MX

NetDig 1.7
opcode: QUERY, status: NOERROR, id: 23
flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

QUESTION SECTION:
xxxx.com. IN MX

ANSWER SECTION:
xxxx.com. 3600 IN MX 0 mail.xxxx.com.

ADDITIONAL SECTION:
mail.xxxx.com. 3600 IN A 127.0.0.1

Query time: 550.792 ms
Server : 192.168.0.2:53 (192.168.0.2)
When : 1/24/2004 10:45:00 PM
Size rcvd : 63
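A check for the condition Kevin's lookup shows, added here as an example that is not from any poster: it parses dig-style MX/A output and flags MX exchanges whose published addresses are loopback or RFC 1918, which is exactly what leaks when one zone serves both internal and public records. The sample input is constructed from the NetDig answer above with two extra records (a NAT-range A record and a second MX on a documentation address) so that both outcomes appear.

```python
import ipaddress
import re

# Constructed sample: the NetDig output quoted above, plus two extra records
# (a NAT-range A record and a second MX on a public address) to show each
# outcome.  203.0.113.10 is an RFC 5737 documentation address.
SAMPLE_DIG_OUTPUT = """\
ANSWER SECTION:
xxxx.com. 3600 IN MX 0 mail.xxxx.com.
xxxx.com. 3600 IN MX 10 mail2.xxxx.com.

ADDITIONAL SECTION:
mail.xxxx.com. 3600 IN A 127.0.0.1
mail.xxxx.com. 3600 IN A 192.168.0.2
mail2.xxxx.com. 3600 IN A 203.0.113.10
"""

# Ranges no Internet mail server can deliver to, listed explicitly because
# ipaddress.is_global would also reject the RFC 5737 range in the sample.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(MX|A)\s+(.+)$")

def parse_records(text):
    """Return (mx_exchanges in answer order, {host: [A addresses]})."""
    exchanges, addresses = [], {}
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue
        name, rtype, rdata = m.groups()
        if rtype == "MX":
            _pref, exch = rdata.split()            # "0 mail.xxxx.com."
            exchanges.append(exch.rstrip(".").lower())
        else:
            addresses.setdefault(name.rstrip(".").lower(), []).append(rdata)
    return exchanges, addresses

def unroutable_mx(text):
    """Map each MX exchange to the loopback/RFC 1918/link-local addresses it
    publishes; an empty dict means every exchange is reachable from outside."""
    exchanges, addresses = parse_records(text)
    problems = {}
    for exch in exchanges:
        bad = [ip for ip in addresses.get(exch, [])
               if any(ipaddress.ip_address(ip) in net for net in UNROUTABLE)]
        if bad:
            problems[exch] = bad
    return problems
```

Run it against the output of a real MX lookup made from outside the firewall; any exchange it reports is one that remote mail servers will fail to reach.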
 
In
William Stacey said:
This is the problem with using one DNS server for both internal and
external addresses, especially in the same zone. Get another W2K
server or use BIND on Unix or XP for your external/public addresses.
You can also just use your registrar to host your few public IPs and
be done with it. Should not cost any money or very little, and you
offload the work to someone, like your registrar, that is equipped to do
this.

An old unused or little used workstation with W2k server installed on it
will work fine for this task.
:-)

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 