Solved

DNS problems due to conflict between internal and ISP DNS servers

Posted on 2002-04-29
Last Modified: 2010-04-11
Dear Experts,

this may seem like a dumb question but let me explain my current situation.

I am on a LAN behind a firewall. I am using private IPs (10.x.x.x with subnet mask 255.0.0.0) for all the PCs on the LAN and the servers. My DNS server (10.0.0.4) is running W2k and also acting as the AD server for my domain, e.g. companya.com. This DNS server has an AD-integrated zone for companya.com with a SOA record for the companya.com domain. This server also has a public IP, e.g. 1.2.3.4, which is set via one-to-one NAT on my firewall.

However, my ISP already has an authoritative DNS server with a SOA record for the companya.com domain. So external users trying to reach a computer abc.companya.com resolve the name directly or indirectly through the ISP's DNS servers.

DNS settings for all internal users are set to 10.0.0.4 with my ISP's DNS servers set as alternate DNS servers.  So, internal users will resolve all names through the internal DNS server (10.0.0.4/1.2.3.4) which also has its forwarders property set to point to my ISP's DNS servers.

This is alright for most cases; however, there is a problem I am facing:

www.companya.com cannot be resolved through the internal DNS server! www.companya.com is my company website hosted by my ISP.

I've tried to solve this by:

1) adding a "www" host (A) record pointing to the IP address (e.g. 2.3.4.5) of my ISP's web server. This did not work because my ISP is doing some sort of mapping from www.companya.com to my website. Just accessing the IP directly will not get to www.companya.com website but will show the ISP's homepage instead.

2) setting the internal users' DNS settings such that my ISP's DNS servers come before my internal DNS server to enable resolution of www.companya.com. With this, internal network access will be very slow because the external DNS server resolves to 1.2.3.4, which cannot be used internally to address the 10.0.0.4 server. The internal user's machine will be trying to reach 1.2.3.4 in vain and will only try to resolve using the alternate internal DNS server after a timeout, which takes quite a while.

If there is any way to resolve this issue, please let me know ASAP. TIA!
Question by:leadsane
31 Comments
 
LVL 8

Expert Comment

by:scraig84
ID: 6977287
I am confused a bit.  You say that www.companya.com is hosted by your ISP.  However, in #2 you say that if you point people to resolve from the ISP's DNS server, they get pointed to the public address of your server.  This is conflicting information.  Where do the pages exist?  If the pages actually exist on your server, why wouldn't you point your internal A record to the internal address (10.0.0.4)?
0
 
LVL 1

Expert Comment

by:braddn
ID: 6977342
I had a similar issue a while ago. I had to call my ISP and have them actually assign a real IP address to my website. Once I did that your solution # 1 should work without any problems. It's just the fact that your website does not have a public IP assigned to it.

My ISP gave me a public IP for an additional $10 bucks a month or something like that.

Thanks!
0
 
LVL 15

Expert Comment

by:samri
ID: 6977764
Gee... the first time I read it, I thought I got it; the next time, I'm more confused.  Anyhow, the explanation pretty much covered the area, I just need some time to comprehend it.

I'm not sure whether this will work or not (very good opening statement!), but it's worth a try.

As you mentioned, using your ISP DNS as the first DNS server seems to work. -- I presume the statement is correct.  Perhaps you could run some kind of Accelerator or ReverseProxy server (whatever the jargon is), that does the "mirroring" for your website hosted at your ISP.  For this machine, use your ISP DNS to make sure when the request comes in from your internal client, the Accelerator (let's stick to one term) will know where to go - the website hosted at the ISP location.

Theoretically (I recalled doing this) this should work since name resolution on the Accelerator is using ISP's DNS, and should resolve to the right www.companya.com.

And internally, just have your clients point to your internal DNS server (as usual), but make sure your internal DNS is configured to assign the IP address of this Accelerator for www.companya.com.

The next trick that might exist is; whatever platform you chose for your accelerator might make a big difference (easy or hard to implement).  I knew this should work with Squid.  Apache with mod_proxy module should work.  I do not have the specific configuration at the moment, but I believe the following segment in httpd.conf could be tested.  (This is coming from Win32 Apache 1.3.24).

<IfModule mod_proxy.c>
    # The ProxyPass/ProxyPassReverse lines below make this a reverse proxy
    # (accelerator); that does not need forward proxying, so leave it Off
    # rather than also running a forward proxy for the LAN.
    ProxyRequests Off
#    ProxyRemote * http://127.0.0.1:8080

    <Directory proxy:*>
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/255.0.0.0
    </Directory>

    #
    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    #
#    ProxyVia On

    #
    # To enable the cache as well, edit and uncomment the following lines:
    # (no cacheing without CacheRoot)
    #
    CacheRoot "C:/Program Files/Apache Group/Apache/proxy"
    CacheSize 1024
    CacheGcInterval 4
    CacheMaxExpire 24
    CacheLastModifiedFactor 0.1
    CacheDefaultExpire 1
    ProxyPass         / http://www.companya.com/
    ProxyPassReverse  / http://www.companya.com/
#    NoCache a_domain.com another_domain.edu joes.garage_sale.com
</IfModule>

More information.
http://localhost:8000/manual/mod/mod_proxy.html#proxypassreverse

Should you be interested in venturing this possibility, I should be able to help.

cheers.
0
 

Expert Comment

by:hkaufm2
ID: 6978190
Did you try removing the record from your internal DNS?
0
 

Author Comment

by:leadsane
ID: 6979749
Dear scraig84,
>I am confused a bit.  You say that www.companya.com is
>hosted by your ISP.  However, in #2 you say that if you
>point people to resolve from the ISP's DNS server, they
>get pointed to the public address of your server.
> This is conflicting information.  Where do the pages
>exist?  If the pages actually exist on your server,
>why wouldn't you point your internal A record to the
>internal address (10.0.0.4)?

Yes, www.companya.com is hosted by my ISP. My ISP's DNS servers resolve www.companya.com to one of their web servers. How is this conflicting? The pages actually exist on their web server, not on 10.0.0.4 which is the private IP of my internal DNS server (running Win2k). I don't point my internal A record to 10.0.0.4 because it is not meant to be a web server and for various reasons, I prefer not to host our company's public website on an internal web server. Else, I could have set up a internal web server and have both my internal DNS and ISP's DNS servers pointing to this web server without much problem.

Please feel free to give more suggestions.

Thanks for trying. :)
0
 
LVL 15

Expert Comment

by:samri
ID: 6979772
leadsane,

did you give any thought to my recommendation?
0
 

Author Comment

by:leadsane
ID: 6979791
Dear braddn,

>I had a similar issue a while ago. I had to call my ISP
>and have them actually assign a real IP address
>to my website. Once I did that your solution # 1 should
>work without any problems. It's just the fact that your
>website does not have a public IP assigned to it.
>
>My ISP gave me a public IP for an additional $10 bucks a
>month or something like that.

Hmm, I did not think of this, it's a straightforward solution. Let me check with my ISP.

However, this solution seems to just skip/bypass the problem instead of actually solving it. Is there a way to set my DNS "correctly" such that it resolves internal requests for www.companya.com correctly by going to my company's website on my ISP's web server instead of going directly to its IP address and getting mapped to my ISP's homepage?

Thanks for the help!
0
 

Author Comment

by:leadsane
ID: 6979793
Dear hkaufm2,

>Did you try removing the record from your internal DNS?

I did, removing the "www" host record from my internal DNS will result in www.companya.com being unresolvable since my internal DNS thinks it is authoritative over my domain. Adding the record will end up with browsers getting mapped to my ISP's homepage.
0
 

Author Comment

by:leadsane
ID: 6979819
Dear samri,

sorry for replying to you last 'cos your reply was the longest :P :)

Using my ISP's DNS server as the first DNS server also has its problems. For example, when it is slow and times out (happens too often for the current method to be a long-term solution), my LAN users will be unable to resolve www.companya.com. Using nslookup, querying for www.companya.com will work only if the timeout is set around 5 seconds; the default is 2 seconds. I've tried looking for some way to extend the default DNS resolution timeout for Windows to no avail.

I'm not sure what Accelerator and ReverseProxy are. I'm guessing that they are software for some sort of DNS re-direction. I'll do a search and check them out.

My ISP is using IIS and my company's website is also developed with it in mind (scripts and such), so Apache is not an option open to me.

Thanks for trying, your effort is plain to see. :)
0
 
LVL 15

Expert Comment

by:samri
ID: 6979850
It is an option.  I would presume, IIS should be able to do that too.  If you are using IIS5, Check the default server properties, under Home directory, pick "A Redirection to URL".  Take a look at the Help section under "Redirect Variable" and "Redirect Wildcards".

I do not have much experience with IIS.

Back to the DNS resolution, it should not be a problem, since your client will be pointing to the internal IIS for www.companya.com.  Remember that for internal DNS, www.companya.com would be pointing to this internal box (IIS), while the IIS box would be using the ISP DNS to resolve www.companya.com.  Better still, just hardcode the IP address in the hosts file (c:\winnt\system32\drivers\etc\hosts file).  So the first DNS query would be timely, and subsequent ones should be OK due to cache (if you opt for ISP DNS).

I would think that it is still an option.  Unfortunately, I cannot verify this since lack of exp. with IIS.


Other than that, the other solution would be scraig84's - get your ISP to use a separate IP address for your (real) www.companya.com.
0
 

Author Comment

by:leadsane
ID: 6979932
Dear Samri,

Thanks for the prompt reply.

Not sure if I understand you right. Are you suggesting that I set up an internal web server to serve internal users and set this internal web server to redirect all web requests to my ISP's web server?

If so, I don't think it's feasible 'cos of hardware constraints. To do what you suggested, I'll need another box with DNS settings pointing to my ISP's DNS. The present box cannot be used as it is acting as the AD domain controller, and a pre-requisite of that is that its DNS settings must point to itself first to have acceptable performance. My company doesn't want to buy another server anytime soon, so it's again not an option. :(
0
 
LVL 15

Expert Comment

by:samri
ID: 6979974
leadsane,

It looks like we are (I am) almost short of ideas.  Perhaps you could run a TCP redirection service on your existing machine.

There are too many redirector programs on the market.  But since you are tight on budget, let's go for a free one.

Bunch of them;
http://www.freefire.org/tools/index.en.php3

I personally like these:
http://www.boutell.com/rinetd/

All you need to do is create a mapping for local TCP/80 and redirect to your ISP's www.companya.com.  Remember that to the machine (the server), www.companya.com still points to the local 10.x IP.  So, you might want to use this rule:

Assuming that the ISP's www.companya.com is 111.222.333.444
10.0.0.4 80 111.222.333.444 80

Don't worry about using IP, since the packets will be transferred raw to the target hosts (111.222.333.444), when it reaches the ISP's IIS, it should examine the packet, and the host-header in the URL request should be able to channel to the right VirtualServer.

I have a strong feeling that this would work.

cheers.
0
 
LVL 15

Expert Comment

by:samri
ID: 6979979
Gee... after looking at your question, you might be able to utilize a firewall rule to do the mapping.  Most firewalls should support this.

It's almost similar to using a redirector (in fact we are doing redirection too).
 
0
 
LVL 8

Expert Comment

by:scraig84
ID: 6980288
Leadsane - you still didn't answer my questions...

If I am understanding your posts, the web pages sit on your ISP's server.  When you point your DNS to the IP address of the ISP's web server, you are not getting your page and instead are receiving the ISP's home page.  Does this only happen from inside your company?  If so, are you certain you are pointing to the correct IP address?  If it happens from everywhere, your ISP has a problem.  I am also assuming you are using the same URL that people would use outside the company?  If you are having internal clients use a different URL, then your ISP may not have that URL set up on the web server and it will hand out the default web page instead of yours.  Remember that the ISP probably has a large number of sites being served from 1 IP address.  Therefore, it has to look at the URL presented to determine which pages to return.  Therefore you need to make sure you and your ISP agree on 2 things - the URL being used, and the IP address of the web server.  If you are still having problems from there, I would start pointing to the ISP.  It really shouldn't be any harder than that.
0
 
LVL 15

Expert Comment

by:samri
ID: 6980338
scraig84/leadsane,

In most cases the ISP would be using VirtualHosting (as commented by scraig84).  I would suspect that they might be using Apache (maybe).

This would not be directly related, but you might be interested to find out. A simple check could do the job.  Visit Netcraft http://uptime.netcraft.com/up/graph/, enter your website URL, ie: www.companya.com, and click on examine.

If this is the case (VH), the request that your ISP is receiving must be in a certain format, ie. the HTTP header must conform to the website being hosted (or the ServerName directive in the Apache world).  By using a redirector, the HTTP header sent (whatever the URL typed in the browser location) by your client would not be changed, and should (MUST) work.  If the Accelerator is used, the request may/may not be required to go thru some "rewriting" before being passed to the ISP website.  Since you are tight on resources (HW & $$), a redirector would be a viable alternative.  Bear in mind, performance may be a killing factor here since all requests must go "direct" to your ISP.

I would still recommend the Accelerator approach, since some product could even be configured to do Caching as well.

regards.
0
 
LVL 8

Expert Comment

by:scraig84
ID: 6980365
samri - I agree, but I still haven't seen leadsane say that he is using a different URL than the one his ISP is hosting on.  I have also not seen him say that using the URL that his ISP is using is unacceptable from a client perspective.  Therefore, offering up redirectors as solutions may be a bit presumptuous.  My personal thought is that Leadsane needs to confirm what the problem is before solutions are offered.

Also, Leadsane already said his ISP uses IIS.
0
 
LVL 15

Expert Comment

by:samri
ID: 6980443
I think too many proposed solutions make the problem more complicated :)

I think leadsane laid down the facts quite nicely.  There is no problem for external users.  Only internal users that use the internal DNS will have a problem.  It is true that when the entry www.companya.com is removed from the internal DNS, the name resolution would totally fail since the server (Int DNS) is authoritative for the zone, and won't bother to forward the request (even though it's configured to use a forwarder).

What is puzzling: adding a record in the internal DNS such that www.companya.com has the IP address of the ISP website should have worked.  Maybe the firewall could be configured to do NAT to allow *everybody* from the 10.x network to go out.

Gee... another option.  :D

I'll have to rest, knowing the fact that leadsane should take the time to evaluate the best options to go.

I think I will just wait !
0
 
LVL 8

Expert Comment

by:scraig84
ID: 6980574
Considering they are still getting to a site (just the wrong one) my assumption is that some type of NAT or proxying is already being used so I doubt that this is an issue.  

From my understanding, he is getting to the "wrong" site.  All I'm saying is that before we offer up redirectors or internal web sites that redirect or anything like that, we need to figure out WHY he is getting to the wrong site.  Like I said, there are only a couple of reasons this should be happening - either the wrong URL is being used (or the ISP has configured for the wrong URL) or the wrong IP address is being used for the A record.  Which is it?  Or is there something else we are missing?  Either way, redirection should not be needed.  In fact a redirection should get you back to where you started.
0
 
LVL 15

Accepted Solution

by:samri (earned 300 total points)
ID: 6980607
Let's ignore the redirector for a while.

>> Just accessing the IP directly will not get to www.companya.com website but will show the ISP's homepage instead.

This is true in a VirtualHost environment.

>> Just accessing the IP directly will not get to www.companya.com website but will show the ISP's homepage instead.

This is what puzzled me.  By right it should work since the HTTP request that goes out still carries the host header.  And the target webserver on 1.2.3.4 should know what to do with this.

Leadsane:  Do you access the internet via a Proxy server?  or do you use NAT for web browsing?
0
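As an added illustration (not code from anyone in this thread) of the two mechanisms the discussion keeps coming back to: an internal server that is authoritative for companya.com answers NXDOMAIN for a name it does not hold instead of forwarding, and a name-based virtual host at the ISP is picked from the Host: header, which carries the name the user typed rather than the address DNS returned. All zones, addresses, host names and site labels are constructed.

```python
# Added illustration, not code from this thread: a toy model of the two
# mechanisms the discussion hinges on. All zones, addresses, site labels and
# host names below are constructed.
from typing import Dict, Optional

Zones = Dict[str, Dict[str, str]]

# Internal AD-integrated zone: the internal server is authoritative for
# companya.com, so a name in that zone it does not hold is answered NXDOMAIN
# and is never sent to the forwarder, even though a forwarder is configured.
INTERNAL_ZONES: Zones = {
    "companya.com": {"dc1.companya.com": "10.0.0.4"},
}

# What the ISP's resolvers answer (constructed addresses).
ISP_ANSWERS = {
    "dc1.companya.com": "1.2.3.4",   # the public one-to-one NAT address
    "www.companya.com": "2.3.4.5",   # shared hosting box at the ISP
    "example.net": "198.51.100.10",
}

# The ISP's shared web server: one IP, many sites, picked by the Host: header.
VHOSTS = {"www.companya.com": "companya site", "www.companyb.com": "companyb site"}
ISP_DEFAULT = "ISP default homepage"


def resolve(name: str, zones: Zones = INTERNAL_ZONES,
            forwarder: Dict[str, str] = ISP_ANSWERS) -> Optional[str]:
    """Resolve the way the internal server does: own zones first, forward
    otherwise. None means NXDOMAIN."""
    name = name.rstrip(".").lower()
    for zone, records in zones.items():
        if name == zone or name.endswith("." + zone):
            return records.get(name)       # authoritative answer, no forwarding
    return forwarder.get(name)             # not our zone: ask the forwarder


def with_www_record(ip: str, zones: Zones = INTERNAL_ZONES) -> Zones:
    """Return a copy of the zones with a www A record added (fix 1 in the question)."""
    new = {z: dict(r) for z, r in zones.items()}
    new["companya.com"]["www.companya.com"] = ip
    return new


def browser_request(typed_host: str) -> bytes:
    """What a browser sends after resolving the name: Host: carries what was
    typed in the URL, not the address DNS returned."""
    return f"GET / HTTP/1.1\r\nHost: {typed_host}\r\n\r\n".encode("ascii")


def select_vhost(request: bytes) -> str:
    """Name-based virtual hosting: choose the site from Host:, else the default."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    for line in head.split("\r\n")[1:]:          # skip the request line
        key, _, value = line.partition(":")
        if key.strip().lower() == "host":
            host = value.strip().split(":")[0].rstrip(".").lower()  # drop any :port
            return VHOSTS.get(host, ISP_DEFAULT)
    return ISP_DEFAULT                            # HTTP/1.0 client with no Host:


def internal_user_sees(typed_host: str, zones: Zones = INTERNAL_ZONES) -> str:
    """End to end for an internal user: DNS lookup (unless an IP literal was
    typed), then the HTTP request the browser builds."""
    is_ip_literal = typed_host.replace(".", "").isdigit()
    if not is_ip_literal and resolve(typed_host, zones) is None:
        return "NXDOMAIN"                 # no A record: the browser never connects
    return select_vhost(browser_request(typed_host))
```

Typing the shared IP directly sends "Host: 2.3.4.5", which is why a bare-IP test shows the ISP's default page even when the www A record pointing at that same IP serves the right site.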
 
LVL 8

Expert Comment

by:scraig84
ID: 6980630
That is exactly my point.  Therefore there is a problem with either the IP address being used or there is a URL problem (either the clients inside the company are requesting the wrong one, or the ISP has an error on the site).  Since external clients can supposedly get to the site, I am assuming that the URL problem is not the issue.

One thought also - if the ISP is proxying client requests, there could be an issue with using the IP address that external clients use.  Just a thought.  

Anyway, like I said - EVERYTHING that is being done should be verified again with the ISP to ensure everything is configured correctly.
0
 

Expert Comment

by:hkaufm2
ID: 6980652
How is your AD structured - do you have, i.e., root.us.companya.com - www.companya.com
         |                  |
home.us.company.com      fpt.company.com

etc..

or is your ad built around companya.com?
0
 
LVL 55

Expert Comment

by:andyalder
ID: 6981589
Small enough to reinstall AD with companya.local as your root?

Just to verify, if you run nslookup, server = 158.43.129.80, www.companya.com and put the IP address returned into a hosts file on a workstation, does it resolve your website from inside and outside when you type the name in the browser? Then adding a static entry into local DNS and not having an internal machine called www should work.
0
 
LVL 3

Expert Comment

by:hnminh
ID: 6985651
ARE YOU USING A PROXY SERVER? samri and scraig84 gave you all the possibilities! It makes me doubt whether the request URL sent from the internal workstation might have been altered so that the web server at your ISP would receive "http://111.222.333.444/" instead of "http://www.yourcompany.com/", which is needed on many hosting servers.
0
 
LVL 3

Expert Comment

by:hnminh
ID: 6985657
NOTE: my previous comment was for the case that you have the www record pointing to the real IP used at your ISP for your public web server. Get this IP by resolving www.yourdomain.com from a computer that uses only your ISP DNS.
0
 
LVL 3

Expert Comment

by:hnminh
ID: 6985659
... I meant the www record is on your internal DNS
0
 
LVL 15

Expert Comment

by:samri
ID: 6985788
where is leadsane anyway?
0
 

Author Comment

by:leadsane
ID: 6998132
Sorry, was busy cos a server hdd crashed. I'll look thru and try the comments first b4 I give any replies. Thx!
0
 

Author Comment

by:leadsane
ID: 6998309
Hi all! It worked!

Just adding an A record for www on my internal DNS server worked! I decided to try again after andyalder mentioned using hosts file would work. Somehow, it works perfectly fine now.

Not sure what could have been the problem previously. The only change I asked the ISP to make was to update the old PTR record to point to my new server. No idea how that could have affected the results though.

Anyway, don't care much now that the problem is solved.. thanks all! :D
0
 

Author Comment

by:leadsane
ID: 6998354
After looking through the whole list of comments, I think this is what really got me to retry adding the A record for www. Still, I would have gladly given another 300 points to scraig84 if I was able to. Thanks!
0
 
LVL 15

Expert Comment

by:samri
ID: 6998370
leadsane,

What still puzzles me is that in the earlier part you did mention that you had www.companya.com defined in your DNS to point to the external IP address (your webserver at your ISP).

One verification:  Is the entry exactly "www.companya.com." or "www.companya.com"?  Notice the dot (.) at the end of "com".  The Q may sound ridiculous, but I do come across these scenarios.  I could not recall which one, but one does not work.  Just a thought.

good day.
0