DNS Quandary

Kcferret
Ok here's the setup

Cisco router that's running NAT for our network

2 WINNT DNS Servers running SP6.a

One DNS is multihomed (internal NATted IP and external public IP) and is our external DNS. The internal IP points to the internal DNS and the external IP is pointed to itself for DNS

The internal DNS has only one IP, which is NATted, and points to itself for DNS

Both host\lmhost files on the servers are blank

Problem is.. we seem to have people unable to access our internal IIS web server. But it seems geographical in nature

The west coast (up to Texas) can access the web server no probs. The east coast cannot access it and gets various different types of errors (from timeouts, page cannot be accessed, etc.)

Took my test PC outside the router and did an nslookup. I made the external DNS my nameserver and looked up my web server, and it spat out the NATted IP address when it should have given me the public IP, which is an A record in my table.

Still using nslookup, I made another DNS I know (east coast) my nameserver. This DNS is an NS record in both my external and internal DNS servers

It also gave me the NATted IP address for the webserver instead of the public.

Checked the lmhost/host files on my test machine and they are blank and the DNS is pointing to the external DNS server in its network configuration.

So why am I getting NATted IP addresses and why can only some people access my Web Server??

Thanks in advance
Commented:
I think you should separate DNS for internal usage and public DNS server. The internal DNS can have only private address, while the public DNS server have only public address. Let the users from internet see only the resource record of public internet address.

Commented:
You mentioned that the Internet address of the host is an A record in the DNS server. Is there also an A record for the private address of the host? It could be that if you have both of them, the server is handing out the two addresses in a round-robin method, so that half the queries are wrong. Also, are the internal users getting the wrong address sometimes too?

Commented:
DNS has no concept of which address is closest or best for you when you are inside the LAN, or outside on the internet. As suggested, if the server has two cards and two addresses then DNS assumes both are available to anyone who asks to resolve the address and will normally round-robin between them.

It's not a good idea to use the same DNS for internal and external use anyway, but if for some reason you need or want to, you could always add another A record for external users with a different name so that they get to the server from a different address. If you are resolving www.domain.com for instance, then just remove the NATted address for this record from DNS and internal users will access it using the external card address.

The best way though is to keep one DNS server for internal and one for external. If you change to W2K or above you will need a huge amount of stuff in DNS, and it /really/ isn't a good idea to give all that out to the hackers :-)


Steve
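The condition the comments above describe (a name in the externally facing zone holding both a NATted and a public A record, which the server then round-robins) can be checked for directly. The following is an added diagnostic example, not code from this thread; the zone snippet, example.com and the 203.0.113.0/24 documentation addresses are constructed stand-ins:

```python
import ipaddress
from collections import defaultdict

# Constructed sample zone: example.com and 203.0.113.0/24 (documentation range) stand in
# for the poster's domain and public IPs; www and ns1 carry both a NATted and a public A record.
SAMPLE_ZONE = """
$ORIGIN example.com.
@        IN NS   ns1.example.com.
ns1      IN A    192.168.1.2
ns1      IN A    203.0.113.2
www      IN A    192.168.1.10
www      IN A    203.0.113.10
mail     IN A    203.0.113.20
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True for private (NATted) addresses, which have no place in a public zone."""
    return any(ip in net for net in RFC1918)

def parse_a_records(zone_text):
    """Return {fqdn: [IPv4Address, ...]} for the A records in a minimal zone snippet."""
    origin, records = "", defaultdict(list)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if len(fields) >= 4 and fields[1].upper() == "IN" and fields[2].upper() == "A":
            name = origin if fields[0] == "@" else fields[0]
            if not name.endswith("."):
                name = f"{name}.{origin}"
            records[name].append(ipaddress.ip_address(fields[3]))
    return records

def find_private_leaks(records):
    """Names whose A records include RFC 1918 addresses. A name holding both a private
    and a public record is round-robined, so outside clients get the NATted IP on
    roughly half of their lookups (the symptom reported above)."""
    findings = {}
    for name, ips in records.items():
        private = [str(ip) for ip in ips if is_rfc1918(ip)]
        public = [str(ip) for ip in ips if not is_rfc1918(ip)]
        if private:
            findings[name] = {"private": private, "public": public, "round_robin": bool(public)}
    return findings
```

Run `find_private_leaks(parse_a_records(SAMPLE_ZONE))` against an export of the public zone; any name listed with `round_robin` set is one that external clients will intermittently resolve to an unreachable address.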

Author

Commented:
Well, I cannot convince the IT Head to go with separate DNSes. So we are on hold for now (i.e. no progress made)

I have also suggested moving the web server outside and adding the appropriate records to the internal DNS, but no decision on that; will keep you posted

Commented:
kcferret,

I don't think you are going to get any further with this unless you can run different DNS's as suggested before.  Don't forget to close the question :-)

"How do I know what grade to give?":
http://www.experts-exchange.com/jsp/cmtyQuestAnswer.jsp#3

Steve
A request was made to clean up this question, I will return in 7 days and intend to PAQ no refund.  Please post any recommendations here before the 7 day period.

SpideyMod
Community Support Moderator @Experts Exchange
PAQd no refund

SpideyMod
Community Support Moderator @Experts Exchange
How did you get around the problem?
I have the same issue happening with me.
I have a DC which is also a public DNS and it's
advertising its internal IP address!
I already built a new DC and no longer need
the DNS server to act as a DC.
Should I delete the (A)Host records from the DC zone?
There are NS records as well.

Any ideas are welcome.
