Solved

Cannot resolve website hosted on private network from inside but able to resolve from the public side across NAT router

Posted on 2004-09-09
Last Modified: 2013-12-19
I have looked into similar issues but found a slight variation in my problem for which there may be a different potential solution.

Scenario: (All servers running Server2003 with AD)

Private network 'my.domain.com' set up on 192.168.0.X with 192.168.0.1 being the private side interface on the Netgear NAT router/firewall. The public address is configured with a static IP address, 202.117.78.20 (for argument's sake). The company website is registered publicly with DNS for domain 'www.help.me.com'. The website is actually hosted internally on an IIS server on 192.168.0.2, with forwarding on the router to this address for external access requests.

The problem is this:  External clients are able to resolve to www.help.me.com but internal clients (logging in to my.domain.com) are not. When I enter www.help.me.com in the address bar from a client machine on the internal side it resolves to the external gateway of the NAT router, bringing up a login dialog to enter router configuration. Running a ping on www.help.me.com also resolves to the public IP address on the router. If I type in the 192.168.0.2 address in the address bar it resolves to the website as it should.

I have entered the local DNS server address (hosted on the PDC on 192.168.0.3) as the primary DNS in DHCP so all clients know of the internal DNS server before attempting to look up on the external DNS provided by the ISP. However, when attempting to configure a record in the local DNS I am stumped on how to configure a record pointing to 'www.help.me.com' in the primary zone of my.domain.com. The CNAME only works on aliases and not on domain names (I think...), A records require a NetBIOS name etc etc. I added a record of this in the reverse lookup primary zone but also to no avail.

QUESTION: HOW DO I ENTER A RECORD FOR 'WWW.HELP.ME.COM' DOMAIN NAME IN THE LOCAL DNS SERVER FOR CLIENTS ON MY.DOMAIN.COM (along with a number of laptops that pickup 192.168.0.x addresses from the local DHCP server) TO RESOLVE BEFORE GOING OUT TO EXTERNAL DNS FOR LOOKUP?

As a workaround I have modified local hosts files to resolve locally, and it does the trick just nicely. Problem is, folks come in with their laptops, pick up an IP address for their machines from local DHCP and get on the internet (workgroup mode and not joining my.domain.com). I can't keep this regime of manually editing hosts files on such a transient population of hosts, so I would prefer to fix up local DNS to provide internal users with the ability to log on to the company website internally.

many thanks in advance...
Question by:blueenergy
5 Comments
 
LVL 85

Accepted Solution

by:
oBdA earned 250 total points
ID: 12024329
There are two ways around this:
* Either access your web server internally with the internal name of the server; be that the NetBIOS name (http://SomeServer/) or an FQDN (http://www.your.domain.com/).
* Create a forward lookup zone help.me.com in your DNS, then create an A record "www", and set it to 192.168.0.2. If there are other external hosts in the help.me.com domain you need access to, you need to enter those (with their external addresses) as well.
 
LVL 28

Expert Comment

by:lesouef
ID: 12029298
As a cheap trick, I would try to put the web server internal address in the hosts file of the machine running the internal DNS. That seems to have priority if the name is also present in the DNS table.
I am using this in a slightly different config, i.e. in the hosts file of my proxy machine, so you have to check if this is true for you as well (the proxy is running a DNS cache, not a real internal DNS).
 

Author Comment

by:blueenergy
ID: 12037679
Thanks for that oBdA. The second suggestion of creating a forward lookup zone help.me.com works a treat with an A record with host 'www'.

The first suggestion works too, however the user community are unaware of the host Netbios name and so it could get messy trying to put this regime in place.

lesouef...

Thanks for the suggestion, however I attempted this prior to adding the forward lookup zone as above. I attempted a ping from a client machine and it still resolved to the external interface of the NAT router. I checked IPCONFIG /ALL to see that the local (private) DNS was above the external (public) DNS and it was. I also ran NET STOP DNSCACHE just in case it was still attempting to resolve the external address from a local cache table.

Any ideas why it still did not work?  Thanks
 
LVL 85

Expert Comment

by:oBdA
ID: 12037812
The only excuse for the use of the hosts file is a peer-to-peer home network (and only if there's no router providing DNS).
While I just read this, I have the impression that your DNS settings are incorrect. I guess you're experiencing long logon times occasionally or even often? Is your ISP's DNS entered in the TCP/IP settings of your machines? Then you have to change that.
On your DC/DNS (assuming your DC is running DNS), and on all of your domain members, make sure the DC's address *only* is listed in the TCP/IP properties (be that via DHCP or static). That makes sure your internal lookups work correctly.
For internet access, delete the root zone (if present; it's the single dot: ".") on your DNS server in your forward lookup zones. Then open the properties page of your DNS server and configure forwarders to point to your ISP's DNS. The forwarders section is the *only* entry in your network where your ISP's DNS should be listed.
Here's more:

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?kbid=825036

HOW TO: Configure DNS for Internet Access in Windows Server 2003
http://support.microsoft.com/?kbid=323380

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003
http://support.microsoft.com/?kbid=816567
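The accepted solution (internal help.me.com zone with a "www" A record) and oBdA's follow-up on forwarders and client DNS settings, written out as dnscmd/netsh commands for the Server 2003 DNS/DC at 192.168.0.3. This is an added example, not from anyone in the thread; the forwarder address 203.0.113.53, the external host mail.help.me.com at 203.0.113.25 and the DHCP scope 192.168.0.0 are placeholders I assumed.

```batch
@echo off
REM Added example (not from the thread): split-horizon DNS for www.help.me.com
REM on the Windows Server 2003 DNS server at 192.168.0.3, using dnscmd.exe.
REM Placeholders (assumed, not from the page): ISP forwarder 203.0.113.53,
REM external host mail.help.me.com at 203.0.113.25, DHCP scope 192.168.0.0.

REM 1. Create an internal primary zone that shadows the public help.me.com zone.
dnscmd 192.168.0.3 /ZoneAdd help.me.com /Primary /file help.me.com.dns

REM 2. The record the question needs: www -> the internal IIS server, so internal
REM    clients never hit the router's public interface (and its admin login page).
dnscmd 192.168.0.3 /RecordAdd help.me.com www A 192.168.0.2

REM 3. Caveat from the accepted answer: this server is now authoritative for ALL of
REM    help.me.com internally, so every other public host in that domain must be
REM    added here with its external address or it stops resolving for internal users.
dnscmd 192.168.0.3 /RecordAdd help.me.com mail A 203.0.113.25

REM 4. From the follow-up comment: remove the root zone "." if present (a root zone
REM    stops the server forwarding), then list the ISP's DNS as a forwarder only.
dnscmd 192.168.0.3 /ZoneDelete . /f
dnscmd 192.168.0.3 /ResetForwarders 203.0.113.53

REM 5. Hand out only the DC's address as DNS (DHCP option 006) so the ISP's servers
REM    never appear in client TCP/IP settings.
netsh dhcp server \\192.168.0.3 scope 192.168.0.0 set optionvalue 006 IPADDRESS 192.168.0.3

REM 6. Verify from an internal client: expect 192.168.0.2, not the router's public IP.
REM    Flush the client resolver cache first so a stale public answer is not reused.
ipconfig /flushdns
nslookup www.help.me.com 192.168.0.3
```

If the zone already exists or the root zone is absent, the corresponding dnscmd call simply reports an error and the remaining steps still apply.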
 

Author Comment

by:blueenergy
ID: 12043498
Actually, checking the settings I see that the "." zone is not there. The ISP's DNS servers were originally listed in the TCP/IP properties of the machines, but I edited the DHCP to first include the local DNS and then the remote. I will go and change that so that the DC/DNS is the only place those addresses are contained.
Performance is actually improved on the network following the other changes made above.

Thanks kindly
Paul Sadler