Cannot resolve website hosted on private network from inside but able to resolve from the public side across NAT router

Posted on 2004-09-09
Last Modified: 2013-12-19
I have looked into similar issues but found a slight variation in my problem for which there may be a different potential solution.

Scenario: (All servers running Server2003 with AD)

Private network '' setup on 192.168.0.X with being the private side interface on the Netgear NAT router/firewall. The public address is configured with static IP address, (for arguments' sake). The company website is registered publically with DNS for domain ''. The website is actually hosted internally on an IIS server on with forwarding on the router to this address for external access requests.

The problem is this:  External clients are able to resolve to but internal clients (logging in to are not. When I enter in the address bar from a client machine on the internal side it resolves to the external gateway of the NAT router, bringing up a login dialog to enter router configuration. Running a ping on also resolves to the public IP address on the router. If I type in the address in the address bar it resolves to the website as it should.

I have entered the local DNS server address (hosted on PDC on as the primary DNS in DHCP so all clients know of the internal DNS server before attempting to lookup on the external DNS provided by the ISP. However, when attempting to configure a record in the local DNS i am stumped on how to configure a record pointing to '' in the primary zone of The cname only works on aliases and not on domain names (i think...), A records require a netbios name etc etc. I added a record of this in the reverse lookup primary zone but also to no avail.


As a work around I have modified local hosts files to resolve locally, and it does the trick just nicely. Problem is, folks come in with their laptops, pick up an IP address for their machines from local DHCP and get on the internet (workgroup mode and not joining I cant keep this regime of manually editing hosts files on such a transient population of hosts so I would prefer to fix up local DNS to provide internal users with the abililty to logon to the company website internally.

many thanks in advance...
Question by:blueenergy
  • 2
  • 2
LVL 82

Accepted Solution

oBdA earned 250 total points
Comment Utility
There are two ways around this:
* Either access your web server internally with the internal name of the server; be that the NetBIOS (http://SomeServer/) or a FQDN name (
* Create a forward lookup zone com in your DNS, then create an A record "www", and set it to If there are other external hosts in the domain you need access, you need to enter those (with their external addresses) as well.
LVL 28

Expert Comment

Comment Utility
As a cheap trick, I would try to put the web server internal address in the host file of the machine runnning the internal DNS. That seems to have priority if the name is also present in the DNS table.
I am using this in a slightly different cfg, ie in the hosts file of my proxy machine, so you have to check if this is true for you as well (the proxy is running a DNS cache, not a real internal DNS)

Author Comment

Comment Utility
Thanks for that oBdA. The second suggestion of creating a forward lookup zone works a treat with an A record with host 'www'.

The first suggestion works too, however the user community are unaware of the host Netbios name and so it could get messy trying to put this regime in place.


Thanks for the suggestion however I attempted this prior to adding the forward lookup zone as above. I attempted a ping from a client machine and it still resolved the external interface of the NAT router. I checked the IPCONFIG /ALL to see that the local (private) DNS was above the external (public) DNS and it was. I also ran NET STOP DNSCACHE just in case it was still attempting to resove the external address from a local cache table.

Any ideas why it still did not work?  Thanks

LVL 82

Expert Comment

Comment Utility
The only excuse for the use of the hosts file is a peer to peer homenetwork (and only if there's no router provifing DNS).
While I just read this, I have the impression that your DNS settings are incorrect. I guess you're experiencing long logon times occasionally or even often? Is your ISP's DNS entered in the TCP/IP settings of your machines? Then you have to change that.
On your DC/DNS (assuming your DC is running DNS), and on all of your domain members, make sure the DC's address *only* is listed in the TCP/IP properties (be that via DHCP or static). That makes sure your internal lookups work correctly.
For internet access, delete the root zone (if present; it's the single dot: ".") on your DNS server in your forward lookup zones. Then open the properties page of your DNS server and configure forwarders to point to your ISP's DNS. The forwarders section is the *only* entry in your network where your ISP's DNS should be listed.
Here's more:

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003

HOW TO: Configure DNS for Internet Access in Windows Server 2003

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003

Author Comment

Comment Utility
Actually, checking the settings I see that the "." zone is not there. The ISP's DNS servers were originally listed in the TCP/IP properties of the machines, but I edited the DHCP to first include the local DNS and then the remote. I will go and change that so that the DC/DNS is the only place those addresses are contained.
Performance is actually improved on the network following other changes made above.

Thanks kindly
Paul Sadler


Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Suggested Solutions

Greetings, Experts! First let me state that this website is top notch. I thoroughly enjoy the community that is shared here; those seeking help and those willing to sacrifice their time to help. It is fantastic. I am writing this article at th…
We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
This video discusses moving either the default database or any database to a new volume.
Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now