Cannot resolve website hosted on private network from inside but able to resolve from the public side across NAT router

Posted on 2004-09-09
Medium Priority
Last Modified: 2013-12-19
I have looked into similar issues but found a slight variation in my problem for which there may be a different potential solution.

Scenario: (All servers running Server2003 with AD)

Private network 'my.domain.com' setup on 192.168.0.X with being the private side interface on the Netgear NAT router/firewall. The public address is configured with static IP address, (for argument's sake). The company website is registered publicly with DNS for domain 'www.help.me.com'. The website is actually hosted internally on an IIS server on with forwarding on the router to this address for external access requests.

The problem is this:  External clients are able to resolve to www.help.me.com but internal clients (logging in to my.domain.com) are not. When I enter www.help.me.com in the address bar from a client machine on the internal side it resolves to the external gateway of the NAT router, bringing up a login dialog to enter router configuration. Running a ping on www.help.me.com also resolves to the public IP address on the router. If I type in the address in the address bar it resolves to the website as it should.

I have entered the local DNS server address (hosted on PDC on as the primary DNS in DHCP so all clients know of the internal DNS server before attempting to lookup on the external DNS provided by the ISP. However, when attempting to configure a record in the local DNS I am stumped on how to configure a record pointing to 'www.help.me.com' in the primary zone of my.domain.com. The CNAME only works on aliases and not on domain names (I think...), A records require a NetBIOS name etc. etc. I added a record of this in the reverse lookup primary zone but also to no avail.


As a workaround I have modified local hosts files to resolve locally, and it does the trick just nicely. Problem is, folks come in with their laptops, pick up an IP address for their machines from local DHCP and get on the internet (workgroup mode and not joining my.domain.com). I can't keep this regime of manually editing hosts files on such a transient population of hosts so I would prefer to fix up local DNS to provide internal users with the ability to logon to the company website internally.

Many thanks in advance...
Question by:blueenergy
LVL 85

Accepted Solution

oBdA earned 1000 total points
ID: 12024329
There are two ways around this:
* Either access your web server internally with the internal name of the server; be that the NetBIOS (http://SomeServer/) or a FQDN name (http://www.your.domain.com/).
* Create a forward lookup zone help.me.com in your DNS, then create an A record "www", and set it to If there are other external hosts in the help.me.com domain you need access to, you need to enter those (with their external addresses) as well.
LVL 28

Expert Comment

ID: 12029298
As a cheap trick, I would try to put the web server internal address in the hosts file of the machine running the internal DNS. That seems to have priority if the name is also present in the DNS table.
I am using this in a slightly different cfg, i.e. in the hosts file of my proxy machine, so you have to check if this is true for you as well (the proxy is running a DNS cache, not a real internal DNS).

Author Comment

ID: 12037679
Thanks for that oBdA. The second suggestion of creating a forward lookup zone help.me.com works a treat with an A record with host 'www'.

The first suggestion works too, however the user community are unaware of the host Netbios name and so it could get messy trying to put this regime in place.


Thanks for the suggestion, however I attempted this prior to adding the forward lookup zone as above. I attempted a ping from a client machine and it still resolved the external interface of the NAT router. I checked the IPCONFIG /ALL to see that the local (private) DNS was above the external (public) DNS and it was. I also ran NET STOP DNSCACHE just in case it was still attempting to resolve the external address from a local cache table.

Any ideas why it still did not work?  Thanks

LVL 85

Expert Comment

ID: 12037812
The only excuse for the use of the hosts file is a peer-to-peer home network (and only if there's no router providing DNS).
While I just read this, I have the impression that your DNS settings are incorrect. I guess you're experiencing long logon times occasionally or even often? Is your ISP's DNS entered in the TCP/IP settings of your machines? Then you have to change that.
On your DC/DNS (assuming your DC is running DNS), and on all of your domain members, make sure the DC's address *only* is listed in the TCP/IP properties (be that via DHCP or static). That makes sure your internal lookups work correctly.
For internet access, delete the root zone (if present; it's the single dot: ".") on your DNS server in your forward lookup zones. Then open the properties page of your DNS server and configure forwarders to point to your ISP's DNS. The forwarders section is the *only* entry in your network where your ISP's DNS should be listed.
Here's more:

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003

HOW TO: Configure DNS for Internet Access in Windows Server 2003

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003
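The two settings oBdA recommends (the internal help.me.com forward lookup zone from the accepted answer, and the root-zone/forwarder cleanup from the comment above), as an added example that is not from the thread, using the dnscmd tool that ships with Windows Server 2003. The server and host addresses are assumed placeholders; the zone name follows the question.

```batch
REM Added example, not from the original thread. Creates the internal
REM "help.me.com" forward lookup zone and points "www" at the private IIS
REM address, then fixes internet resolution via forwarders.
REM Assumed values: DNS/DC 192.168.0.1, IIS host 192.168.0.10,
REM ISP resolvers 203.0.113.53 and 203.0.113.54 (documentation ranges).
REM Run in a cmd prompt as an administrator on the DC that hosts DNS.

SET DNSSRV=192.168.0.1
SET WEBIP=192.168.0.10

REM 1. Internal copy of the public zone. Only hosts listed here resolve
REM    from inside, so every public host in help.me.com needs a record.
dnscmd %DNSSRV% /ZoneAdd help.me.com /Primary /file help.me.com.dns
dnscmd %DNSSRV% /RecordAdd help.me.com www A %WEBIP%
REM Any other public host keeps its external address (assumed value).
dnscmd %DNSSRV% /RecordAdd help.me.com mail A 198.51.100.25

REM 2. Internet resolution: drop the root "." zone if one exists (the
REM    command simply errors if it is absent), then forward to the ISP.
REM    The ISP's servers should appear nowhere else on the network.
dnscmd %DNSSRV% /ZoneDelete . /f
dnscmd %DNSSRV% /ResetForwarders 203.0.113.53 203.0.113.54

REM 3. Verify: list the zone, then resolve from a client with a clean cache.
REM    The answer must be %WEBIP%, not the router's public address.
dnscmd %DNSSRV% /EnumRecords help.me.com @
ipconfig /flushdns
nslookup www.help.me.com %DNSSRV%
```

Clients that are configured with the ISP's DNS directly in their TCP/IP settings bypass this zone entirely, which is the mismatch oBdA describes.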

Author Comment

ID: 12043498
Actually, checking the settings I see that the "." zone is not there. The ISP's DNS servers were originally listed in the TCP/IP properties of the machines, but I edited the DHCP to first include the local DNS and then the remote. I will go and change that so that the DC/DNS is the only place those addresses are contained.
Performance is actually improved on the network following other changes made above.

Thanks kindly
Paul Sadler

