Cannot resolve website hosted on private network from inside but able to resolve from the public side across NAT router

I have looked into similar issues but found a slight variation in my problem for which there may be a different potential solution.

Scenario: (All servers running Server2003 with AD)

Private network '' set up on 192.168.0.X with being the private side interface on the Netgear NAT router/firewall. The public address is configured with a static IP address (for argument's sake). The company website is registered publicly with DNS for domain ''. The website is actually hosted internally on an IIS server on with forwarding on the router to this address for external access requests.

The problem is this: External clients are able to resolve to but internal clients (logging in to are not. When I enter in the address bar from a client machine on the internal side it resolves to the external gateway of the NAT router, bringing up a login dialog to enter router configuration. Running a ping on also resolves to the public IP address on the router. If I type in the address in the address bar it resolves to the website as it should.

I have entered the local DNS server address (hosted on PDC on as the primary DNS in DHCP so all clients know of the internal DNS server before attempting to look up on the external DNS provided by the ISP. However, when attempting to configure a record in the local DNS I am stumped on how to configure a record pointing to '' in the primary zone of The CNAME only works on aliases and not on domain names (I think...), A records require a NetBIOS name, etc. I added a record of this in the reverse lookup primary zone but also to no avail.


As a workaround I have modified local hosts files to resolve locally, and it does the trick just nicely. Problem is, folks come in with their laptops, pick up an IP address for their machines from local DHCP and get on the internet (workgroup mode and not joining). I can't keep this regime of manually editing hosts files on such a transient population of hosts, so I would prefer to fix up local DNS to provide internal users with the ability to log on to the company website internally.

Many thanks in advance...
oBdA Commented:
There are two ways around this:
* Either access your web server internally with the internal name of the server; be that the NetBIOS (http://SomeServer/) or a FQDN name (
* Create a forward lookup zone com in your DNS, then create an A record "www", and set it to If there are other external hosts in the domain you need access, you need to enter those (with their external addresses) as well.
As a cheap trick, I would try to put the web server internal address in the hosts file of the machine running the internal DNS. That seems to have priority if the name is also present in the DNS table.
I am using this in a slightly different cfg, i.e. in the hosts file of my proxy machine, so you have to check if this is true for you as well (the proxy is running a DNS cache, not a real internal DNS).
blueenergyAuthor Commented:
Thanks for that oBdA. The second suggestion of creating a forward lookup zone works a treat with an A record with host 'www'.

The first suggestion works too; however, the user community are unaware of the host NetBIOS name and so it could get messy trying to put this regime in place.


Thanks for the suggestion; however, I attempted this prior to adding the forward lookup zone as above. I attempted a ping from a client machine and it still resolved the external interface of the NAT router. I checked the IPCONFIG /ALL to see that the local (private) DNS was above the external (public) DNS and it was. I also ran NET STOP DNSCACHE just in case it was still attempting to resolve the external address from a local cache table.

Any ideas why it still did not work?  Thanks

The only excuse for the use of the hosts file is a peer-to-peer home network (and only if there's no router providing DNS).
While I just read this, I have the impression that your DNS settings are incorrect. I guess you're experiencing long logon times occasionally or even often? Is your ISP's DNS entered in the TCP/IP settings of your machines? Then you have to change that.
On your DC/DNS (assuming your DC is running DNS), and on all of your domain members, make sure the DC's address *only* is listed in the TCP/IP properties (be that via DHCP or static). That makes sure your internal lookups work correctly.
For internet access, delete the root zone (if present; it's the single dot: ".") on your DNS server in your forward lookup zones. Then open the properties page of your DNS server and configure forwarders to point to your ISP's DNS. The forwarders section is the *only* entry in your network where your ISP's DNS should be listed.
Here's more:

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003

HOW TO: Configure DNS for Internet Access in Windows Server 2003

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003
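For the forward-lookup-zone fix accepted above (the internal zone with its "www" A record) and the forwarder settings oBdA describes, this is the command-line equivalent using dnscmd on a Server 2003 DC that hosts internal DNS. It is an added example, not from the thread: example.com stands for the question's elided domain, and 192.168.0.10 (web server) and 203.0.113.1 (ISP DNS) are constructed placeholders.

```bat
@echo off
REM Added example: split-horizon ("split-brain") DNS with dnscmd on the DC.
REM Placeholders (not from the thread):
REM   example.com   - the company's public domain
REM   192.168.0.10  - internal IIS web server (constructed)
REM   203.0.113.1   - ISP DNS server (constructed, TEST-NET-3 address)
set DOMAIN=example.com
set WEBSERVER=192.168.0.10
set ISPDNS=203.0.113.1

REM 1. Internal primary copy of the public domain. Internal clients will now get
REM    every answer for this domain from here, never from the public zone.
dnscmd /ZoneAdd %DOMAIN% /Primary /file %DOMAIN%.dns

REM 2. Records that must exist internally. Only names defined here resolve for
REM    internal clients, so each externally published host (mail, ftp, ...)
REM    also needs an entry with its correct address or it stops resolving.
dnscmd /RecordAdd %DOMAIN% www A %WEBSERVER%
dnscmd /RecordAdd %DOMAIN% @   A %WEBSERVER%

REM 3. Internet recursion: remove the root "." zone if present (a server that
REM    thinks it is a root never forwards), then list the ISP's DNS here only.
REM    /ZoneDelete reports an error if no root zone exists; that is harmless.
dnscmd /ZoneDelete . /f
dnscmd /ResetForwarders %ISPDNS%

REM 4. Verify against the DC, then from a client after clearing its cache.
REM    The answer should be %WEBSERVER%, not the router's public address.
nslookup www.%DOMAIN% 127.0.0.1
REM On a client: ipconfig /flushdns  then  nslookup www.%DOMAIN%
```

Transient workgroup laptops are covered only if the DHCP scope hands out the DC as the sole DNS server, which is the setting oBdA asks to be corrected.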
blueenergyAuthor Commented:
Actually, checking the settings I see that the "." zone is not there. The ISP's DNS servers were originally listed in the TCP/IP properties of the machines, but I edited the DHCP to first include the local DNS and then the remote. I will go and change that so that the DC/DNS is the only place those addresses are contained.
Performance is actually improved on the network following other changes made above.

Thanks kindly
Paul Sadler
