Solved

Basic DNS Question?

Posted on 2004-11-01
238 Views
Last Modified: 2010-03-18
I have set up a network which has about 40 Windows 2000 workstations served by SLOX (SuSE Linux Open Exchange) and SLES 9 (SuSE Linux Enterprise Server).

The SLOX server is a domain controller, email server and web server (mail.thecompany.com - for the SLOX web based interface).  I would like for the SLES server to serve the company website (www.thecompany.com).

All of the abovementioned machines are behind the same firewall and on the same switch.

How can I run two websites (or webservers for that matter) if they're behind the same firewall?  The ISP provides us with five Internet IP addresses.  We are currently handling DNS through dyndns.

Also, our domain name is not recognized on the intranet...  In other words, "mail.thecompany.com" doesn't resolve to either the intranet IP address or the Internet IP address.  If we want to go to "mail.thecompany.com" from the Intranet, we have to type the IP address.

If it's any help, the domain name is "thecompany.com" and the mail server machine name is "mail" and the web server machine name is "www".


Thank you in advance!
0
Question by:etherbreeze
    15 Comments
     
    LVL 36

    Expert Comment

    by:grblades
    Hi etherbreeze,
    On your firewall you should be able to redirect port 80 coming into one of your public IP addresses to the IP address of your first webserver. You then do the same for another public IP address and redirect it to your other webserver.

    Do you have fixed IP addresses?
    If you do then why are you using dyndns?

    You can use multiple dynamic IP addresses for the webservers and mail however you really want a static IP address for mail to avoid problems with anti-spam measures blocking your email.
    0
     
    LVL 36

    Expert Comment

    by:grblades
    With regard to your domain name if you have fixed IP addresses then you simply ask your ISP or whoever manages your domain name to add the entries required.

    If you are using multiple dynamic IP addresses then you can add CNAME records to point to your dyndns names.
    0
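The records grblades describes cover the public side (A records at the ISP, or CNAMEs to dyndns names). The intranet problem from the question, "mail.thecompany.com" not resolving from inside, is usually solved by also serving the zone internally with private addresses (split-horizon DNS). The following is an added example, not code from the thread or from SLOX: a small shell script that generates an internal BIND zone and the matching named.conf fragment for the SLES box, plus two helper functions that check the generated zone. 10.0.10.20 for mail is from the thread; the name server address, the www address, the forwarder, the SUSE file paths and the serial are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: split-horizon DNS for thecompany.com.
# The public zone (at dyndns or the ISP, as grblades describes) carries the
# public addresses; an internal BIND server carries the same zone with
# private addresses, so "mail.thecompany.com" resolves from the LAN without
# typing an IP. 10.0.10.20 for mail is from the thread; the name server
# address, the www address, the forwarder, the SUSE file paths and the
# serial are constructed placeholders.
set -eu

# Internal zone file. The serial (YYYYMMDDnn) must increase on every edit
# or secondary servers keep serving the old copy.
internal_zone() {
    cat <<'EOF'
$TTL 3600
@       IN SOA  ns1.thecompany.com. hostmaster.thecompany.com. (
                2004110101 ; serial (placeholder)
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-answer TTL
        IN NS   ns1.thecompany.com.
        IN MX   10 mail.thecompany.com.
ns1     IN A    10.0.10.10   ; placeholder: internal DNS server
mail    IN A    10.0.10.20   ; SLOX, address given in the thread
www     IN A    10.0.10.21   ; placeholder: SLES web server
EOF
}

# named.conf fragment: serve LAN clients only, never transfer the internal
# zone, and forward other names to an outside resolver.
internal_named_conf() {
    cat <<'EOF'
options {
    listen-on { 127.0.0.1; 10.0.10.10; };
    allow-query { 127.0.0.1; 10.0.10.0/24; };
    allow-recursion { 127.0.0.1; 10.0.10.0/24; };
    forwarders { 203.0.113.53; };   /* placeholder: ISP resolver */
};

zone "thecompany.com" IN {
    type master;
    file "/var/lib/named/thecompany.com.internal";   /* SUSE chroot path, assumed */
    allow-transfer { none; };
};
EOF
}

# Answer for the A record of host NAME in the zone text read from stdin;
# prints nothing if the host is missing.
zone_lookup() {
    grep -E "^$1[[:space:]]+IN[[:space:]]+A[[:space:]]" | awk '{ print $4 }'
}

# Return 0 only if every listed host has an A record in the zone on stdin.
zone_has_hosts() {
    zone=$(cat)
    for host in "$@"; do
        [ -n "$(printf '%s\n' "$zone" | zone_lookup "$host")" ] || return 1
    done
    return 0
}

# Install on the internal server (as root), then check the syntax:
#   internal_zone > /var/lib/named/thecompany.com.internal
#   internal_named_conf >> /etc/named.conf
#   named-checkzone thecompany.com /var/lib/named/thecompany.com.internal
```

Point the Windows 2000 workstations at 10.0.10.10 (via DHCP or their TCP/IP settings) and they get the private addresses for mail and www while every other name is still answered through the forwarder; the public zone at dyndns stays unchanged.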
     

    Author Comment

    by:etherbreeze
    I have directed port 80 requests to the Intranet IP (10.0.10.20 - which is static) for the mail.thecompany.com server - But, how would I do that for the other web server?

    I guess I'm confused.  I think I may be understanding something wrong.

    I have the domain thecompany.com set up with dyndns.
    thecompany.com has the IP address of my firewall associated with it.
    The firewall (SOHO Watchguard) only has one port 80 forwarding option, which is set to the local IP for the web-based mail server (10.0.10.20)

    If there is a way to tell the firewall to forward port 80 requests to two different machines, how would it know which web server to forward the request to?  thecompany.com is one IP address.  Should I have separate IP addresses associated with MAIL.thecompany.com and WWW.thecompany.com?
    0
     
    LVL 36

    Expert Comment

    by:grblades
    As you have multiple public IP addresses the firewall should have an option to redirect traffic to IP1 port 80 to one of your servers and redirect traffic to IP2 port 80 to the other server.
    If you don't have this option you might need a better firewall but the Watchguard is a very good firewall so should have the option to do this.

    You will need to have www.thecompany.com pointing to the IP address you are redirecting to your main company webserver. Then add www2.thecompany.com or whatever you want to call it and point it to the other IP address.

    I would recommend that you use a completely separate IP address for email.
    0
     

    Author Comment

    by:etherbreeze
    This is what I gather so far:

    I should have Time Warner handle DNS for us rather than dyndns (I have to make sure they offer a mail exchange service in case our mail server should ever go down)

    In addition to the thecompany.com public IP address, I should use one of our public IP addresses for www.thecompany.com and another public IP address for mail.thecompany.com.

    If I give the mail and www servers their own public IP addresses, but the firewall has a different public IP address, the requests to mail.thecompany.com and www.thecompany.com won't even go through the firewall, correct?

    Do these machines need to be in a DMZ for your suggestions to work?

    (If I'm not getting this because I didn't attend Networking 101, I apologize :o)
    0
     
    LVL 36

    Expert Comment

    by:grblades
    You are correct apart from the fact that the additional IP addresses will go through the firewall. It will just listen on the additional IP addresses on the outside (effectively it has 3 or 4 addresses).

    From a security perspective I would host any servers which are publicly available in the DMZ. The reason for this is that the firewall protects them. Even if they are hacked (due to an IIS vulnerability, for example) the firewall still stops that machine from being able to access the rest of your network.
    0
     

    Author Comment

    by:etherbreeze
    I'm really sorry grblades - I swear I usually catch on much quicker ~

    Effectively it has three or four:  Are you saying, I can give a machine on a private network a public IP address?  And by simply doing so, the firewall appears to have three public IP addresses tied to it?

    If I give the servers public IP addresses, can I still use the servers for Intranet functions such as file serving or domain control?

    Do I even need a DMZ for what I'm doing?  If so, it probably wouldn't be a good idea to use it for file serving, right?

    (I really appreciate your help - I think the smoke is starting to clear)
    0
     
    LVL 36

    Accepted Solution

    by:
    You give all the servers IP addresses on the internal network. Then on the firewall you say translate everything coming into 200.200.200.200 for example to your internal machine on 192.168.1.1.
    The firewall then listens on 200.200.200.200 in addition to its configured external IP address and any traffic to it will have its destination IP address changed to 192.168.1.1 and be placed on the internal network. This feature is called NAT (Network Address Translation).

    You don't have to use DMZ and initially it would probably be best to get it working without a DMZ.
    Without a DMZ though you will have to keep all the webservers and mail server regularly updated with regard to security updates. If you don't then it could get hacked and if it does they will have access to your entire internal network.

    The only machines which could possibly get hacked are the ones which accept connections from the Internet which are your webservers and the mail server. If you were to put these in the DMZ then the firewall will protect the servers from the internet and also protect your internal network from the servers in the DMZ.
    0
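The accepted answer describes static (one-to-one) NAT and the reason for a DMZ in words; the following is an added example, not from the thread and not WatchGuard configuration, showing the same design on a Linux gateway with iptables. It generates the rules rather than applying them, so the set can be reviewed before being run as root. 200.200.200.200 to 192.168.1.1 is the answer's own illustration; the interface names, the second public address and the mail server's private address are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: static (one-to-one) NAT on a Linux
# gateway, the mechanism grblades describes. The firewall answers for an
# extra public address, DNATs traffic for it to one internal host, and
# forwards only the published ports. 200.200.200.200 -> 192.168.1.1 is the
# thread's own illustration; the interface names, the second public address
# and the mail server's private address are constructed assumptions.
set -eu

EXT_IF="${EXT_IF:-eth0}"   # assumed: Internet-facing interface
DMZ_IF="${DMZ_IF:-eth1}"   # assumed: segment holding the public servers
INT_IF="${INT_IF:-eth2}"   # assumed: trusted LAN with the workstations

# Rules are printed rather than executed so the whole set can be reviewed
# and then piped to sh as root. iptables evaluates rules top-down.
baseline_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# DMZ isolation: a compromised public server cannot open connections inward
iptables -A FORWARD -i $DMZ_IF -o $INT_IF -m state --state NEW -j DROP
EOF
}

# Map PUBLIC_IP to INTERNAL_IP for the listed TCP ports only.
static_nat_rules() {
    public_ip="$1"; internal_ip="$2"; shift 2
    cat <<EOF
# make the kernel answer ARP for the extra public address
ip addr add $public_ip/32 dev $EXT_IF
# outbound traffic from the server leaves with its own public address
iptables -t nat -A POSTROUTING -o $EXT_IF -s $internal_ip -j SNAT --to-source $public_ip
EOF
    for port in "$@"; do
        cat <<EOF
iptables -t nat -A PREROUTING -i $EXT_IF -d $public_ip -p tcp --dport $port -j DNAT --to-destination $internal_ip:$port
iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $internal_ip -p tcp --dport $port -m state --state NEW -j ACCEPT
EOF
    done
}

# Rule set for the layout discussed: www and mail on separate public
# addresses, each mapped to its own server, nothing else reachable.
generate_ruleset() {
    baseline_rules
    static_nat_rules 200.200.200.200 192.168.1.1 80 443   # www server
    static_nat_rules 200.200.200.201 192.168.1.2 25 80    # mail server and its web interface
}

# Review, then apply as root:  generate_ruleset | sh
generate_ruleset
```

The FORWARD policy of DROP plus the per-port ACCEPT rules is what turns "the firewall protects them" into something checkable: only the published ports reach each server, and the NEW-state DROP from the DMZ interface is the piece that keeps a compromised web or mail server from reaching the trusted LAN.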
     

    Author Comment

    by:etherbreeze
    You've been a wonderful help, grblades -

    You don't have to answer this, you were already great help with the concern I came here with.

    Would it be possible for me to put the SLOX server in the DMZ and make it a webserver for both websites in addition to being a mail server?  Would I be able to associate two public IP addresses with the single machine in the DMZ?  This way, I'd be able to leave the other server on the internal network to serve as a file server.  I would simply give the server on the internal network a private IP, and kill any services running on it...  Would it be practical to have SLOX in a DMZ, if it's my domain controller?

    Thanks again for your help!
    0
     
    LVL 36

    Expert Comment

    by:grblades
    Yes you could put SLOX in the DMZ and in fact that is what I have done in the company I work for.
    With regard to hosting both websites you have two choices:-
    1) Reconfigure Apache and enable virtual hosting. This is where Apache looks at the URL request and returns the pages depending what site you are requesting. The disadvantage with this approach is that only one website can have a secure section.
    2) Add an additional IP address to the servers network card and configure Apache to serve the second website for all requests to this IP address.

    By domain controller do you mean your Samba windows file sharing domain controller?
    If you do then this is not recommended as it is best to separate out the email system from your central file server for security reasons. It can be done though.
    0
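The two Apache layouts grblades lists, as an added example that is not from the thread or from SLOX: a script that generates either configuration so it can be reviewed and dropped into /etc/apache2. Name-based hosting chooses the site from the Host header, which arrives after the TLS handshake; Apache and browsers of that era had no SNI, so the certificate could only be chosen per address, which is the reason only one site per address could have a secure section. IP-based hosting gives each site its own address and therefore its own certificate. Apache 2.0/2.2 syntax (NameVirtualHost); the document roots and the second private address are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the two Apache layouts grblades lists,
# as config-generating functions for review before installing on SLOX.
# Apache 2.0/2.2 syntax. Document roots and the second private address are
# assumptions; www.thecompany.com and mail.thecompany.com are the thread's.
set -eu

# Option 1: name-based virtual hosts. Both sites share one address and
# Apache picks the site from the Host header. The stock "Listen 80" in
# httpd.conf is assumed to be present.
name_based_vhosts() {
    ip="$1"
    cat <<EOF
NameVirtualHost $ip:80

<VirtualHost $ip:80>
    ServerName www.thecompany.com
    DocumentRoot /srv/www/www.thecompany.com
</VirtualHost>

<VirtualHost $ip:80>
    ServerName mail.thecompany.com
    DocumentRoot /srv/www/mail.thecompany.com
</VirtualHost>
EOF
}

# Option 2: IP-based virtual hosts. A second address is added to the NIC
# and each site binds to its own address, so each can carry its own
# certificate later on.
ip_based_vhosts() {
    www_ip="$1"; mail_ip="$2"
    cat <<EOF
# second address on the same NIC, added as root:  ip addr add $mail_ip/24 dev eth0
Listen $www_ip:80
Listen $mail_ip:80

<VirtualHost $www_ip:80>
    ServerName www.thecompany.com
    DocumentRoot /srv/www/www.thecompany.com
</VirtualHost>

<VirtualHost $mail_ip:80>
    ServerName mail.thecompany.com
    DocumentRoot /srv/www/mail.thecompany.com
</VirtualHost>
EOF
}

# Count the <VirtualHost> blocks bound to ADDR in the config read on stdin:
# 2 means name-based sharing, 1 means the address serves a single site.
vhosts_on() {
    grep -c "^<VirtualHost $1:80>" || true
}

# Generate, then check before enabling:
#   name_based_vhosts 10.0.10.20 > /etc/apache2/vhosts.d/sites.conf
#   apache2ctl configtest
```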
     

    Author Comment

    by:etherbreeze
    Yes.  I have Samba set up on my SLOX machine, not only for file sharing, but I'm also using LDAP to manage the users, machine trust accounts and service accounts (integrated authentication) for some Mono apps (more of my line of work)...

    It seems to me that if I want to go with SLOX in the DMZ, and keep the file server private to the network, I should remove Samba from SLOX, install SAMBA on the private server, and just point Samba to the SLOX ldap directory....

    Do you see any problem having a LDAP directory in a DMZ?  Does your SLOX server have LDAP running on it?

    If I put the SLOX machine in the DMZ, there's probably a thing or two I should learn about securing sensitive data such as email....
    0
     
    LVL 36

    Expert Comment

    by:grblades
    Moving Samba onto the local network server and using LDAP off the SLOX machine is a good approach.
    Our SLOX server has LDAP but it is only used for normal email. We have a separate Fedora server as our file server.

    On SLOX I recommend that you do the following:-
    1) In the postfix configuration enable the local recipient maps so that mail to unknown users is rejected instead of being accepted and then bounce messages being sent out. Most will be caused by spam so if you don't make this change you will have lots of undeliverable email stuck in your mail queue.
    2) Use spamassassin and remove the -L parameter from the configuration file in the /etc/sysconfig directory. Doing this turns on DNS lookups and greatly improves the effectiveness of the spam filter.
    3) Install the free amavisd-new and clamav from source and you now have a completely free email virus scanner.
    0
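The three changes above, as an added example that is not from the thread or from SLOX: a script that applies them as repeatable edits to the config files and checks the result, written to be tried on copies of the files first. The Postfix parameter names (local_recipient_maps, unknown_local_recipient_reject_code, content_filter) and the amavisd-new port 10024 are the standard ones; the /etc/sysconfig/spamd variable name (SPAMD_ARGS) and the file paths are assumptions about the SUSE packaging.

```shell
#!/bin/sh
# Added example, not from the thread: grblades' three SLOX mail hardening
# points applied as repeatable edits to the config files, written so they
# can be run against copies first. Postfix parameter names and the amavisd
# port are standard; the /etc/sysconfig/spamd variable name (SPAMD_ARGS)
# and the file paths are assumptions.
set -eu

# Portable in-place sed (no reliance on GNU sed -i).
edit_in_place() {
    expr="$1"; file="$2"
    sed -E "$expr" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# 1) Reject mail for unknown local users during the SMTP dialogue instead
#    of accepting it and bouncing later. An empty local_recipient_maps turns
#    the check off, which is what leaves undeliverable bounces in the queue.
enable_local_recipient_maps() {
    main_cf="$1"
    edit_in_place '/^(local_recipient_maps|unknown_local_recipient_reject_code)[[:space:]]*=/d' "$main_cf"
    printf '%s\n' 'local_recipient_maps = proxy:unix:passwd.byname $alias_maps' >> "$main_cf"
    printf '%s\n' 'unknown_local_recipient_reject_code = 550' >> "$main_cf"
}

# 2) Drop -L (local tests only) from spamd's arguments so the network
#    checks (DNS lookups) run.
enable_spamd_network_tests() {
    edit_in_place '/^SPAMD_ARGS=/ s/[[:space:]]*-L([[:space:]"])/\1/' "$1"
}

# 3) Hand mail to amavisd-new (with clamav) on its default port. The
#    matching reinjection service in master.cf is documented in the
#    amavisd-new README.postfix and is not reproduced here.
enable_amavis_filter() {
    main_cf="$1"
    edit_in_place '/^content_filter[[:space:]]*=/d' "$main_cf"
    printf '%s\n' 'content_filter = smtp-amavis:[127.0.0.1]:10024' >> "$main_cf"
}

# Return 0 only if changes 1 and 2 are in effect in the given files.
check_hardening() {
    main_cf="$1"; sysconfig="$2"
    grep -Eq '^local_recipient_maps[[:space:]]*=[[:space:]]*[^[:space:]]' "$main_cf" || return 1
    ! grep -Eq '^SPAMD_ARGS=.*[[:space:]"]-L([[:space:]"]|$)' "$sysconfig" || return 1
    return 0
}

# Usage on the live system (as root), after trying it on copies:
#   enable_local_recipient_maps /etc/postfix/main.cf
#   enable_spamd_network_tests  /etc/sysconfig/spamd
#   enable_amavis_filter        /etc/postfix/main.cf
#   check_hardening /etc/postfix/main.cf /etc/sysconfig/spamd && postfix reload
```

After the first change, a connection for a non-existent user is refused with a 550 at RCPT TO time, so the sending side (usually a spam source) gets the rejection and nothing is queued locally; `mailq` should stay close to empty.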
     

    Author Comment

    by:etherbreeze
    grblades, you're awesome!  You've shed so much light on what I'm doing!

    Linux hasn't exactly been harnessed where I come from...  I don't know anyone that knows anything about SLOX, or Linux for that matter.

    (I hate asking this) Is there a possibility I could direct future SLOX questions your way?  I don't have much to offer other than web development / programming knowledge, but I would be more than willing to help in exchange for your expertise.

    You have no idea how much time you've saved me!  Thanks a million!

    p.s. any idea how to get the slox demo spell check feature? :o)~
    0
     
    LVL 36

    Expert Comment

    by:grblades
    Sure. If I don't spot your question you can send me the URL to it via email (my address is in my profile).

    Sorry no idea about the spell check feature. I normally use email clients and only use the web interface occasionally.
    0
     

    Author Comment

    by:etherbreeze
    I thought I would leave a F.Y.I. for anybody who might be trying a similar setup with the WatchGuard SOHO 6 firewall.

    After banging my head for several hours trying grblades' NAT suggestion, I discovered the WatchGuard SOHO 6 firewall doesn't support static NAT.  As far as I know, the SOHO 6 is only capable of handling one IP address for the external network.  It is possible to have one IP address in the DMZ (only one can be added) and then forward the firewall's public IP to the desired IP on the trusted network.  With this setup, either machine can be accessed from the external network just fine.

    The only problem I have with the above setup is accessing the webserver behind the firewall from the trusted network using its domain name.  I have to use the private IP address to access it.  Any time I enter its domain name, SOHO prompts me for a username and password to log me into the firewall admin panel...  Haven't figured out how to get around this one yet ~
    0
