W2k3 DNS server behind firewall returns private IP addresses (RFC 1918 addresses)

I have set up the Win2k3 (Standard version) box with Active Directory and DNS.
Scenario:
ns1.mycompany.com with IP 192.168.1.10. This box is the domain controller, name server and also the web server hosting the websites mycompany.com and mycompany1.com.
192.168.1.10 has network address translation to the public IP 207.X.X.X through the Checkpoint firewall. The rule is set up at the Checkpoint firewall to allow HTTP (port 80), TCP and UDP 53 for name server queries.
But when someone queries the name server ns1.mycompany.com, the name server returns the private IP 192.168.1.10 instead of 207.X.X.X.
We have to have ns1.mycompany.com as the primary name server for the website mycompany.com.
Please suggest me the exact steps for
1. Active Directory and DNS configuration, and
2. what else needs to be done at the Checkpoint firewall.
Asked: dejones44
1 Solution
 
srikrishnak commented:
Okie... Can you explain "when someone queries the name server, it returns the private IP..."?
I assume you are querying from your internal network. If so, that's correct, because the request is not going to the firewall at all. Please check from an external net to query the DNS records. If, by typing the DNS name, people are successfully able to reach your website, then no need to worry...
 
dejones44 (Author) commented:
Thanks for the reply.

I have tried from an external network (had one of my friends try from his office network),

and also from my home computer, when I do an nslookup on mycompany.com,

the ns1.mycompany.com name server returns the private IP address of the web server, which is the private IP 192.168.1.10, instead of 207.X.X.X.

I think the name server should always return the public IP address and not the private IP address.

 
magicomminc commented:
Your DNS server has no idea about that network address translation from 192.168.1.10 to the public IP 207.X.X.X, since it's done through the Checkpoint firewall; it simply answers DNS queries. Does your DNS server have a record of 207.x.x.x for mycompany.com?
 
dejones44 (Author) commented:
Thanks for the reply.

When I add an 'A' record in my name server with the 207.xxx.xxx.xxx IP address pointing to mycompany.com,

Active Directory updates the zones with the 192.168.1.10 IP address, since the DNS server is integrated into Active Directory.

I tried creating a reverse lookup zone with the 207.xxx.xxx.xxx IP address and did not succeed. I do not know whether this is the way to set up the DNS server to reply to queries from other networks.

What is the best way to tackle this problem?

How can the W2K3 DNS server be configured as the local name server (which replies to the machines on the internal network) and the external name server (which replies to queries from other networks), and how can the same name server be secured behind the firewall?

 
magicomminc commented:
You would need a split DNS: one DNS handles all outside queries, which means it answers queries with the 207.xxx.xxx.xxx IP address, and another DNS answers all inside queries with the 192.168.1.10 address. More details can be found here:
http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html

There is an easy way, though: have your ISP or some outsourced DNS service, such as www.ultradns.com (very cheap), serve your external DNS queries, and set up your W2k DNS for your internal queries only. That way you don't have to punch a hole in your firewall to allow incoming DNS queries from the Internet, plus all the complications of split DNS; just allow those services you would like to provide, such as www.mycompany.com, email, etc. to go through your firewall (static NAT).

 
dejones44 (Author) commented:
Thanks again for the reply.

Since we are going to have many more websites hosted, we would not be able to go for the ISP's DNS or ultradns.com, and we would be acting as primary name servers for the websites hosted (just like an ISP setup).

If that were the case, I would just have had my internal DNS servers configured as forwarders, which forward all the queries from the internal network to the ISP's DNS servers. At my ISP's name servers, we would just have created the forward and reverse lookup zones with the public IP addresses 207.xxx.xxx.xxx.

I guess my only way here is to create a split DNS server....

Let's say I create a DMZ zone in my firewall with the 192.168.22.0 network.

ns1.mycompanydns.com (W2k3 DNS server) >> 192.168.22.1, which would be statically NATed to 207.xxx.xxx.xxx in the Checkpoint firewall

ns2.mycompanydns.com (W2k3 DNS server) >> 192.168.22.2, which would be statically NATed to 207.xxx.xxx.xxx in the Checkpoint firewall

(I am not sure whether there is any specific setting in Checkpoint Firewall NG AI R55. If so, please do let me know.)

Now in the ns1.mycompanydns.com and ns2.mycompanydns.com name servers, I have to create the zones (forward and reverse lookup zones) with the 207.xxx.xxx.xxx addresses.

CAN 207.xxx.xxx.xxx zones be created on these servers? Because the above mentioned name servers will have the 192.168.22.1 and 192.168.22.2 IP addresses, and these IP addresses are statically NATed to the public IP addresses 207.xxx.xxx.xxx.

Please help me here with the exact steps.

I would really appreciate all your time and effort to answer my questions.
Thanks again
 
srikrishnak commented:
Hmm... If you are going to simulate an ISP setup and want to access the servers from your internal LAN, I guess the best bet is split DNS...
 
magicomminc commented:
Hi dejones44,
> I guess my only way here is to create a split DNS server....
-- Correct, you need a second DNS server. This is a quote from that article in my earlier post: "You must have two DNS servers in order for the split DNS infrastructure to work. You can't create the same zone twice on the same DNS server. The internal zone and the external zones must be located on different DNS servers. You can't do this with a single DNS Server!"
> CAN 207.xxx.xxx.xxx zones be created on these servers? Because the above mentioned name servers will have the 192.168.22.1 and 192.168.22.2 IP addresses, and these IP addresses are statically NATed to the public IP addresses 207.xxx.xxx.xxx.
-- Yes, you can create 207.x.x.x zones on this DNS server. Remember that this DNS server has nothing to do with your internal Active Directory, although it has a 192.168.22.x IP address. As long as you properly NATed them on your firewall and have all your domain's NS records point to this DNS server, it will answer all external queries. You can have as many zones on one DNS server as you like; you just can't have the same zone file twice on the same DNS server. That is why you need an internal DNS server for your internal LAN queries (answering with 192.168) and an external DNS server for your external Internet queries (answering with 207.x.x.x).
On your firewall, you may only allow DNS queries coming in to the DMZ, nothing else.
> Since we are going to have many more websites hosted, we would not be able to go for the ISP's DNS or ultradns.com, and we would be acting as primary name servers for the websites hosted (just like an ISP setup).
-- Are you going to have many more domains, or many more records for just ONE domain, such as www.mycompany.com, ftp.mycompany.com, etc.? Most ISPs are very okay with hosting their customers' DNS records even if you have multiple domains. Of course, multiple domains on ultradns.com will cost more; however, if you consider the DNS server's hw/sw cost and the effort to maintain it, it is still much cheaper/easier to outsource your external DNS servers unless you are going to provide DNS services to your customers.
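As an added illustration of the split design magicomminc describes (example code, not from the thread or from any of the products it mentions): a small Python model of two DNS views selected by the client's source address, plus a check that lists every name whose answer is an RFC 1918 address. Running that check over what an Internet-facing server hands out is the quickest way to confirm the leak from the original question is gone. Zone data, the 207.0.2.0/24 stand-in for the poster's 207.x.x.x block, and the client addresses are constructed for this example.

```python
import ipaddress

# Constructed zone data for the split-DNS design discussed above (not from the thread).
# 192.168.1.0/24 is the LAN and 192.168.22.0/24 the proposed DMZ, as in the question;
# 207.0.2.0/24 is a stand-in for the public 207.x.x.x addresses.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("192.168.22.0/24")]
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ZONES = {
    # What the AD-integrated server hands out today: right for the LAN, wrong for the Internet.
    "internal": {"mycompany.com.": "192.168.1.10",
                 "www.mycompany.com.": "192.168.1.10",
                 "ns1.mycompany.com.": "192.168.1.10"},
    # The zone the DMZ name servers should serve: public addresses only.
    "external": {"mycompany.com.": "207.0.2.10",
                 "www.mycompany.com.": "207.0.2.10",
                 "ns1.mycompany.com.": "207.0.2.10"},
}


def is_rfc1918(ip):
    """True if ip falls in 10/8, 172.16/12 or 192.168/16 (RFC 1918 space)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def view_for(client_ip):
    """Pick the view the way a split-horizon resolver does: by the client's source address."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def resolve_a(name, client_ip):
    """Return the A record for name from the view matching client_ip, or None if absent."""
    fqdn = name.lower() if name.endswith(".") else name.lower() + "."
    return ZONES[view_for(client_ip)].get(fqdn)


def private_leaks(records):
    """Names whose answer is an RFC 1918 address. Run over the data an Internet-facing
    server returns, this lists exactly the leak the original question describes."""
    return sorted(name for name, ip in records.items() if is_rfc1918(ip))
```

The same `private_leaks` check can be fed the answers collected with nslookup from an outside vantage point, which is the test srikrishnak asked for at the start of the thread.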
 
dejones44 (Author) commented:
Sorry for not responding earlier.
I would accept magicomminc's suggestions/solutions.
magicomminc, if you don't mind, could you give me some more tips and articles on split DNS?
Yes, we are planning to host multiple websites.
Thanks for all your help, guys.
 
magicomminc commented:
No problem, and glad to help out.
Split DNS is just a concept or design method that uses different DNS servers for external and internal DNS queries.
Below is an example from Cisco; it explains more about the "split":
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008015f324.shtml
A secure windows design example:
http://www.windowsecurity.com/articles/Securing_Windows_2000_DNS_by_design_Part_1.html

A Google search will also give you lots of results.