Solved

External Domain and internal DNS

Posted on 2005-04-22
Last Modified: 2010-05-18
hello all,

I am a DNS newbie and I have the following configuration.

I just registered my domain "www.domain.com"; my internal domain is "domain.local", and I created a forward lookup zone named "domain.com".
I want to use IIS to host my own website and Exchange Server 2003 for email. What do I need to configure on my internal and external domains to achieve this?
Question by:Kimozaki
11 Comments
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 13844101
While others will disagree, I would recommend setting both your internal and external domain names to the same thing (domain.com). That way, if your users want to get to your www site at home they will simply enter www.domain.com, and if they are in the office they will simply enter the same thing (www.domain.com). But if you don't want to go that route you will just need to set up your PUBLIC domain.com DNS server to point to the servers you want open to the public (these will point to the public IPs), and then on your domain.local DNS server just set up basically a "mirror" for domain.local and domain.com. For example, you will have a record for www.domain.com that points to 1.2.3.4 and you will also have a record that points www.domain.local to 1.2.3.4, where 1.2.3.4 is the private IP address of your www server. As you can see, setting up domain.local and domain.com is messy; that is why I advise against it.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13844128
Hi,

Both the Internal and External domains will need a www entry if you want it to answer on www.domain.com.

Generally that's just a case of making a new Host (A / Address) record called www and give it an IP Address.

If your site is hosted internally then the Internal DNS should have the internal IP. And the External DNS should have the external IP.

E.g.

Internal DNS
www IN A 192.168.1.1

External DNS
www IN A 212.212.212.1

HTH

Chris
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13844183

hehe and just to prove Mike's point (and for the sake of mild interest)...

I disagree and prefer .local naming for private networks, from my perspective this has less potential to cause trouble than giving it a public name. Although generally the trouble only appears when someone attempts to host public and private DNS (for the same domain name) on the same machine or some other crazy setup.

It sounds like you have domain.com set up as a Forward Lookup zone on your Internal DNS as well (which is what I assumed before and was referring to when making the www entry), which is absolutely fine, and you wouldn't need any www entries in the .local zone.

 
LVL 25

Expert Comment

by:mikeleebrla
ID: 13844325
True, but with a .local setup he has to have TWO separate internal DNS zones (.local and .com); with a .com setup he would only have one. You tell me which is more efficient?
 
LVL 18

Expert Comment

by:John Gates, CISSP
ID: 13844517
The proper way to set up a domain (and the one Microsoft suggests) is to use .local. Efficiency and security can be two different things. Sharing internal and external namespaces with improperly managed records can cause routing loops and all kinds of problems, as well as expose your entire internal namespace to the world. Truthfully, I use Unix and BIND for my AD DNS and outside DNS and use views accordingly. Either way, it is my professional opinion that a .local or .int be used for internal domains.


My 2cents

-D-
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 375 total points
ID: 13844578

Bit off topic for this question, might start a question on misc on it as it's interesting for the sake of discussion.

But...

Since your AD domain is domain.local, don't worry about the pros and cons of public and private suffixes; that's way beyond the scope of the question and, technically speaking, neither is wrong and MS give both as valid options.

I did miss out the MX settings on my original reply though, this is the full setup:

Internal DNS
Forward Lookup Zone - domain.com (in addition to domain.local)
www (Host / A / Address) Record pointing to the Internal IP of your Web Server

External DNS
Forward Lookup Zone - domain.com
www Record pointing to the External IP of your Web Server
mail (Host / A / Address) Record pointing to the External IP of your Exchange Server

Then an MX Record, these should be something like this:

domain.com. IN MX 10 mail.domain.com.

Which means anyone wanting to send mail to your domain will try to connect to mail.domain.com on port 25.

You will of course have to ensure your firewall lets in ports 25 and 80.

Hope that's relatively clear.

Chris
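A check for the setup Chris describes above, added here as an example and not part of the original thread: it queries the internal and the public DNS server separately and confirms that each hands out the address it should (private inside, public outside), that the apex MX points at a publicly resolvable A record, and that port 25 on the MX target is reachable. It needs the DnsClient module (Windows 8 / Server 2012 or later, so not the Server 2003 era of the thread). The server addresses 192.168.1.10 (internal DNS) and 212.212.212.53 (public authoritative DNS) are assumptions; the www and mail addresses follow the examples in the thread.

```powershell
# Added example, not from the original thread. Assumed addresses:
#   internal DNS server 192.168.1.10, public authoritative server 212.212.212.53.
# Requires the DnsClient module (Resolve-DnsName, Test-NetConnection).

function Test-IsRfc1918 {
    param([Parameter(Mandatory)][string]$IPv4)
    $b = ([System.Net.IPAddress]::Parse($IPv4)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-ARecordAddresses {
    param([string]$Name, [string]$Server)
    # -DnsOnly skips LLMNR/NetBIOS so only the named server is tested.
    Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { $_.IPAddress }
}

function Test-SplitHorizonDns {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$InternalServer,
        [Parameter(Mandatory)][string]$PublicServer,
        [string[]]$Hosts = @('www', 'mail')
    )
    $ok = $true
    foreach ($h in $Hosts) {
        $fqdn    = "$h.$Domain"
        $inside  = @(Get-ARecordAddresses -Name $fqdn -Server $InternalServer)
        $outside = @(Get-ARecordAddresses -Name $fqdn -Server $PublicServer)

        # Inside the LAN the name must resolve to a private address (the "mirror"
        # record), never the NAT address, or clients hairpin through the firewall.
        if ($inside.Count -eq 0 -or ($inside | Where-Object { -not (Test-IsRfc1918 $_) })) {
            Write-Warning "$fqdn via $InternalServer = [$($inside -join ',')] (expected RFC1918 only)"
            $ok = $false
        }
        # On the public server the same name must carry the public address only;
        # a private IP here leaks the internal addressing plan to the world.
        if ($outside.Count -eq 0 -or ($outside | Where-Object { Test-IsRfc1918 $_ })) {
            Write-Warning "$fqdn via $PublicServer = [$($outside -join ',')] (expected public only)"
            $ok = $false
        }
    }

    # The MX lives on the public server and must point at a name that resolves publicly.
    $mx = Resolve-DnsName -Name $Domain -Type MX -Server $PublicServer -DnsOnly -ErrorAction Stop |
          Where-Object { $_.Type -eq 'MX' }
    if (-not $mx) { Write-Warning "no MX for $Domain on $PublicServer"; $ok = $false }
    foreach ($m in $mx) {
        $target = $m.NameExchange.TrimEnd('.')
        $addrs  = @(Get-ARecordAddresses -Name $target -Server $PublicServer)
        if ($addrs.Count -eq 0 -or ($addrs | Where-Object { Test-IsRfc1918 $_ })) {
            Write-Warning "MX target $target has no public A record on $PublicServer"
            $ok = $false
        }
        # Firewall check for port 25 against the public address. Run this from
        # OUTSIDE the LAN: from inside, NAT hairpinning may fail even when the
        # Internet-facing rule is correct.
        foreach ($ip in $addrs) {
            if (-not (Test-NetConnection -ComputerName $ip -Port 25 -InformationLevel Quiet -WarningAction SilentlyContinue)) {
                Write-Warning "TCP 25 to $ip ($target) not reachable from here"
                $ok = $false
            }
        }
    }
    return $ok
}

# Example run with the assumed server addresses; returns $true when every check passes.
Test-SplitHorizonDns -Domain 'domain.com' -InternalServer '192.168.1.10' -PublicServer '212.212.212.53'
```

The private-address test is what catches the two classic mistakes in this setup: a public IP copied into the internal zone (clients then try to reach the web server through the firewall's outside interface) and a private IP left in the public zone (which tells the Internet what your LAN looks like and gives outside senders an MX they can never reach).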
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 13845175
dimante, routing loops have nothing to do with DNS. Also, your DNS namespace is no more exposed with a .com internal domain name than it is with a .local name. In either case you should have your router/firewall set up so nobody from the outside world can access your internal DNS server. The fact that it is .local or .com makes no difference whatsoever as to how exposed your DNS server is. If it is exposed it is exposed, period.

As always, either one will work and be secure if they are set up PROPERLY.  They both have their pros and cons. It is just a matter of preference.
 
LVL 18

Expert Comment

by:John Gates, CISSP
ID: 13845306
I did not want to start a heated debate, but if DNS resolves mydomain.com to a global IP that NATs into an internal LAN and the internal client sends to the global instead of the local, it can definitely loop, and it will if it is not set up right. I don't need a lesson in DNS, thanks.

-D-
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 13845432
dimante, you speak the obvious: NOTHING will work right if it is configured incorrectly. We could talk about millions of ways to set things up incorrectly here. The point is to give suggestions that will work, not ones that won't work.

In your scenario, if the DNS was set up properly, the client should only be pointed to the internal DNS server, in which case it would never resolve any public IPs for domain.com, since the internal DNS server only has records for the private "domain.com". Again, this assumes it is set up correctly.

In any case, misconfigured DNS will never create a routing loop. You route by IP address, not by DNS name at all. I have yet to see a routing table that has DNS names in it.
 

Author Comment

by:Kimozaki
ID: 13846000
Chris-Dent
Let's see if I understand this:

I need to add two host (A) records on my domain.com, one for "www" and the other for "mail", and both should be pointing to my domain.local DC IP, and my MX record points to my domain.com.
Do I need to add my domain.com hosted name servers to my domain.local name server list so my internal users will be able to resolve external www.domain.com or www.domain.com/exchange?
Or is that something totally out of context?
I am sorry, but I am new to this, so bear with me.

Thanks
 
LVL 25

Accepted Solution

by:mikeleebrla
mikeleebrla earned 375 total points
ID: 13846112
MX records are on your PUBLIC DNS server, not your private DNS server. These direct mail from outside mail servers to your mail server. Creating MX records on your private DNS server will do nothing, since it is private and not visible outside your LAN.

You need to create FOUR records (two for each zone, .local and .com) on your private DNS server as below:

www.domain.local----points to your www server's private IP address
www.domain.com----points to your www server's private IP address
mail.domain.local-----points to your mail server's private IP address
mail.domain.com----points to your mail server's private IP address

This way users can get to your mail and/or www servers both internally and externally by typing in the same thing (mail.domain.com or www.domain.com).

That way they don't have to think, "oh, I'm in the office, I need to go to www.domain.local to see our website", and while they are at home they don't have to think, "wait, I'm at home, I have to go to www.domain.com to see our website."
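The four internal records in the accepted answer above, plus the public-side records and MX from Chris Dent's "full setup" earlier in the thread, as a script added here for illustration (not code from the original thread or from Experts Exchange). It uses the DnsServer module of Windows Server 2012 and later; the thread's Server 2003 had only dnscmd, so this is a modern equivalent, not what the poster would have typed. The private addresses 192.168.1.1 (web) and 192.168.1.2 (Exchange) and the public NAT addresses 212.212.212.1 (web) and 212.212.212.2 (mail) are assumptions; only 192.168.1.1 and 212.212.212.1 for www appear in the thread.

```powershell
# Added example, not from the original thread. Requires the DnsServer module
# (Windows Server 2012+). All IP addresses below are assumed, see the lead-in.
$PrivateIPs = @{ www = '192.168.1.1';   mail = '192.168.1.2' }   # LAN addresses
$PublicIPs  = @{ www = '212.212.212.1'; mail = '212.212.212.2' } # NAT addresses

# --- Internal (AD) DNS server: domain.local plus a private copy of domain.com ---
function Add-InternalSplitZone {
    param(
        [string]$PublicZone = 'domain.com',
        [string]$AdZone     = 'domain.local',
        [hashtable]$Records = $PrivateIPs
    )
    if (-not (Get-DnsServerZone -Name $PublicZone -ErrorAction SilentlyContinue)) {
        # AD-integrated zone carrying the public NAME but ONLY private addresses.
        Add-DnsServerPrimaryZone -Name $PublicZone -ReplicationScope Domain
    }
    foreach ($zone in @($AdZone, $PublicZone)) {
        foreach ($name in $Records.Keys) {
            $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A -ErrorAction SilentlyContinue
            if (-not $existing) {
                Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $Records[$name]
            }
        }
    }
    # No MX here: the internal copy is invisible from the Internet, so an MX on
    # it serves nobody. Note the trade-off: because this server is now
    # authoritative for domain.com, it answers NXDOMAIN for any public name it
    # does not hold instead of forwarding, so every public host needs a twin here.
}

# --- Public DNS server (if it is also Windows DNS): public addresses and MX only ---
function Add-PublicZone {
    param(
        [string]$Zone       = 'domain.com',
        [hashtable]$Records = $PublicIPs
    )
    if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns"
    }
    foreach ($name in $Records.Keys) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name -IPv4Address $Records[$name]
    }
    # Apex MX -> mail.domain.com. The target must be an A record in this zone, not a CNAME.
    Add-DnsServerResourceRecordMX -ZoneName $Zone -Name '.' -MailExchange "mail.$Zone." -Preference 10
    # An Internet-facing authoritative server should not recurse for strangers:
    # open recursion makes it an amplification and cache-poisoning target.
    Set-DnsServerRecursion -Enable $false
}

Add-InternalSplitZone     # run on the domain.local DC / internal DNS server
# Add-PublicZone          # run on the public-facing Windows DNS server (different host)
```

Two points the thread argues about show up directly in the code: the MX is created only in the public function, and the internal copy of domain.com never receives a public address, which is what keeps office clients from trying to reach the web server through the firewall's outside interface. If the public zone is hosted at the registrar or on BIND rather than Windows DNS, only the internal function applies; the public records are the same two A records and one MX entered through whatever interface that host provides.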
