Building a new web/mail DNS questions...

Hello experts!

Hey, it's been a while since I've done this, so I'm just trying to get my facts straight...

Okay, so I have a Dell PowerEdge server that I'm going to be turning into a web server and email server for approximately 10 domains. So my understanding is that I need to have 3 services in place:

1. DNS Server
2. HTTP Server
3. SMTP/POP3 Server

So, I'm going to use Windows DNS, IIS6, and a free package recommended called MailEnable (for SMTP/POP).

In setting up DNS, I made a "zone" for each domain, i.e.:

and so forth...

Using IIS6 "host headers" feature, and with the server pointed to use itself for DNS all this works fine. The problem arises when I try to access these sites from elsewhere on the net, or if I use nslookup.

I'm thinking that I'm missing something about the DNS config...not on the server itself, but somewhere else. I should know this, but I haven't done MIS stuff like this in a while.

So, here's the question: installing Windows 2003 DNS services on a machine with a public IP address isn't enough to make it a "true DNS server", is it? Doesn't something else have to be done? Like with my ISP or something?

Most of "the sites" are registered with Network Solutions or, and really what I want to do is simply say on those sites that "" is the nameserver...then I can have it so all I have to do is tweak the DNS configuration on that server.

Anyway, I hope that makes sense...I can easily give more information about this if needed.



Juan Ocasio, Application Developer, commented:
One of the things you have to do is set up forwarders to your ISP's DNS server. If you don't do this, you won't be able to resolve host names. Also, I know for Exchange servers you have to set up MX records for email (I'm not sure if it's the same as with POP email). This is how people will be able to resolve your email server from the outside.


Erik Bjers, Principal Systems Administrator, commented:
You also need an MX record for POP mail. Also you need to register your domain (go to , , or any other domain registration site) and set the name servers for your domain to your server's public IP (you should have 2: 1 main, 1 backup). Once you have this set up you need to make sure your DC has forwarders to the ISP domain, pointers to your servers for reverse lookup, an MX record for your mail, and HOST records for your web server.

I also recommend a strong firewall (like the Symantec SGS 5600 series) between your server and the internet.

Erik Bjers
VPN Network Engineer
If you want your 2003 server to act as a "real" DNS server, you need to register it as an authoritative DNS server. Generally, this is done by the Registrar. In our case, when we wanted our 2003 server to be a "real" DNS server, we told that we wanted to register 204.XXX.XXX.XXX as authoritative for our domain. That way was actually the server that showed up in our whois record and nslookup (or dig). The Network Solutions techs should know exactly what you mean when you tell them that you want to make your DNS server authoritative for your domain.

Caveat: You need a STATIC external IP address, and you need to open your firewall to allow inbound traffic on tcp port 53 to be forwarded to your 2003 server, which needs to be configured to listen and respond to DNS queries for your domain. If you have a dynamic IP you CANNOT do this.

Setting up 2003 to actually respond to external queries is beyond the scope of this question.  It is not really difficult, but it is difficult to explain.  I have done it several times, and prefer setting up BIND (*nix) to MS DNS.  2003 (to its credit) allows you to edit zone files directly instead of kludging around the lame GUI, but old *nix guys like me prefer the command prompt anyways :)

Good luck!
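Since the answers above list the records a self-hosted domain needs (two name servers, an MX for mail, HOST records for the web server) and mention editing the 2003 zone files directly, here is an added example, not code from the thread or any poster, that sanity-checks a hand-edited zone file for exactly those items: two apex NS records, glue A records for nameservers inside the zone, and an MX whose target is an A record rather than a CNAME. The domain, addresses and zone text are constructed.

```python
def qualify(name, origin):
    """'@' -> origin; a relative name gets the origin appended; lower-cased."""
    return origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}").lower()

def parse_zone(text):
    """Master-format text -> (origin, {owner: [(type, rdata)]}); each record names its owner."""
    origin, records = None, {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, tokenize
        if fields and fields[0] == "$ORIGIN":
            origin = fields[1].lower()
        elif fields and not fields[0].startswith("$"):  # ignore $TTL and friends
            owner, fields = fields[0], fields[1:]
            while fields[0].isdigit() or fields[0].upper() == "IN":
                fields = fields[1:]  # skip optional TTL and class
            rtype, rdata = fields[0].upper(), " ".join(fields[1:])
            records.setdefault(qualify(owner, origin), []).append((rtype, rdata))
    return origin, records

def check_zone(text):
    """Return human-readable findings; an empty list means the zone passes."""
    origin, records = parse_zone(text)
    rrs = lambda name, rtype: [rd for t, rd in records.get(name, []) if t == rtype]
    findings = []
    ns = [qualify(rd, origin) for rd in rrs(origin, "NS")]
    if len(ns) < 2: findings.append("fewer than two NS records at the zone apex")
    for host in ns:  # an in-zone nameserver needs a glue A record
        if host.endswith("." + origin) and not rrs(host, "A"):
            findings.append(f"in-zone nameserver {host} has no A record")
    mx = rrs(origin, "MX")
    if not mx: findings.append("no MX record, so inbound mail cannot be routed")
    for rd in mx:
        target = qualify(rd.split()[1], origin)  # rdata is "<pref> <host>"
        if rrs(target, "CNAME"):
            findings.append(f"MX target {target} is a CNAME; point it at an A record")
        elif not rrs(target, "A"):
            findings.append(f"MX target {target} has no A record")
    return findings

# Constructed sample zone (SOA left out); 'mail' is deliberately a CNAME so the checker flags it.
SAMPLE_ZONE = """\
$ORIGIN example-domain.test.
@    IN NS  ns1.example-domain.test.
@    IN NS  ns2
ns1  IN A   203.0.113.10
ns2  IN A   203.0.113.11
www  IN A   203.0.113.10
mail IN CNAME www
@    IN MX  10 mail
"""
```

Run `check_zone()` over a zone exported from the server's dns directory before pointing the registrar at it; an empty result means the records the thread calls for are present.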

Erik Bjers, Principal Systems Administrator, commented:
Caveat: the advice given by wefixpc4u is excellent.

However, instead of allowing port 53 through your firewall, allow the firewall (as the external-facing device) to act as the authoritative name server for your domain. I know this is possible in the Symantec Enterprise Firewall and SGS appliances, and am sure it is available in firewalls from other leading vendors. This way you can avoid possible contamination of your domain.

The setup of these devices is beyond the scope of the question, but if you decide to use a Symantec firewall and need help configuring it, feel free to email me, as this is the product I use to secure my network.