DNS Question

We have just reconfigured our network and everything is working other than one thing.

When we try to browse some of our subdomains that live on internal servers, we get to the new NetGear ADSL router.

Externally this works fine. But internally it's not working. I think I need a static route of some sort but am not really sure.

An example is our intranet.

intranet.company.com

Externally it works fine, internally it doesn't.

We have our own DNS server internally, so intranet.company.com points to our fixed IP from our ISP, i.e. a real IP.

So what I think is happening is when I browse it internally, it's trying to send it out and not coming back in.

Any assistance would be appreciated.
Plucka asked:

nprignano (Technical Architect) commented:
If the intranet is hosted on your internal servers, you should have a DNS record for intranet.yourcompany.com pointing to the internal IP address of the webserver, not your public IP. Also, make sure your DNS server is set as the primary DNS for your internal PCs, either statically or through DHCP.

nprignano
0
Plucka (Author) commented:
Yes,

But the problem is that this DNS server is also one of our real DNS servers, i.e. NS2.

So it needs to have the real IP.
0
nprignano (Technical Architect) commented:
But you said this was an internal DNS. The internal DNS should be the primary DNS for all the internal PCs, with either a host (A) record pointing to the internal IP of the server hosting the intranet, or an alias (CNAME) record pointing to the server name inside your domain. If you do not have it set up this way, your PCs will not be able to talk amongst the network based on computer name. Can you reach the intranet by entering the IP into the browser? This is a clear validation of my statement.


nprignano
0
Plucka (Author) commented:
It is internal to our office, and serves for both internal and real domains.
0
CoccoBill commented:
Is your internal naming scheme the same as your external namespace, that is, is your internal DNS zone also company.com? If so, you've just run into one of the reasons why it's generally not a good idea: you will get problems when trying to distinguish between internal and external names. In that case you can either use a quick fix and create a separate CNAME as nprignano suggests, such as intra.company.com, and point that to the intranet server's internal IP. The proper way to fix this and to avoid other problems in the future is, unfortunately, to change your internal DNS naming to something resembling an FQDN such as company.local, which would most likely require a complete domain restructure/reinstallation.
0
Nopius commented:
Use internal IP of your DNS server as primary DNS.
0
The--Captain commented:
The problem is that when your internal clients send outbound packets to the webserver's external IP, the firewall is translating the destination address (the public IP of your webserver) to the private IP of your webserver, and then your webserver tries to respond directly to the local client using its internal address (because the packet has a source IP within the internal subnet), but the internal client is expecting packets from the webserver's external IP address, and ignores the packets from the webserver's internal address. You can fix this using DNS hacks (split-DNS being most common), or by just creating a different internal subnet for the webserver (if the firewall will let you do that), or by getting a decent firewall that lets you translate individual source addresses (SNAT) as well as destination addresses (DNAT).

Cheers,
-Jon

0
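An added model of the hairpin failure Jon describes and of the two fixes discussed in this thread (split DNS handing internal clients the private address, or SNAT on the firewall); this is illustration code, not from the thread, and all addresses and the port numbers are constructed:

```python
from dataclasses import dataclass
import ipaddress

# Constructed addresses (RFC 1918 / RFC 5737 ranges), not taken from the thread.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
CLIENT = "192.168.1.50"          # an internal PC
FIREWALL_INSIDE = "192.168.1.1"  # the router's LAN address
WEB_PRIVATE = "192.168.1.10"     # intranet server on the LAN
WEB_PUBLIC = "203.0.113.10"      # the "real" IP the public DNS record points to


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def resolve(name: str, client_ip: str, split_dns: bool) -> str:
    """Split-horizon DNS answers internal clients with the private address;
    a single shared zone hands everyone the public address."""
    if split_dns and ipaddress.ip_address(client_ip) in INTERNAL_NET:
        return WEB_PRIVATE
    return WEB_PUBLIC


def firewall_inbound(pkt: Packet, snat_hairpin: bool) -> Packet:
    """DNAT the public address to the server; with SNAT also rewrite the source
    so the server's reply has to travel back through the firewall."""
    if pkt.dst != WEB_PUBLIC:
        return pkt
    src = FIREWALL_INSIDE if snat_hairpin else pkt.src
    return Packet(src, WEB_PRIVATE, pkt.sport, pkt.dport)


def firewall_outbound(reply: Packet, original: Packet) -> Packet:
    """Undo both translations for a reply that actually passed the firewall."""
    return Packet(original.dst, original.src, reply.sport, reply.dport)


def can_reach_intranet(split_dns: bool, snat_hairpin: bool) -> bool:
    target = resolve("intranet.company.com", CLIENT, split_dns)
    syn = Packet(CLIENT, target, 40000, 80)
    if target == WEB_PRIVATE:
        return True  # same LAN, the firewall is never involved
    at_server = firewall_inbound(syn, snat_hairpin)
    reply = Packet(WEB_PRIVATE, at_server.src, 80, at_server.sport)
    # A reply addressed to a LAN host goes straight to it, untranslated;
    # only a reply addressed to the firewall gets its NAT reversed.
    seen = firewall_outbound(reply, syn) if reply.dst == FIREWALL_INSIDE else reply
    # The client's socket only accepts a reply from the address it connected to.
    return seen.src == syn.dst and seen.dst == CLIENT
```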
CoccoBill commented:
Going through the other thread, here's more specific instructions:

Create a Host (A) record in your internal DNS forward lookup zone (company.com?) with a different name than the external name of your intranet, such as "intra" instead of "intranet". Point this A record to the internal IP address of the intranet server. Instruct the users to use intra.company.com to access the intranet internally and intranet.company.com when connecting remotely.
0
Plucka (Author) commented:
That won't work,

There is lots of internal stuff, not just the intranet, that this is a problem for.

I think there is probably a simple solution. At the moment, I think this might be having two internal DNS servers.

I'll see if any more great ideas arise.
0
CoccoBill commented:
Again, is your internal naming scheme the same as your external namespace? That is, is your AD's DNS name company.com and your external website/domain also company.com? If that's the case the only way to avoid conflicts and manual administration of DNS records is to change one or the other. The proper way is to change the internal naming to something that does not and will not conflict with the public namespace, such as company.local. This, however, is typically a monumental task and might require a complete domain restructure. I'm afraid there's no easy way out.

Here's some additional reading:
http://support.microsoft.com/?id=254680
http://technet2.microsoft.com/WindowsServer/en/Library/7f6df44c-06c3-4b92-ba32-63d895a7924b1033.mspx
http://www.petri.co.il/w2k_domain_rename.htm
http://www.petri.co.il/windows_2003_domain_rename.htm
http://technet2.microsoft.com/WindowsServer/en/Library/4d0c3b6e-e6f5-4ab3-9d81-106ae3a715491033.mspx
http://www.msexchange.org/tutorials/Domain-Rename.html
0
BLipman commented:
Um, you really should have separate internal and external DNS servers. Set your internal DNS servers to the internal addresses and forward to your external ones. You are fighting how DNS is designed to run.
0
The--Captain commented:
Over 24 hours have passed since my initial objection, and Plucka has apparently chosen to ignore my request.

As such, I am closing this question and referring all responders to this question to join the thread at:

http://www.experts-exchange.com/Networking/Q_21824447.html

Cheers,
-Jon
EE Networking PE
0

Plucka (Author) commented:
Well done, you should be proud.

You are well aware I did respond in the other question.
0