tjobling asked:

Resolving DNS internally versus externally

We recently moved a MAC running FileMaker Pro Server from the DMZ to the internal subnet (10.0.3.x).  The reason for this is so we could eventually validate user information entered on the MAC against Active Directory.  It is our understanding that in order for that to work, the MAC would need to be joined to the domain.  So, the first step was to move it off the DMZ to the subnet.

The firewall has a NAT rule to direct traffic to the URL office.ourdomain.com to the correct place (ourdomain = the name of our domain).  This works fine for external access.  If you enter http://office.ourdomain.com you get the correct page and links off that page work; entering http://office.ourdomain.com/filemaker takes you to the correct page to select a database.  However, internal access is not working.  If I enter http://office I can get the home page (and links work off that page).  Entering http://office/filemaker does not work.

We are running DNS internally on Server 2K3 R2.  We forward to the router on 10.0.3.1 which in turn passes things on to the appropriate DNS server.  This is working fine, except for the recent change of the MAC machine.  I'm not a DNS expert.  Our domain is a third level domain, sfo.ourdomain.com - don't know if that is the problem.  I did create a host (A) record for the MAC.

How do I get DNS to resolve this correctly?  Please let me know if you need additional information.
scrathcyboy

Linking PCs or windows servers to a MAC is not just a DNS issue.  The MAC runs Samba file sharing, so you have to CONNECT to the Samba file sharing service.  From the Mac, you would go to finder and click GO, then "connect to server" and then you can browse the windows clients, which appear one by one.  Remember, MAC uses login and password authentication, you cannot get around this, so enter the Admin login name and PW of the PC or server you are trying to connect to.

Going the other way around, to connect from a PC or server to the MAC, you need to set the MAC up with windows-aware file sharing, there is a setting for this, and then windows will find it, and you need to have shared some folders, then the login/PW will be asked, and this is the root login for the MAC admin account.

Once you get used to it, it is fairly easy, but the PC-MAC connects generally do not endure on the MAC, it is designed to kill them on shut down, and you have to reconnect to server when you boot the MAC again.  This is the way it is, there are some PC-MAC file sharing drivers too, but they don't change the basic behaviour.
tjobling (ASKER)

The MAC is not running as a file server; it is a Web server (running Apache), as well as a FileMaker server for FileMaker clients, both MAC and Windows.  

DNS is not resolving "office.ourdomain.com" internally to the correct address.

In a primarily windows environment, you don't want the MAC running as a webserver.  You will get exactly the problem you are experiencing.  This will be fixed in later versions of MAC OS on Intel, but for right now, it should be a client on the network, neither file server nor web server.  That is just the way it is, sorry, MAC is not a webserver, you run Linux or windows IIS for this, not the MAC.

"We are running DNS internally on Server 2K3 R2"
Well that precludes the MAC from being part of the "dedicated" domain of the 2003 server.  Let me state again, the MAC DOES NOT - NOT - NOT run windows file sharing or its protocols.  It runs SAMBA file sharing, and this will not integrate into the windows DNS assignments that you have.  Is this sentence clear to you?

If you ran DNS from the master router, that might be a different scenario, but NOT windows DNS on windows networks, the MAC does not natively speak that language, so NO, if windows is delivering the DNS, the MAC does not hear it.  It is not natively windows aware.

Thank you for the additional information.  I am still not clearly understanding your explanation.  The MAC OS is a variant of Unix.  It has a plug-in included with the OS that allows it to join a Windows domain.  There are articles on experts-exchange and other sites detailing how to do this.  I understand that the MAC does not run Windows protocols, etc.  I don't understand your statement that it should not be a webserver or a fileserver.  Apache runs on the MAC, so it functions as a webserver - I am not understanding your assertion that the MAC is not a webserver.

I also don't understand why I can't open a browser and get to the page the same way I did before, other than a problem with DNS.  When it was in the DMZ, on a public IP address, it worked fine.  I put it on an internal address in the subnet, created a NAT record to allow outside traffic to get to it, and that works fine.  But internally it does not resolve the name.  We are using "split-brain" DNS.  If something does not resolve internally, then it is passed off to the router, which I presume passes it on to another DNS server for resolution.  I did not build the router.  It is a Linux box running iptables (I think).

If the MAC does not "hear" DNS from windows, then what is it using to resolve addresses?  I can open Safari on the MAC and browse the Internet, so it is at least passing through DNS to get outside.

Thanks for your patience.

If you do a nslookup/dig from your internal network on office.ourdomain.com, what do you get? Do you get the WAN or LAN IP?
How about nslookup on "office"?

Does http://IP_ADDRESS_OF_MAC and http://IP_ADDRESS_OF_MAC/filemaker work from the internal network?

Rick Hobbs

More than likely the reason http://office and http://office/filemaker don't work is because to resolve the address externally, it was added to the external dns.  Because a MAC does not do NETBIOS or WINS, you need to add them to your internal DNS. Run the DNS manager on your internal DNS system, locate the area that lists your internal PCs and right-click, select New Host, add the MAC PC office with the proper IP address (A) and pointer (PTR) and you should be in business.

Thanks for the suggestions.  Here are the results:

nslookup office - internal address (10.0.3.38)

nslookup office.teachscape.com - external address

http://10.0.3.38 - loads page correctly

http://10.0.3.38/filemaker - does not work

I added a PTR record for 'office' in the 3.0.10.in-addr.arpa reverse lookup zone.  The data portion of the record is office.sfo.teachscape.com.  I believe this is due to the fact that the domain was set up as sfo.teachscape.com.  So how do you get DNS to handle this?  When you create the PTR record it drops in the "sfo.teachscape.com" portion of the record.  I assume this is because it is working within its own domain.  I want to be able to enter the same URL internally and externally and get to the same page.

Thanks.

An additional thought - could I create a second domain internally as 'ourdomain.com' and have it resolve just the one address internally and then forward the rest?
ASKER CERTIFIED SOLUTION
The--Captain

This solution is only available to members.

Well, at this point we have moved the server back to the DMZ as it was before, and things are working fine again.  Thanks to everyone for their suggestions even if we didn't get to a solution.

>we didn't get to a solution

But we *did* get to a solution - the solution was to adjust your apache config.  Apache can respond completely differently to two URLs that appear to point to the same thing.

Cheers,
-Jon

I object - I don't need pts, but this should be noted as an apache problem in the PAQ.

Cheers,
-Jon

I will accept The Captain's answer, after I post this comment.  Although we did not directly implement the solution he proposed - we actually put it back in the DMZ - we did encounter problems and they were in fact caused by misconfiguration of the Apache settings.
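As an added illustration (example code written for this edit, not posted by anyone in the thread), the following Python model reproduces the two mechanisms the discussion turns on: the split-brain resolution the asker observed (an unqualified "office" answered from the internal sfo.ourdomain.com zone, the public FQDN forwarded out to the router), the "second zone for just one name" idea from the asker's additional-thought comment (a so-called pinpoint zone), and Apache's name-based VirtualHost selection that The--Captain's reply points to, where a Host header that matches no ServerName or ServerAlias falls through to the default vhost and its lack of a /filemaker Alias. Everything except 10.0.3.38 and the names in the thread is an assumption: 203.0.113.10 is a documentation-range placeholder for the firewall's public address, the vhost layout is assumed, and the FileMaker web path is a placeholder.

```python
"""Constructed model of Windows split-brain DNS resolution (with a pinpoint
zone for one FQDN) and Apache name-based VirtualHost selection.
Example code for this edit, not from the thread; all values other than
10.0.3.38 and the thread's hostnames are assumptions."""

from dataclasses import dataclass, field

# ---- DNS side -------------------------------------------------------------

# Zones hosted on the internal Windows DNS server: zone -> {owner: IPv4}.
# "@" is the zone apex.  Initially only the AD domain's zone exists.
INTERNAL_ZONES = {"sfo.ourdomain.com": {"office": "10.0.3.38"}}

# What the router's upstream resolver (the public view) answers.
# 203.0.113.10 is a constructed placeholder for the firewall's public side.
EXTERNAL_VIEW = {"office.ourdomain.com": "203.0.113.10"}

# Primary DNS suffix the Windows resolver appends to single-label names.
DNS_SUFFIX = "sfo.ourdomain.com"


def resolve(name, zones=INTERNAL_ZONES, suffix=DNS_SUFFIX):
    """Return (address, source) for a name as an internal client sees it."""
    fqdn = name if "." in name else f"{name}.{suffix}"
    fqdn = fqdn.rstrip(".").lower()
    # The most specific hosted zone is authoritative (longest suffix match).
    for zone in sorted(zones, key=len, reverse=True):
        if fqdn == zone:
            owner = "@"
        elif fqdn.endswith("." + zone):
            owner = fqdn[: -(len(zone) + 1)]
        else:
            continue
        addr = zones[zone].get(owner)
        return (addr, f"zone {zone}") if addr else (None, f"zone {zone} NXDOMAIN")
    # Not hosted here: forwarded to the router, which returns the public view.
    return EXTERNAL_VIEW.get(fqdn), "forwarder"


def add_pinpoint_zone(zones, fqdn, addr):
    """Split-brain fix for a single name: host a zone named after the FQDN
    itself with one apex A record, so only that name is overridden
    internally while every other ourdomain.com name still forwards."""
    new = dict(zones)
    new[fqdn.lower()] = {"@": addr}
    return new


# ---- Apache side ----------------------------------------------------------

@dataclass
class VHost:
    server_name: str                                   # ServerName
    aliases: list = field(default_factory=list)        # ServerAlias entries
    url_aliases: dict = field(default_factory=dict)    # Alias /url -> path


def select_vhost(vhosts, host_header):
    """Name-based selection: first vhost whose ServerName or a ServerAlias
    equals the Host header; with no match, the first vhost listed for the
    address:port is the default and answers the request."""
    host = host_header.split(":")[0].lower()
    for vh in vhosts:
        if host in [vh.server_name.lower()] + [a.lower() for a in vh.aliases]:
            return vh
    return vhosts[0]


def serve(vhosts, host_header, path):
    """Return (status, ServerName of the vhost that answered, what it served)."""
    vh = select_vhost(vhosts, host_header)
    for prefix, target in vh.url_aliases.items():      # Alias directives
        if path == prefix or path.startswith(prefix + "/"):
            return 200, vh.server_name, target
    if path == "/":
        return 200, vh.server_name, "DocumentRoot index"
    return 404, vh.server_name, None


FILEMAKER_WEB = "/path/to/filemaker-web"   # placeholder, not a real path

# Assumed layout: a plain default vhost first, then the FileMaker vhost named
# only by the public FQDN.  "office", "office.sfo.ourdomain.com" and the bare
# IP match nothing and fall through to the default vhost (no /filemaker).
BEFORE = [
    VHost("default.local"),
    VHost("office.ourdomain.com", url_aliases={"/filemaker": FILEMAKER_WEB}),
]
# Fix on the Apache side: declare the internal names as ServerAlias entries.
AFTER = [
    VHost("default.local"),
    VHost("office.ourdomain.com",
          aliases=["office", "office.sfo.ourdomain.com"],
          url_aliases={"/filemaker": FILEMAKER_WEB}),
]

if __name__ == "__main__":
    print("office ->", resolve("office"))
    print("office.ourdomain.com ->", resolve("office.ourdomain.com"))
    fixed = add_pinpoint_zone(INTERNAL_ZONES, "office.ourdomain.com", "10.0.3.38")
    print("office.ourdomain.com with pinpoint zone ->", resolve("office.ourdomain.com", fixed))
    for label, vhosts in (("before", BEFORE), ("after", AFTER)):
        print(label, "Host: office GET /filemaker ->", serve(vhosts, "office", "/filemaker"))
```

Run as a script it prints the same pattern the asker reported: "office" answered from the sfo.ourdomain.com zone with 10.0.3.38, the public FQDN handed to the forwarder, and /filemaker returning 404 for any Host header other than the public name until the vhost gains the internal names as aliases. The DNS half fixes which address the browser connects to; the Apache half fixes what the server does with the name in the request, and the thread's outcome shows the second one is needed even once the first is right.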