

dns private/public answers

Posted on 2006-07-17
Medium Priority
Last Modified: 2010-03-18
we have a linux dns server and two win2003 servers, one of which is a web server.
all three machines are behind a cisco router which connects us to the internet via
a dsl link.  we do have a static ip address, however all three servers (dns, web and
file/dc server) are on a private lan segment.  our domain is for example
ourdomain.com and is registered to our private ip.  via port forwarding we can publish
our web site by simply forwarding ports 53, 80 and 25 (for email) to our win2003 servers' addresses.

we cannot for the life of us figure out how to configure our dns so we can have sub-domains
such as subdomain.ourdomain.com.
if i assign the dns to have for our subdomain web server, it gets resolved to just
that, which is of course non-workable.  thanks for any suggestions.
Question by:mutter223
LVL 41

Expert Comment

ID: 17125590
depending on the dns server you are using...

(isc-bind f.e.)
supports views, where you can supply different answers depending on where the query
came from. (You can have one DNS then, supplying different answers).

The other answer is to have two DNS servers:
one that is used & referenced from the inside (the current one)
and a skeletal one (only serving the bare minimum) that will answer to
the outside.

Author Comment

ID: 17126670
the dns type is really not relevant.  we're using linux suse server 9, but we tried switching dns to one of the win2003 servers.  the point is that in either case when one goes to dns lookup outside and does a lookup we get the internal 192. address as an answer.
clearly not legal.  what is the solution?
LVL 41

Expert Comment

ID: 17126791
You need to set up one dns for internal use, say the windows system, with the internal addresses (192.x.y.z)

You need another dns setup (f.e. the Suse 9 system) to answer to the public address, i.e. the firewall passes all UDP port 53 packets only to the Suse 9 system, this Suse 9 system then has the tables, let's say DNS

the suse system has
the win2k3 system has
the webserver has

All your internal systems have in resolv.conf/dhcp settings to look up dns queries through
In the firewall all udp/53 packets are forwarded to

If the query dns.example.com reaches the win2k3 system it replies
if the query dns.example.com reaches the suse system it answers with your OUTSIDE address your firewall responds to
If the query www.example.com reaches the win2k3 system it replies
if the query www.example.com reaches the suse system it answers with your OUTSIDE address your firewall responds to

In the suse system DON'T use the internal addresses, but the addresses you want to show to the world...
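The split-horizon behaviour described in the two expert comments above (BIND views, or two separate servers), shown as a small added example that is not part of the original thread: a minimal DNS A-record responder that returns an RFC1918 address to LAN clients and the public address to everyone else. The zone contents, the internal network and the two address values are constructed for the demonstration; the thread's real addresses are not on the page.

```python
import ipaddress
import socket
import struct

# Constructed data (assumption): LAN clients get RFC1918 answers, the
# internet gets the single public address the firewall NATs to.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]
ZONE = {
    "www.example.com": {"internal": "192.168.1.20", "external": "203.0.113.10"},
    "dns.example.com": {"internal": "192.168.1.10", "external": "203.0.113.10"},
}

def build_query(txid, name, qtype=1):
    """Encode a single-question DNS query (used to construct test input)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (txid, qname, end offset of question, qtype, qclass)."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    labels, pos = [], 12
    while packet[pos] != 0:          # walk length-prefixed labels to the root
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return txid, ".".join(labels).lower(), pos + 5, qtype, qclass

def choose_view(client_ip):
    """The 'view' is decided purely by the source address of the query."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"

def build_response(packet, client_ip):
    """Answer an A query from the view matching the client; NXDOMAIN otherwise."""
    txid, qname, qend, qtype, qclass = parse_question(packet)
    question = packet[12:qend]
    record = ZONE.get(qname)
    if record is None or qtype != 1 or qclass != 1:
        return struct.pack("!HHHHHH", txid, 0x8403, 1, 0, 0, 0) + question  # QR|AA, RCODE=3
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)               # QR|AA, one answer
    # name pointer to offset 12, type A, class IN, TTL 60, rdlength 4, then the address
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(record[choose_view(client_ip)])
    return header + question + answer

def answered_address(response):
    """Extract the IPv4 address from a one-answer response built above."""
    return socket.inet_ntoa(response[-4:])
```

Binding this to udp/53 with a `socket` loop is all that is missing to make it serve; the point is that the same name yields a different answer depending on which side of the firewall asked.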

Author Comment

ID: 17129515
thanks noci for your time.  
we did have the above working fine with a single domain.  whenever the outside requested our example.com domain they were given the outside ip.
internally we also managed to get things working as per your example.

the problem is when we tried to add a second web server and attempted to parse
out based on subdomain.  for ex.  example.com lives on and
the new webserver is subdomain.example.com and lives at

i guess in short, how to host multiple subdomains which internally live on different internal addresses via a single public static ip address.

i know that we're probably overlooking a simple solution, but we're out of ideas.

Author Comment

ID: 17131092
One way to fix this I suppose is to install another box right after the
dsl modem and turn it into a NAT device.  I am resisting this as I
am happy with our router firewall and this would in effect replace it.
Sooo, is there another way to do this?
LVL 41

Expert Comment

ID: 17133552
you have a very different problem...

If you have only ONE outside address you cannot split that for port 80 to two different
Just think of this: you only know to go to ipaddress x.y.z.a port 80, then as a
router how do you decide to go left to or
Just the address (that's what NAT means). You have no content yet, just the intention to build a
connection (SYN packet).

What you need is ONE webserver inside and have that serve virtual hosted domains.
Apache can do it for you, as can IIS.

The only problem is with https, that can only be served through one certificate per system.

Besides the https: there is no reason you can have multiple cnames to one ip address.

my adsl.link.provider.com IN A
possibly with reverse lookup..

www.example.com IN CNAME adsl.link.provider.com
subdomain.example.com IN CNAME adsl.link.provider.com

Let the webserver decide based on the HTTP header (with a Host: www.example.com)
what directories to serve


Author Comment

ID: 17137623
yes, iis can direct based on http headers to the appropriate directories, and it can even do a redirect.  we've already tested this scenario.  excuse me for not being specific initially,
but our dilemma is with the fact that we need to have two physically different web servers, and the redirect from one to the other is not an option.
thus back to dns and to the original question, how do i solve multiple subdomains via a single static ip.   perhaps this will clear up my wording a bit:
(all examples)

single ip address:
one domain:           domain.com
single dns server:
file/dc server:
web server #1:
web server #2:
subdomain#1:        sub1.domain.com   (lives on web server#1)
subdomain#2:        sub2.domain.com   (lives on web server#2)

i understand that we can only redirect port 80 to one or the other, however there must
be a way in dns to point to the appropriate server based on the subdomain name.
hope this helps, and thanks again for your answer.

LVL 41

Accepted Solution

noci earned 375 total points
ID: 17139797
Your problem can not be solved through DNS, basically you need to distinguish your internal webservers through one IP address.
IP addresses (transport mechanism) have nothing whatsoever
to do with DNS (human labeling system for ip addresses)
No, there is no way you can tell a remote system (through DNS)
that you want a different nat based on hostname...

IP routing works on addresses, you only have one address.
And you already have to route about three packets BEFORE
any content like the HTTP request is even starting.
(a SYN, SYN+ACK and an ACK packet to start a TCP link...)

This might be a solution though:
Have the server#1 on port 80
handle sub1.domain.com directly
and do a redirect to http://sub1.domain.com:81/

Have your firewall set up a NAT for
port 80 to Server #1
and 81 to server #2

And this might also:
If the previous isn't a workable solution please investigate the use of reverse proxies. (all users from the outside connect to the proxy server:
push all port 80 traffic to the proxy and have the proxy dispatch on request.) This is more complex than the above solution.

And this definitely will:
Try to upgrade your network link to one with 8, 16 or more addresses.

Author Comment

ID: 17139980
thanks noci.  the proxies look like a shot.  any preferences on type of proxies? meaning specific software packages that are sure to handle this?
LVL 41

Expert Comment

ID: 17140199
apache with the mod_proxy...

Be aware that in that case https: can be a problem, as the proxy needs to handle the ssl layer then
(certificate issues).
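The reverse-proxy dispatch suggested in the accepted solution and in the mod_proxy comment above, written out as an added example that is not part of the original thread and is not Apache: a small Python proxy that receives all port-80 traffic from the firewall and forwards each request to one of the two physical web servers based solely on the Host header. The backend table is constructed; the hostnames reuse the asker's sub1/sub2.domain.com placeholders, and the LAN addresses are assumed. Requests with a missing or unknown Host are refused rather than sent to a default server, so a stray name cannot reach a backend it was never meant for.

```python
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed backend table (assumption): the two physical web servers on
# the LAN, keyed by the public hostname each one serves.
BACKENDS = {
    "sub1.domain.com": ("192.168.1.21", 80),
    "sub2.domain.com": ("192.168.1.22", 80),
}

def select_backend(host_header):
    """Map a Host header to (addr, port); None if absent or not in the table.
    A :port suffix and trailing dot are stripped and the name is lower-cased."""
    if not host_header:
        return None
    name = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    return BACKENDS.get(name)

class HostDispatchProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        self.forward()

    def do_POST(self):
        self.forward()

    def forward(self):
        backend = select_backend(self.headers.get("Host"))
        if backend is None:
            self.send_error(421, "Unknown or missing Host header")  # 421 Misdirected Request
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        # Pass the client's headers through, keep the original Host so the
        # backend's own virtual hosting still works, and record the real client.
        headers = {k: v for k, v in self.headers.items()}
        headers["X-Forwarded-For"] = self.client_address[0]
        conn = http.client.HTTPConnection(*backend, timeout=10)
        conn.request(self.command, self.path, body=body, headers=headers)
        resp = conn.getresponse()
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in ("transfer-encoding", "connection"):  # hop-by-hop, not relayed
                self.send_header(k, v)
        self.end_headers()
        self.wfile.write(resp.read())  # read() de-chunks, so the body is sent whole
        conn.close()

if __name__ == "__main__":
    # The firewall forwards tcp/80 here; the proxy fans out to the LAN servers.
    ThreadingHTTPServer(("0.0.0.0", 80), HostDispatchProxy).serve_forever()
```

As the comment above notes, this only works for plain http: the proxy sees the Host header because it terminates the TCP connection, and for https it would have to terminate TLS as well.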

