Solved

dns private/public answers

Posted on 2006-07-17
10
325 Views
Last Modified: 2010-03-18
we have a linux dns server and two win2003 servers, one which is a web server.
all three machines are behind a cisco router which connects us to the internet via
a dsl link.  we do have a static ip address, however all three servers (dns, web and
file/dc server) are on a private 192.168.2.0 lan segment.  our domain is for example
ourdomain.com and is registered to our private ip.  via port forwarding we can publish
our web site by simply doing the port 53,80 and 25 for email to our win2003 servers
192.168.2.0 addresses.

we cannot for the life of us to figure out how to configure our dns so we can have sub-domains
such as subdomain.ourdomain.com.
if i assign the dns to have 192.168.2.33 for our subdomain web server, it gets resolved to just
that which is of-course non-workable.  thanks for any suggestions.
Question by:mutter223
10 Comments
 
LVL 39

Expert Comment

by:noci
Depending on the DNS server you are using...

(ISC BIND, f.e.)
supports views, where you can supply different answers depending on where the query
came from. (You can have one DNS then, supplying different answers).

The other answer is to have two DNS servers:
one that is used & referenced from the inside (the current one)
and a skeletal one (only serving the bare minimum) that will answer to
the outside.
 

Author Comment

by:mutter223
the dns type is really not relevant.  we're using linux suse server 9, but we tried switching dns to one of the win2003 servers.  the point is that in either case when one goes to dns lookup outside and does a lookup we get the internal 192. address as an answer.
clearly not legal.  what is the solution?
 
LVL 39

Expert Comment

by:noci
You need to set up one dns for internal use, say the windows system, with the internal addresses (192.x.y.z)

You need another dns setup (f.e. the Suse 9 system) to answer to the public address, ie the firewall passes all UDP port 53 packets only to the Suse 9 system, this Suse 9 system then has the tables lets say DNS

the suse system has 192.168.1.5
the win2k3 system has 192.168.1.20
the webserver has 192.168.1.25

All your internal systems have in resolv.conf/dhcp settings to lookup dns queries through 192.168.1.20
In the firewall all udp/53 packets are forwarded to 192.168.1.5

If the query dns.example.com reaches the win2k3 system it replies 192.168.1.20
if the query dns.example.com reaches the suse system it answers with your OUTSIDE address your firewall responds to
If the query www.example.com reaches the win2k3 system it replies 192.168.1.25
if the query www.example.com reaches the suse system it answers with your OUTSIDE address your firewall responds to

In the suse system DON'T use the internal addresses, but the addresses you want to show to the world...
HIH
 

Author Comment

by:mutter223
thanks noci for your time.
we did have the above working fine with a single domain.  whenever the outside requested our example.com domain they were given the 45.33.45.23 outside ip.
internally we also managed to get things working as per your example.

the problem is when we tried to add a second web server and attempted to parse
out based on subdomain.  for ex.  example.com lives on 192.168.1.25 and
the new webserver is subdomain.example.com and lives at 192.168.1.26.

i guess in short, how to host multiple subdomains which internally live on different internal 192.168.1.0 addresses via a single public static ip address.

i know that we're probably overlooking a simple solution, but we're out of ideas.
thanks.
 

Author Comment

by:mutter223
One way to fix this I suppose is to install another box right after the
dsl modem and turn it into a NAT device.  I am resisting this as I
am happy with our router firewall and this would in effect replace it.
Sooo, is there another way to do this?

 
LVL 39

Expert Comment

by:noci
Nope,
you have a very different problem...

If you have only ONE outside address you cannot split that for port 80 to two different
systems...
Just think of this: you only know to go to ipaddress x.y.z.a port 80, then as a
router how do you decide to go left to 192.168.1.25 or 192.168.1.26......
Just the address (that's what NAT means). You have no content yet, just the intention to build a
connection (SYN packet).


What you need is ONE webserver inside and have that serve virtual hosted domains.
Apache can do it for you, as can IIS.

The only problem is with https, that can only be served through one certificate per system.

Besides the https: there is no reason you can't have multiple cnames to one ip address.

like
my adsl.link.provider.com IN A 45.33.45.23
possibly with reverse lookup..

then
www.example.com IN CNAME adsl.link.provider.com
subdomain.example.com IN CNAME adsl.link.provider.com

Let the webserver decide based on the HTTP header (with a host: www.example.com )
what directories to serve


 

Author Comment

by:mutter223
yes, iis can direct based on http headers to the appropriate directories, and it can even do a redirect.  we've already tested this scenario.  excuse me for not being specific initially,
but our dilemma is with the fact that we need to have two physically different web servers, and the redirect from one to the other is not an option.
thus back to dns and to the original question, how do i solve multiple subdomains via a single static ip.   perhaps this will clear up my wording a bit:
(all examples)

single ip address:   45.34.22.12
one domain:           domain.com
single dns server:   192.168.1.20
file/dc server:         192.168.1.25
web server #1:       192.168.1.30
web server #2:       192.168.1.31
subdomain#1:        sub1.domain.com   (lives on web server#1)
subdomain#2:        sub2.domain.com   (lives on web server#2)

i understand that we can only redirect port 80 to one or the other, however there must
be a way in dns to point to the appropriate server based on the subdomain name.
hope this helps, and thanks again for your answer.
 
LVL 39

Accepted Solution

by:noci (earned 125 total points)
Your problem can not be solved through DNS, basically you need to distinguish your internal webservers through one IP address.
IP addresses (transport mechanism) have nothing whatsoever
to do with DNS (human labeling system for ip addresses)
No there is no way you can tell a remote system (through DNS)
that you want a different nat based on hostname...

IP routing works on addresses, you only have one address.
And you already have to route about three packets BEFORE
any content like the HTTP request is even starting.
(a SYN, SYN+ACK and an ACK packet to start a TCP link...)

This might be a solution though:
Have server#1 on port 80
handle sub1.domain.com directly
and do a redirect to http://sub1.domain.com:81/

Have your firewall set up a NAT for
port 80 to Server #1
and 81 to server #2

And this might also:
If the previous isn't a workable solution please investigate the use of reverse proxies. (all users from the outside connect to the proxy server,
push all port 80 traffic to the proxy and have the proxy dispatch on request.) This is more complex than the above solution.

And this definitely will:
Try to upgrade your network link to one with 8, 16 or more addresses.
 

Author Comment

by:mutter223
thanks noci.  the proxies look like a shot.  any preferences on type of proxies? meaning specific software packages that are sure to handle this?
 
LVL 39

Expert Comment

by:noci
squid?
apache with the mod_proxy...

Be aware that in that case https: can be a problem, as the proxy needs to handle the ssl layer then
(certificate issues).

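The Host-header dispatch noci describes in the thread (name-based virtual hosting in his earlier comment, the reverse proxy in the accepted solution, and the squid/mod_proxy suggestion just above), as an added example that is not code from this thread or from either product: a minimal Python reverse proxy that sits behind the single port-80 NAT and forwards each request to the internal web server owning the requested subdomain. The addresses are mutter223's example values; `BACKENDS`, `select_backend` and `HostDispatchProxy` are names assumed here.

```python
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
import http.client

# Constructed table from the thread's example addresses:
# subdomain (lower-case, no port) -> (internal web server, port).
BACKENDS = {
    "sub1.domain.com": ("192.168.1.30", 80),   # web server #1
    "sub2.domain.com": ("192.168.1.31", 80),   # web server #2
}

def select_backend(host_header):
    """Map the HTTP Host header to an internal backend, or None if unknown.
    The port suffix, case and trailing dot are ignored; an unknown or missing
    Host yields None so the proxy refuses instead of falling back to some
    internal server (a crafted Host must not relay to arbitrary LAN hosts)."""
    if not host_header:
        return None
    name = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    return BACKENDS.get(name)

class HostDispatchProxy(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _proxy(self):
        backend = select_backend(self.headers.get("Host"))
        if backend is None:
            self.send_error(421, "Misdirected Request: unknown Host")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        conn = http.client.HTTPConnection(*backend, timeout=10)
        # Forward Host unchanged so the backend's own virtual-host config still works.
        conn.request(self.command, self.path, body=body, headers=dict(self.headers))
        resp = conn.getresponse()
        data = resp.read()            # http.client undoes chunked encoding
        conn.close()
        self.send_response(resp.status, resp.reason)
        for key, value in resp.getheaders():
            if key.lower() not in ("transfer-encoding", "content-length", "connection"):
                self.send_header(key, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = _proxy

if __name__ == "__main__":
    ThreadingHTTPServer(("0.0.0.0", 80), HostDispatchProxy).serve_forever()
```

Only plain HTTP is dispatched, which is exactly noci's https caveat: TLS would have to terminate at the proxy before it can read the Host header.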