dns private/public answers

Posted on 2006-07-17
Last Modified: 2010-03-18
We have a Linux DNS server and two Win2003 servers, one of which is a web server.
All three machines are behind a Cisco router which connects us to the internet via
a DSL link. We do have a static IP address; however, all three servers (DNS, web and
file/DC server) are on a private LAN segment. Our domain is for example and is registered to our private IP. Via port forwarding we can publish
our web site by simply forwarding ports 53, 80 and 25 (for email) to our Win2003 servers' addresses.

We cannot for the life of us figure out how to configure our DNS so we can have sub-domains
such as
If I assign the DNS to have for our subdomain web server, it gets resolved to just
that, which is of course non-workable. Thanks for any suggestions.
Question by: mutter223

Expert Comment

ID: 17125590
Depending on the DNS server you are using...

ISC BIND, for example, supports views, where you can supply different answers depending on where the query
came from. (You can have one DNS server then, supplying different answers.)

The other answer is to have two DNS servers:
one that is used and referenced from the inside (the current one)
and a skeletal one (serving only the bare minimum) that will answer to
the outside.

Author Comment

ID: 17126670
The DNS type is really not relevant. We're using Linux SuSE Server 9, but we tried switching DNS to one of the Win2003 servers. The point is that in either case, when one goes to a DNS lookup outside and does a lookup, we get the internal 192. address as an answer.
Clearly not legal. What is the solution?

Expert Comment

ID: 17126791
You need to set up one DNS for internal use, say the Windows system, with the internal addresses (192.x.y.z).

You need another DNS set up (f.e. the SuSE 9 system) to answer to the public address, i.e. the firewall passes all UDP port 53 packets only to the SuSE 9 system; this SuSE 9 system then has the tables, let's say DNS

the SuSE system has
the win2k3 system has
the webserver has

All your internal systems have in resolv.conf/DHCP settings to look up DNS queries through
In the firewall all udp/53 packets are forwarded to

If the query reaches the win2k3 system it replies
if the query reaches the SuSE system it answers with your OUTSIDE address your firewall responds to
If the query reaches the win2k3 system it replies
if the query reaches the SuSE system it answers with your OUTSIDE address your firewall responds to

In the SuSE system DON'T use the internal addresses, but the addresses you want to show to the world...
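Editor's added example (not from noci or the asker): the split-horizon setup described in the two expert comments above, written as a BIND `named.conf` with two views plus the two zone files they load. Every name and address is an assumption: the zone is `example.com`, the LAN is `192.168.1.0/24`, the DNS box is `192.168.1.2`, the Win2k3 file/DC host `192.168.1.3`, the web server `192.168.1.4`, and the public address on the router is `203.0.113.10`. In the two-server variant from the first comment, the same two zone files are simply loaded by different servers (the internal one on the box the LAN's resolv.conf points at, the external one on the box the firewall forwards port 53 to).

```conf
# named.conf -- one BIND server answering differently to the LAN and to the world.
options {
    directory "/var/named";
    # Defaults for any view that does not override them: do not recurse for
    # strangers (no open resolver) and do not hand out zone copies.
    recursion no;
    allow-transfer { none; };
};

acl "lan" { 192.168.1.0/24; 127.0.0.1; };

# Views are tried top to bottom and the first match answers, so the
# internal view must come before the catch-all external one.
view "internal" {
    match-clients { lan; };
    # LAN hosts use this server as their resolver, so recursion is allowed here.
    recursion yes;
    zone "example.com" {
        type master;
        file "internal.example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    # Authoritative answers only; no recursion for Internet clients.
    recursion no;
    zone "example.com" {
        type master;
        file "external.example.com.zone";
        # Leaking the zone would reveal the name layout; keep transfers off.
        allow-transfer { none; };
    };
};

; --- internal.example.com.zone (served only to the LAN) ---
$TTL 3600
$ORIGIN example.com.
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2006071701 ; serial
                3600 900 604800 300 )
        IN NS   ns1.example.com.
        IN MX   10 mail.example.com.
ns1     IN A    192.168.1.2     ; the SuSE DNS box
mail    IN A    192.168.1.3     ; win2k3 file/DC (port 25 is forwarded here)
www     IN A    192.168.1.4     ; the web server
sub1    IN A    192.168.1.4

; --- external.example.com.zone (served to everyone else) ---
; Every externally reachable name maps to the single public address; the
; router's port forwards, not DNS, decide which inside host gets each port.
$TTL 3600
$ORIGIN example.com.
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2006071701 ; serial
                3600 900 604800 300 )
        IN NS   ns1.example.com.
        IN MX   10 mail.example.com.
ns1     IN A    203.0.113.10
mail    IN A    203.0.113.10
www     IN A    203.0.113.10
sub1    IN A    203.0.113.10
```

To check it, query from both sides: `dig @192.168.1.2 www.example.com A` from a LAN host should return `192.168.1.4`, the same query from outside (or via a public resolver) should return `203.0.113.10`, and `dig @203.0.113.10 example.com AXFR` from outside should be refused. Two practical caveats: keep the serial of the external zone moving whenever you change it, and forward TCP/53 to the DNS box as well as UDP/53, since responses that do not fit in a UDP packet are retried over TCP and a UDP-only forward silently breaks those lookups.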

Author Comment

ID: 17129515
Thanks noci for your time.
We did have the above working fine with a single domain. Whenever the outside requested our domain they were given the outside IP.
Internally we also managed to get things working as per your example.

The problem is when we tried to add a second web server and attempted to parse
out based on subdomain. For ex. lives on and
the new webserver is and lives at

I guess in short: how to host multiple subdomains which internally live on different internal addresses via a single public static IP address.

I know that we're probably overlooking a simple solution, but we're out of ideas.

Author Comment

ID: 17131092
One way to fix this I suppose is to install another box right after the
DSL modem and turn it into a NAT device. I am resisting this as I
am happy with our router firewall and this would in effect replace it.
Sooo, is there another way to do this?

Expert Comment

ID: 17133552
You have a very different problem...

If you have only ONE outside address you cannot split that for port 80 to two different
Just think of this: you only know to go to IP address x.y.z.a port 80, then as a
router how do you decide to go left to or
Just the address (that's what NAT means). You have no content yet, just the intention to build a
connection (SYN packet).

What you need is ONE webserver inside and have that serve virtual hosted domains.
Apache can do it for you, as can IIS.

The only problem is with https, which can only be served through one certificate per system.

Besides the https, there is no reason you can't have multiple CNAMEs to one IP address.

my IN A
possibly with reverse lookup..


Let the webserver decide based on the HTTP header (with a Host:)
what directories to serve


Author Comment

ID: 17137623
Yes, IIS can direct based on HTTP headers to the appropriate directories, and it can even do a redirect. We've already tested this scenario. Excuse me for not being specific initially,
but our dilemma is the fact that we need to have two physically different web servers, and the redirect from one to the other is not an option.
Thus back to DNS and to the original question: how do I solve multiple subdomains via a single static IP? Perhaps this will clear up my wording a bit:
(all examples)

single IP address:
one domain:
single DNS server:
file/DC server:
web server #1:
web server #2:
subdomain #1:   (lives on web server #1)
subdomain #2:   (lives on web server #2)

I understand that we can only redirect port 80 to one or the other; however, there must
be a way in DNS to point to the appropriate server based on the subdomain name.
Hope this helps, and thanks again for your answer.


Accepted Solution

noci earned 125 total points
ID: 17139797
Your problem cannot be solved through DNS; basically you need to distinguish your internal webservers through one IP address.
IP addresses (transport mechanism) have nothing whatsoever
to do with DNS (human labeling system for IP addresses).
No, there is no way you can tell a remote system (through DNS)
that you want a different NAT based on hostname...

IP routing works on addresses, and you only have one address.
And you already have to route about three packets BEFORE
any content like the HTTP request is even starting
(a SYN, SYN+ACK and an ACK packet to start a TCP link...).

This might be a solution though:
Have server #1 on port 80
handle directly
and do a redirect to

Have your firewall set up a NAT for
port 80 to server #1
and 81 to server #2.

And this might also:
If the previous isn't a workable solution, please investigate the use of reverse proxies (all users from the outside connect to the proxy server;
push all port 80 traffic to the proxy and have the proxy dispatch on request). This is more complex than the above solution.

And this definitely will:
Try to upgrade your network link to one with 8, 16 or more addresses.

Author Comment

ID: 17139980
Thanks noci. The proxies look like a shot. Any preferences on type of proxies? Meaning specific software packages that are sure to handle this?

Expert Comment

ID: 17140199
Apache with mod_proxy...

Be aware that in that case https can be a problem, as the proxy then needs to handle the SSL layer
(certificate issues).
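Editor's added example (not code from noci or the asker): an Apache configuration for the reverse-proxy approach in the accepted solution and the `mod_proxy` answer above, and at the same time the name-based virtual hosting noci described earlier, since both rest on the same `Host:` header dispatch. It assumes the router forwards port 80 to web server #1 (Apache, `192.168.1.4`), that `sub1.example.com` is served locally there, and that `sub2.example.com` is proxied to web server #2 at `192.168.1.5`; all names and addresses are made up for the example. Module paths vary by distribution; drop the `LoadModule` lines if your build already loads them.

```conf
# httpd.conf fragment on web server #1, the host that receives the port-80 forward.

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Never turn on forward proxying: with ProxyRequests On this box becomes an
# open proxy the whole Internet can bounce through. Reverse proxying via
# ProxyPass does not need it.
ProxyRequests Off

# Required on Apache 2.0/2.2 for name-based vhosts; 2.4 ignores it with a warning.
NameVirtualHost *:80

# The first vhost is the default. Requests with no Host: header (HTTP/1.0
# clients) or an unknown one (scanners hitting the bare IP) land here, on an
# empty directory, instead of on whichever real site happened to be listed first.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot "/var/www/empty"
</VirtualHost>

# Subdomain #1 lives on this machine: plain name-based virtual hosting.
<VirtualHost *:80>
    ServerName sub1.example.com
    DocumentRoot "/var/www/sub1"
</VirtualHost>

# Subdomain #2 lives on web server #2: proxy on the Host: header.
<VirtualHost *:80>
    ServerName sub2.example.com
    # Pass the client's Host: header through unchanged so the backend's own
    # vhost selection and any redirects it generates use the public name,
    # not 192.168.1.5.
    ProxyPreserveHost On
    ProxyPass        / http://192.168.1.5/
    ProxyPassReverse / http://192.168.1.5/
</VirtualHost>
```

The same file shows the https point from the thread: the proxy is the TLS endpoint for both names, so it must hold the certificate and private key, and the hop to `192.168.1.5` is plaintext unless you proxy to `https://` there as well. In 2006 that meant one certificate per IP:port; with SNI, current Apache can give each `<VirtualHost *:443>` its own certificate, but the proxy still terminates TLS. To check the dispatch, `curl -H 'Host: sub2.example.com' http://203.0.113.10/` from outside should return server #2's page, while `curl http://203.0.113.10/` with no matching Host: should hit the empty default vhost.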

