dns private/public answers

We have a Linux DNS server and two Win2003 servers, one of which is a web server.
All three machines are behind a Cisco router which connects us to the internet via
a DSL link. We do have a static IP address, however all three servers (DNS, web and
file/DC server) are on a private LAN segment. Our domain is, for example,
ourdomain.com and is registered to our private IP. Via port forwarding we can publish
our web site by simply doing port 53, 80 and 25 for email to our Win2003 servers' addresses.

We cannot for the life of us figure out how to configure our DNS so we can have sub-domains
such as subdomain.ourdomain.com.
If I assign the DNS to have for our subdomain web server, it gets resolved to just
that, which is of course non-workable. Thanks for any suggestions.
noci (Software Engineer) commented:
Your problem cannot be solved through DNS; basically you need to distinguish your internal web servers through one IP address.
IP addresses (transport mechanism) have nothing whatsoever
to do with DNS (human labeling system for IP addresses).
No, there is no way you can tell a remote system (through DNS)
that you want a different NAT based on hostname...

IP routing works on addresses, and you only have one address.
And you already have to route about three packets BEFORE
any content like the HTTP request is even starting.
(a SYN, SYN+ACK and an ACK packet to start a TCP link...)

This might be a solution though:
Have the server#1 on port 80
handle sub1.domain.com directly
and do a redirect to http://sub1.domain.com:81/

Have your firewall setup a NAT for
port 80 to Server #1
and 81 to server #2

And this might also:
If the previous isn't a workable solution please investigate the use of reverse proxies (all users from the outside connect to the proxy server;
push all port 80 traffic to the proxy and have the proxy dispatch on request). This is more complex than the above solution.

And this definitely will:
Try to upgrade your network link to one with 8, 16 or more addresses.
noci (Software Engineer) commented:
Depending on the DNS server you are using...

Some (ISC BIND, f.e.)
support views, where you can supply different answers depending on where the query
came from. (You can have one DNS then, supplying different answers.)

The other answer is to have two DNS servers:
one that is used & referenced from the inside (the current one)
and a skeletal one (only serving the bare minimum) that will answer to
the outside.
mutter223 (Author) commented:
The DNS type is really not relevant. We're using Linux SUSE Server 9, but we tried switching DNS to one of the Win2003 servers. The point is that in either case, when one goes to a DNS lookup outside and does a lookup, we get the internal 192. address as an answer.
Clearly not legal. What is the solution?

noci (Software Engineer) commented:
You need to set up one DNS for internal use, say the Windows system, with the internal addresses (192.x.y.z)

You need another DNS set up (f.e. the SUSE 9 system) to answer to the public address, i.e. the firewall passes all UDP port 53 packets only to the SUSE 9 system; this SUSE 9 system then has the tables, let's say DNS

the SUSE system has
the Win2k3 system has
the webserver has

All your internal systems have in resolv.conf/DHCP settings to look up DNS queries through
In the firewall all udp/53 packets are forwarded to

If the query dns.example.com reaches the Win2k3 system it replies
if the query dns.example.com reaches the SUSE system it answers with your OUTSIDE address your firewall responds to
If the query www.example.com reaches the Win2k3 system it replies
if the query www.example.com reaches the SUSE system it answers with your OUTSIDE address your firewall responds to

In the SUSE system DON'T use the internal addresses, but the addresses you want to show to the world...
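The single-server variant of the split noci describes in the two comments above (BIND views, giving the same result as one internal and one skeletal external server) looks like this. It is an added example, not configuration from the thread: the file paths, the 203.0.113.10 public address, the 192.168.1.x internal addresses and the mail host are placeholders I have assumed.

```conf
# /etc/named.conf (assumed path). Clients on the LAN match the "internal" acl
# and get private addresses; everyone else gets only the public address.
acl internal { 127.0.0.1; 192.168.1.0/24; };

options {
    directory "/var/lib/named";
    listen-on { any; };
    allow-transfer { none; };   # no zone transfers to anyone unless listed per zone
};

# View 1: the LAN. Private answers, recursion allowed for our own clients.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/db.example.com";
    };
};

# View 2: the Internet, arriving through the router's port-53 forward.
# Public answers only, and no recursion: an open resolver on the public
# side gets abused for DNS reflection.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/db.example.com";
    };
};

; ---- internal/db.example.com (what the LAN sees) ----
$TTL 3600
@       IN  SOA  ns1.example.com. hostmaster.example.com. ( 2005010101 3600 900 604800 3600 )
        IN  NS   ns1.example.com.
        IN  MX   10 mail.example.com.
ns1     IN  A    192.168.1.2     ; SUSE box running BIND
dc      IN  A    192.168.1.3     ; Win2003 file/DC server, internal only
mail    IN  A    192.168.1.3     ; assumed: mail on the Win2003 box (port 25 forward)
www     IN  A    192.168.1.11    ; web server #1
sub1    IN  A    192.168.1.11    ; sub1 also lives on web server #1
sub2    IN  A    192.168.1.12    ; web server #2

; ---- external/db.example.com (what the world sees) ----
; Every published name points at the one public address; the router's
; port forwards decide which internal host actually gets the packet.
$TTL 3600
@       IN  SOA  ns1.example.com. hostmaster.example.com. ( 2005010101 3600 900 604800 3600 )
        IN  NS   ns1.example.com.
        IN  MX   10 mail.example.com.
ns1     IN  A    203.0.113.10
mail    IN  A    203.0.113.10
www     IN  A    203.0.113.10
sub1    IN  A    203.0.113.10
sub2    IN  A    203.0.113.10
; no "dc" record: hosts that are not published get no external name at all
```

Check it from both sides: `dig @192.168.1.2 www.example.com` from the LAN must return 192.168.1.11, and the same query against 203.0.113.10 from outside must return 203.0.113.10 and nothing from 192.168.0.0/16, which is exactly the leak the author reported. Keep the external zone minimal; anything in it is reconnaissance for free.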
mutter223 (Author) commented:
Thanks noci for your time.
We did have the above working fine with a single domain. Whenever the outside requested our example.com domain they were given the outside IP.
Internally we also managed to get things working as per your example.

The problem is when we tried to add a second web server and attempted to parse
out based on subdomain. For example, example.com lives on and
the new web server is subdomain.example.com and lives at

I guess in short, how to host multiple subdomains which internally live on different internal addresses via a single public static IP address.

I know that we're probably overlooking a simple solution, but we're out of ideas.
mutter223 (Author) commented:
One way to fix this I suppose is to install another box right after the
DSL modem and turn it into a NAT device. I am resisting this as I
am happy with our router firewall and this would in effect replace it.
Sooo, is there another way to do this?
noci (Software Engineer) commented:
You have a very different problem...

If you have only ONE outside address you cannot split that for port 80 to two different
Just think of this: you only know to go to IP address x.y.z.a port 80, then as a
router how do you decide to go left to or
Just the address (that's what NAT means). You have no content yet, just the intention to build a
connection (SYN packet).

What you need is ONE webserver inside and have that serve virtual hosted domains.
Apache can do it for you, as can IIS.

The only problem is with https, that can only be served through one certificate per system.

Besides the https: there is no reason you can't have multiple CNAMEs to one IP address.

my adsl.link.provider.com IN A
possibly with reverse lookup..

www.example.com IN CNAME adsl.link.provider.com
subdomain.example.com IN CNAME adsl.link.provider.com

Let the webserver decide based on the HTTP header (with a Host: www.example.com)
what directories to serve

mutter223 (Author) commented:
Yes, IIS can direct based on HTTP headers to the appropriate directories, and it can even do a redirect. We've already tested this scenario. Excuse us for not being specific initially,
but our dilemma is with the fact that we need to have two physically different web servers, and the redirect from one to the other is not an option.
Thus back to DNS and to the original question: how do I solve multiple subdomains via a single static IP. Perhaps this will clear up my wording a bit:
(all examples)

single IP address:
one domain:           domain.com
single DNS server:
file/DC server:
web server #1:
web server #2:
subdomain #1:        sub1.domain.com   (lives on web server #1)
subdomain #2:        sub2.domain.com   (lives on web server #2)

I understand that we can only redirect port 80 to one or the other, however there must
be a way in DNS to point to the appropriate server based on the subdomain name.
Hope this helps, and thanks again for your answer.

mutter223 (Author) commented:
Thanks noci. The proxies look like a shot. Any preferences on type of proxies? Meaning specific software packages that are sure to handle this?
noci (Software Engineer) commented:
Apache with mod_proxy...

Be aware that in that case https: can be a problem, as the proxy then needs to handle the SSL layer
(certificate issues).
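Putting noci's two suggestions together (name-based virtual hosts for names served from one box, and Apache mod_proxy dispatching on the Host: header to the two physically separate web servers), here is an added example of the proxy host's configuration. It is not from the thread or from the Apache project; the example.com names, the backend addresses 192.168.1.11 and 192.168.1.12, and the document root are assumptions.

```conf
# httpd.conf fragment for the proxy box, the one host the router forwards
# public port 80 to. Backend addresses are placeholders, not from the thread.
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so

NameVirtualHost *:80

# Never act as a forward (open) proxy: only the reverse mappings below apply.
ProxyRequests Off
# Pass the client's original Host: header to the backend, so the backend's own
# host-header sites (IIS) or <VirtualHost> blocks keep matching.
ProxyPreserveHost On

# Catch-all, listed first because Apache uses the first vhost as the default:
# a request with an unknown or missing Host: gets 403 and is never forwarded.
<VirtualHost *:80>
    ServerName default.invalid
    <Location />
        Order deny,allow
        Deny from all
    </Location>
</VirtualHost>

# sub1.example.com -> web server #1
<VirtualHost *:80>
    ServerName sub1.example.com
    ProxyPass        / http://192.168.1.11/
    ProxyPassReverse / http://192.168.1.11/
</VirtualHost>

# sub2.example.com -> web server #2
<VirtualHost *:80>
    ServerName sub2.example.com
    ProxyPass        / http://192.168.1.12/
    ProxyPassReverse / http://192.168.1.12/
</VirtualHost>

# The main site can live on the proxy itself as an ordinary name-based vhost;
# this is the single-server case from the earlier comment.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /srv/www/example.com
</VirtualHost>
```

The dispatch happens after the TCP handshake, which is why this works where NAT cannot: the router only ever sees one address and port, the proxy reads the Host: header once the request arrives. mod_proxy_http adds an X-Forwarded-For header, so the backends must log that instead of the proxy's address. On Apache 2.4 drop `NameVirtualHost` and replace `Order deny,allow` / `Deny from all` with `Require all denied`. For HTTPS the proxy terminates TLS itself; the one-certificate-per-address limit noci mentions is lifted by TLS Server Name Indication (RFC 6066), which lets each `*:443` vhost present its own certificate, while the proxy-to-backend hop stays plain HTTP on the LAN.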
