mutter223

asked on

dns private/public answers

we have a linux dns server and two win2003 servers, one of which is a web server.
all three machines are behind a cisco router which connects us to the internet via
a dsl link.  we do have a static ip address, however all three servers (dns, web and
file/dc server) are on a private 192.168.2.0 lan segment.  our domain is for example
ourdomain.com and is registered to our private ip.  via port forwarding we can publish
our web site by simply forwarding ports 53, 80 and 25 for email to our win2003 servers'
192.168.2.0 addresses.

we cannot for the life of us figure out how to configure our dns so we can have sub-domains
such as subdomain.ourdomain.com.
if i assign the dns to have 192.168.2.33 for our subdomain web server, it gets resolved to just
that, which is of course non-workable.  thanks for any suggestions.
noci

depending on the dns server you are using...

(isc-bind f.e.)
supports views, where you can supply different answers depending on where the query
came from. (You can have one DNS then, supplying different answers).

The other answer is to have two DNS servers:
one that is used & referenced from the inside (the current one)
and a skeletal one (only serving the bare minimum) that will answer to
the outside.
mutter223

ASKER

the dns type is really not relevant.  we're using linux suse server 9, but we tried switching dns to one of the win2003 servers.  the point is that in either case when one does a dns lookup from outside we get the internal 192. address as an answer.
clearly not legal.  what is the solution?
You need to set up one dns for internal use, say the windows system, with the internal addresses (192.x.y.z)

You need another dns set up (f.e. the Suse 9 system) to answer to the public address, i.e. the firewall passes all UDP port 53 packets only to the Suse 9 system; this Suse 9 system then has the tables, let's say:

the suse system has 192.168.1.5
the win2k3 system has 192.168.1.20
the webserver has 192.168.1.25

All your internal systems have in resolv.conf/dhcp settings to look up dns queries through 192.168.1.20
In the firewall all udp/53 packets are forwarded to 192.168.1.5

If the query dns.example.com reaches the win2k3 system it replies 192.168.1.20
if the query dns.example.com reaches the suse system it answers with your OUTSIDE address your firewall responds to
If the query www.example.com reaches the win2k3 system it replies 192.168.1.25
if the query www.example.com reaches the suse system it answers with your OUTSIDE address your firewall responds to

IN the suse system DON'T use the internal addresses, but the addresses you want to show to the world...
HIH
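The "views" option from noci's first reply and the two-server split from this one can be combined on one ISC BIND 9 box. The named.conf fragment below is an added example, not from the thread: it uses the addresses mutter223 lists later (192.168.1.20 for dns, .30/.31 for the web servers, 45.34.22.12 public); the zone file paths, SOA/NS names and serials are assumptions.

```conf
// named.conf fragment for ISC BIND 9: LAN clients get the internal
// addresses, everyone else gets the public one (split horizon).
// Added example, not from the thread. Hosts/IPs are the ones mutter223
// listed; zone file paths, SOA/NS names and serials are assumptions.

acl "lan" { 192.168.1.0/24; 127.0.0.1; };

// Views are tried in order; the first match-clients that matches wins.
view "internal" {
    match-clients { "lan"; };
    recursion yes;            // LAN hosts may use this box as their resolver
    zone "domain.com" {
        type master;
        file "/var/lib/named/domain.com.internal";
    };
};

view "external" {
    match-clients { any; };   // everything that did not match "lan"
    recursion no;             // authoritative only: no open resolver for the world
    zone "domain.com" {
        type master;
        file "/var/lib/named/domain.com.external";
    };
};

// /var/lib/named/domain.com.internal -- what the LAN sees
// $TTL 3600
// @     IN SOA ns1.domain.com. hostmaster.domain.com. ( 2005010101 3600 900 604800 300 )
// @     IN NS  ns1.domain.com.
// ns1   IN A   192.168.1.20
// sub1  IN A   192.168.1.30
// sub2  IN A   192.168.1.31

// /var/lib/named/domain.com.external -- what the Internet sees: every name
// maps to the single public address; the firewall forwards udp/53 to this box
// $TTL 3600
// @     IN SOA ns1.domain.com. hostmaster.domain.com. ( 2005010101 3600 900 604800 300 )
// @     IN NS  ns1.domain.com.
// ns1   IN A   45.34.22.12
// sub1  IN A   45.34.22.12
// sub2  IN A   45.34.22.12
```

Check it from both sides with dig: a query from the LAN should return 192.168.1.30 for sub1.domain.com, the same query from outside 45.34.22.12.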
thanks noci for your time.
we did have the above working fine with a single domain.  whenever the outside requested our example.com domain they were given the 45.33.45.23 outside ip.
internally we also managed to get things working as per your example.

the problem is when we tried to add a second web server and attempted to parse
out based on subdomain.  for ex.  example.com lives on 192.168.1.25 and
the new webserver is subdomain.example.com and lives at 192.168.1.26.

i guess in short, how to host multiple subdomains which internally live on different internal 192.168.1.0 addresses via a single public static ip address.

i know that we're probably overlooking a simple solution, but we're out of ideas.
thanks.
One way to fix this I suppose is to install another box right after the
dsl modem and turn it into a NAT device.  I am resisting this as I
am happy with our router firewall and this would in effect replace it.
Sooo, is there another way to do this?
Nope,
you have a very different problem...

If you have only ONE outside address you cannot split that for port 80 to two different
systems...
Just think of this: you only know to go to ipaddress x.y.z.a port 80, then as a
router how do you decide to go left to 192.168.1.25 or 192.168.1.26......
Just the address (that's what NAT means). You have no content yet, just the intention to build a
connection (SYN packet).


What you need is ONE webserver inside and have that serve virtual hosted domains.
Apache can do it for you, as can IIS.

The only problem is with https, that can only be served through one certificate per system.

Besides the https: there is no reason you can't have multiple cnames to one ip address.

like
my adsl.link.provider.com IN A 45.33.45.23
possibly with reverse lookup..

then
www.example.com IN CNAME adsl.link.provider.com
subdomain.example.com IN CNAME adsl.link.provider.com

Let the webserver decide based on the HTTP header (with a host: www.example.com)
what directories to serve


yes, iis can direct based on http headers to the appropriate directories, and it can even do a redirect.  we've already tested this scenario.  excuse me for not being specific initially,
but our dilemma is with the fact that we need to have two physically different web servers, and the redirect from one to the other is not an option.
thus back to dns and to the original question, how do i solve multiple subdomains via a single static ip.   perhaps this will clear up my wording a bit:
(all examples)

single ip address:   45.34.22.12
one domain:          domain.com
single dns server:   192.168.1.20
file/dc server:      192.168.1.25
web server #1:       192.168.1.30
web server #2:       192.168.1.31
subdomain #1:        sub1.domain.com   (lives on web server #1)
subdomain #2:        sub2.domain.com   (lives on web server #2)

i understand that we can only redirect port 80 to one or the other, however there must
be a way in dns to point to the appropriate server based on the subdomain name.
hope this helps, and thanks again for your answer.
ASKER CERTIFIED SOLUTION
noci

thanks noci.  the proxies look like a shot.  any preferences on type of proxies? meaning specific software packages that are sure to handle this?
squid?
apache with the mod_proxy...

Be aware that in that case https: can be a problem, as the proxy needs to handle the ssl layer then
(certificate issues).
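The mod_proxy route noci suggests, written out as an Apache 2.2 httpd.conf fragment (added example, not from the thread): the router forwards port 80 to one box running this reverse proxy, and the proxy sends each request to the backend named in its Host: header. Backends are mutter223's 192.168.1.30 (sub1) and 192.168.1.31 (sub2); which host runs the proxy is assumed, and the DNS records are the CNAME/A records noci already described.

```apache
# httpd.conf fragment (Apache 2.2, mod_proxy + mod_proxy_http) for a reverse
# proxy that receives the router's single port-80 forward and passes each
# request to the backend named in its Host: header.
# Added example, not from the thread. Backends are mutter223's 192.168.1.30
# (sub1) and 192.168.1.31 (sub2); the proxy host itself is assumed.
NameVirtualHost *:80

# Reverse proxy only. ProxyRequests On would turn this into an open
# forward proxy for the whole Internet.
ProxyRequests Off

# The first vhost is the default for any Host: the others do not match.
# Refuse such requests rather than silently serving sub1's site.
<VirtualHost *:80>
    ServerName catchall.invalid
    <Location />
        Order deny,allow
        Deny from all
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName sub1.domain.com
    # Pass the original Host: header through so IIS on the backend can
    # still select its site by host header if it is configured that way.
    ProxyPreserveHost On
    ProxyPass        / http://192.168.1.30/
    ProxyPassReverse / http://192.168.1.30/
</VirtualHost>

<VirtualHost *:80>
    ServerName sub2.domain.com
    ProxyPreserveHost On
    ProxyPass        / http://192.168.1.31/
    ProxyPassReverse / http://192.168.1.31/
</VirtualHost>

# DNS side (public answers): both names resolve to the one public address,
# as noci showed, e.g.  sub1.domain.com IN A 45.34.22.12  (or a CNAME to
# the provider's name for that address).
# https: is the caveat noci raises: port 443 cannot be split on Host:, so
# the proxy would have to terminate SSL itself with a certificate for each
# name and talk plain HTTP (or a second SSL hop) to the backends.
```

ProxyPassReverse rewrites Location: headers in backend redirects so clients are not bounced to the unreachable 192.168.1.x addresses.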