Solved

DNS Forwarding to IIS in another Domain

Posted on 2006-11-11
8
793 Views
Last Modified: 2008-02-01
Environment: Windows 2003 Ent. Two Domains. 1 router, 1 firewall handling both domains on one RJ45 socket i.e. the second domain shares the same DMZ cable and backend switch as the first domain. (Both of these domains are set up on the DMZ)

I have DNS servers on one domain and I need to point traffice to an IIS server on the other domain. Will a normal HOST (A) record and WWW record DNS entry be sufficient? i.e. Can I put 2 host records of the IIS server in one DNS entry of a domain pointing to the IP address of the IIS server in the other domain?

I have set up a 2-way transitive trust between the domains.
0
Comment
Question by:PWyatt1
  • 4
  • 4
8 Comments
 
LVL 19

Expert Comment

by:feptias
Comment Utility
The internal DNS servers must contain Host (A) records for the servers on the LAN defining their actual computer name and internal IP address. Provided you do not have a server called www, you can create a CNAME (alias) record for www and point it to any server that has a Host (A) record. CNAME records point to FQDN's, not to IP addresses. CNAME records in one domain can point to Host records in another domain so you could have a CNAME for www.domain1.local pointing to an IIS server PC with the FQDN mywebserver.domain2.local. This would be the best solution if you are referring to local intranet web site access only.

If, however, your web sites are being accessed from the Internet then the routing to the IIS server will be determined by the external IP address on the router and the port forwarding rules set in the router. Public DNS servers will contain records that determine the IP address to be used for, say, www.domain1.com and this will need to be an address that corresponds to a static IP address on the WAN side of the router. The router rules will then determine what happens to http requests arriving on its WAN port. If you want different web sites to be hosted on different IIS servers, then the easiest solution is to have a different static IP address on the WAN port of the router for each IIS server, then use port forwarding or one-to-one NAT to direct the requests to the right server.

Hope this helps.
0
 

Author Comment

by:PWyatt1
Comment Utility
H-m-m-m-m. Sorry feptas, didn't quite understand. The router on the WAN (Cisco1720) is connected to the Internet and has the two subnets in its ARP and passes through queries to my firewall. The 2 subnets share the same DMZ port on my firewall as the firewall is set up to handle queries to both subnets. All my servers have static IP addresses and are connected to a switch that in turn is connected to the DMZ port on the firewall. The first subnet has been up and running for years.

The router and the firewall are not germaine to this question. They are set up and working. I just need a little direction on what entries to put into a zone on the second subnet (Domain 2) to talk to the first subnet (Domain 1). Example: For a DMZ zone on, say Subnet2 (Domain2.com), what are the records needed to pass queries to an IIS server called say, IISserver1 with IP addresss 67.95.76.244 on Subnet1(Domain1)? I have assumed that all I need are 2 host records:

(same as parent folder)  HOST (A)       67.95.76.244
www                            HOST (A)        67.95.76.244

The questions I have are:
1. Are these all the entries I need? if not, what do I need to add/delete/change?
2. Do I need to keep/setup up a transitive trust between the domains?

Thanks
0
 
LVL 19

Expert Comment

by:feptias
Comment Utility
I believe your question may not be valid. You appear to be asking how to configure the DNS records to make DNS do something that it cannot do. A DNS server resolves names to IP addresses. It does not forward or re-direct IP traffic. I have read that ISA server can redirect http traffic based on the host header, so maybe you should look at that.
0
 

Author Comment

by:PWyatt1
Comment Utility
Thanks Fetpas.

In my situation, the name has already been resolved by my DNS resolution to the zone in the first domain. I don't want a redirect per se (i.e. redirect from one zone to another). I just want to pass over requests from a DNS server in one domain to a webiste on an IIS server in another domain. The two host records that I posted in the prior post are what I have set up to forward to the IIS server. Both domains happen to reside on the same physical netword, but with different subnet masks.

So, netting everything out, you are saying that these two host record entries will not get me over to the IIS server on the other subnet/domain?

Thanks
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 19

Expert Comment

by:feptias
Comment Utility
I am not clear what you mean at the moment. We need to get some clarity on a few basics.
1. The two domains you mentioned - are they Windows AD domains, Internet domains (i.e. used for web and e-mail addresses) or both?
2. Are the web sites hosted on your web servers accessed from workstations on the LAN, from Jo Public on the Internet or both?
3. What device handles the routing from one subnet to the other? Can you already ping servers on one subnet from PC's on the other?
4. You describe the firewall as "set up to handle queries to both subnets", so the firewall is doing some routing. What sort of rules can you configure in this firewall that would determine if an http request coming from the Internet is going to be sent to subnet 1 or subnet 2?
5. Are you using NAT and, if so, how many static IP addresses do you have on the Internet port? (This question is not relevant if the answer to 2 is that Jo Public does not access your web sites)
6. Are you trying to get some web sites hosted on an IIS server in one domain/subnet while other web sites are hosted on a different IIS server in the other domain/subnet? (The alternative possibility would be that you are moving a single IIS server from one domain to the other).
7. Are you referring to internal DNS servers that are an integral part of the Windows AD setup or to external public DNS servers that are used to resolve name requests on the Internet? If the latter, are you hosting your own public DNS servers inside the DMZ or is it based on an external hosting service such as GoDaddy.com?

An IIS server running on one PC can host web sites for a great number of different Internet domains. You could be hosting sites for www.abcfish.com, www.xyzcats.com and www.wibble.co.uk on a server that is a member of the Windows domain mycompany.com or (better) mycompany.local. The routing of web traffic to that server is done by IP address. In the case of public web sites, your router or firewall would be configured to forward all http traffic to a particular IP address - the address of the IIS server. DNS would only be used by the browser to find the public port on your router. The Windows domain or even the destination subnet are of no significance provided the router can send the traffic to the IP address of the server. In the case of internal intranet web sites the IP address of the server would be found by resolving the URL of the web site on a local (internal) DNS server. A common problem in this situation is that your Windows AD domain name is identical to the domain name you want to use for your web site - e.g. web site is www.mycompany.com and Windows AD domain name is mycompany.com. This makes it impossible to use the URL http://mycompany.com because the DNS records for that name are fixed by the requirements of AD. However, it would still be possible to add a DNS record (Host A) for www that points to the IP address of the IIS server PC thus allowing you to use http://www.mycompany.com. If the web server allows anonymous access then the fact that the web server is a member of another Windows domain is not relevant. All that is relevant is that the PC doing the browsing is able to send IP traffic to the web server - if the web server is on a different subnet then that traffic will have to go via some kind of router.
0
 

Author Comment

by:PWyatt1
Comment Utility
Thanks Fepta:
1. They are Internet domains, and as I said before , all of the DNS servers and IIS servers are on on the same DMZ. In Subnet1 (Domain1), there are 2 DNS servers (primary and secondary), 1 domain controller, and 1 IIS server, all AD integrated. On the second subnet (Domain2, there are 2 DNS severs and a domain controller with AD integrated DNS. I want the queries coming into Domain 2 to be sent over to the IIIS server on Domain 1. The domains are completely separate as far as the Internet root directories are concerned.
2. Servers are accessible to Jo Public from the WAN to the DMZ. All the servers sit on the DMZ.
3. No NAT, just transparent mode.
4. The firewall has been configured to do the routing to the 2 different subnets, and I can ping between one and the other. Don't worry about the configuration and the routing of the firewall. That has been tested, debugged and is up and running.

I appreciate all the detailed information you are giving me, but I am a simple man with a simple question. How do I route website requests from one domain to an IIS server in a different domain? Exactly what records do I need to put into the zone of the DNS server to route to the IIS server in the other domain.

Thanks for the help.
0
 
LVL 19

Accepted Solution

by:
feptias earned 125 total points
Comment Utility
Perhaps I am looking for complexity and problems when there are none. I just assumed that you must be having some kind of problem with the DNS not behaving as you expected. Almost every web site in the World has the DNS server on a different subnet to the web server so it seemed strange that you mentioned this fact if it was causing no specific problems.

If you were to add the following 2 host records to the forward lookup zone for abcfish.com, and the DNS server on which you do it is the authoritative server for the Internet domain abcfish.com then Jo Public will be able to enter http://www.abcfish.com into his web browser and his browser will send its requests directly to 67.95.76.244:

(same as parent folder)  HOST (A)       67.95.76.244
www                            HOST (A)        67.95.76.244

An alternative, and possibly superior, method would be like this:
Suppose the web server is a member of the Internet domain wibble.com and its FQDN is websvr1.wibble.com. This means that you already have a Host (A) record in the forward lookup zone for wibble.com like this:
websvr1                     HOST (A)           67.95.76.244

So now you could add CNAME records to the forward lookup zone for abcfish.com like this:
(same as parent folder)   Alias (CNAME)          websvr1.wibble.com
www                             Alias (CNAME)          websvr1.wibble.com

The reason this second method is superior is because it gives you the option to change the IP address of the web server in a single place at some future date. Even if it is hosting the web sites for many different Internet domains, provided each of those is using a CNAME to point to it then you only need to change the Host (A) for websvr1 and that change will work for all the web sites.

I assume you already know about using host headers on the IIS server.

I really hope this is now the answer you were looking for.
0
 

Author Comment

by:PWyatt1
Comment Utility
Bingo!
Thanks for the help and the options.
You get a gold star :)
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now