babaganoosh asked:

Split DNS zone questions

I followed:

http://www.amset.info/netadmin/split-dns.asp

to set up a split dns so when a user wants to check email with OWA from inside the office, he still types https://xxxxxx.dyndns.org/exchange

(I set up another zone, dyndns.org, in my DNS on SBS 2003 R2, then entered a host record for xxxxxx with the LAN IP of our server.)

That's working, but what other settings can / should I add to allow other hostnames to be looked up outside?  So if they type www.dyndns.org, it will go to our outside DNS server for the answer (rather than give up)?

in other situations, where everything else has a static IP, like www.ourdomain.com is hosted outside, I guess there'd be a host * with the IP of our outside web hosting server.

but for dyndns.org, each host would have a different IP so we still need to resolve the name?
Jeffrey Kane - TechSoEasy

If you're using dyndns.org why did you set up split dns?

There's no reason to do that.  

Is your internal Active Directory domain the same as your Internet domain (i.e., ourdomain.com)?  Or is it a non-routable domain name such as ourdomain.local?

Jeff
TechSoEasy
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy
This solution is only available to members of Experts Exchange.
babaganoosh (ASKER)

Jeff - the office location has dynamic DSL.  So I figured for users to get back into the Exchange server (we are using the POP3 connector from the external mail hosting company) I'd set up dyndns.org to get to our machine from the outside.  And then I'd like it to work on the inside too, so I'd do the split DNS...

yeah, I would normally do what you suggested, but they don't have a static IP at the office : (

The internal domain is ourdomain.local and the email / web is hosted outside by a hosting firm and we use ourdomain.com.
What do you mean by "and then I'd like it to work on the inside too"?

Whether the IP address is static or dynamic makes no difference at all regarding the need for split DNS.

If you had a static IP you would not create a CNAME record in the Public DNS Zone file, you'd create a HOST A record pointing to the SBS's IP.  So you can either do as I've suggested, or you can move your DNS Hosting from wherever it is now (either your domain registrar or Web host) to DynDNS.org.  If you move it to DynDNS.org you would then be able to create the HOST A record as normal, and then you would create a CNAME record for www pointing to your web server.

As you can see... those are just opposite solutions to the same problem.  But in either case, your local DNS on the SBS isn't touched.  Since your internal domain is .local, there should be NO problem whatsoever for resolving any routable FQDN.

Jeff
TechSoEasy
SOLUTION
This solution is only available to members of Experts Exchange.
Isn't that what I said?

Jeff
TechSoEasy
Interesting how one question spirals into loads of others!  Thanks guys for going beyond the call!

I ran into this problem (once you create a zone for dyndns.org in your SBS DNS, then you have to also list checkip as a host!  Otherwise the DynDNS updater won't work!)

I'll work on the other issues you guys point out... but first, so I set up a DNS zone for dyndns.org and listed my hostname.  Now I can get to the Exchange server while in the office from the xxx.dyndns.org address.  But as I mentioned, checkip.dyndns.org fails.  Is there a way to set up DNS so if there's no host listed in the in-house zone, it knows to go out to our default DNS servers to resolve things like checkip.dyndns.org?  The forwarders set for the server itself are only for entire domains not listed in the in-house DNS?

I like the idea of a CNAME.  I just want to get them up and running.  Yeah, the cert (not up to that) would be nice / I'll do the CNAME, then this issue would go away.  But on a general concept, how do you forward when the host isn't listed in DNS but the domain is?
Why did you create a zone for dyndns.org in your SBS DNS to begin with???

You should not be needing any of this, you are causing your own problems by doing so.

Your SBS's DNS should only have your internal domain name (company.local) which is created automatically when you first configure your server and run the CEICW.  

Jeff
TechSoEasy
'Why did you create a zone for dyndns.org in your SBS DNS to begin with???'

Because I didn't think of the CNAME routine you suggested.  Now that I know that, I will do that... but I am also curious about the original question - when you do have a zone (domain) in your DNS, is there a way / how do you set up the DNS so that if you don't have the host listed, then the DNS server in house would know to forward to the DNS outside?

"how do you set up the DNS so that if you don't have the host listed, then the dns server in house would know to forward to the dns outside"

This is how your DNS is set up by default.  If you open the DNS Manager and right click on SERVERNAME > Properties > Forwarders you will see that it states "All other DNS domains" which means that any request for a domain other than what you've configured will resolve externally.  Since you have no control over dyndns.org you should not ever be creating a DNS Zone for that domain... because if you did, you would either have to manually input the thousands of subdomains or allow the zone to be dynamically updated, which dyndns.org may or may not allow anyhow.  (Even if they did allow it, the updates would not be secure and would severely compromise the security of your server).

Jeff
TechSoEasy
and even if I could, they'd change within a day!  : )

Interesting.  I have to read up on secondary and stub DNS servers.  Neither of these do what I am thinking, huh?  I realize the CNAME is the way to be doing this... but it just brings up an interesting (at least to me) issue.  DNS isn't set up to forward if the host isn't in DNS.  Only if the domain isn't in DNS, huh?

Hmmm.  (Again, I realize this is almost pointless - I just need to add exchange.ourdomain.com CNAME ourhost.dyndns.org in our domain's public DNS zone.)

But DNS caches work the way I am thinking - if the host isn't in the cache, then it moves on to other sources... how would you push a host into the cache with a really long time to live!?  Make it part of the logon script for a machine on the LAN!?

Thanks!
"DNS isn't set up to forward if the host isn't in DNS.  Only if the domain isn't in DNS, huh?"

Yeah... because you should never add a domain that isn't yours to your internal DNS anyhow.

" i just need to add exchange.ourdomain.com cname ourhost.dyndns.org in our dns server's public dns's zone)"

Yep... that means you don't even touch your SBS's DNS Zone files... only the publicly hosted DNS Zone for ourdomain.com.

"how would you push a host into the cache with a really long time to live!?"

Can you give me a concrete example of where this might be a problem?  Because the TTL on a single host record won't matter.  Because the DNS lookup will always try to go to the domain's authoritative record for any sub-domain (host) lookup.  For example, take a look at the output for looking up sbs.techsoeasy.com:

http://centralops.net/asp/co/NsLookup.vbs.asp?domain=sbs.techsoeasy.com&type=255&server=&class=1&port=&timeout=5000&advanced=true&go.x=18&go.y=16

Jeff
TechSoEasy
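The rule Jeff states above ("All other DNS domains" forwarding only applies to domains the server is not authoritative for, so a host missing from a locally hosted dyndns.org zone gets NXDOMAIN rather than being forwarded) and the CNAME alternative in the public ourdomain.com zone can both be seen in a small model of the resolution logic. This is an added example written for this page; it is not code from the thread, from Experts Exchange, or from Microsoft's DNS server. The zone names follow the thread (ourdomain.local, ourdomain.com, xxxxxx.dyndns.org); every IP address, the sbs.ourdomain.local host and the www.dyndns.org record are constructed for the demonstration.

```python
"""Toy model of 'Forwarders: All other DNS domains'.

Added example, not from the original thread or from any DNS server's code.
A server that is authoritative for a zone answers every name under that zone
itself: a host that is missing from the zone gets NXDOMAIN and is never
forwarded.  Forwarding only happens for names under no local zone.
All host names and addresses below are constructed for the demonstration.
"""
from typing import Callable, Dict, Optional, Tuple

RR = Tuple[str, str]                 # ("A", "192.0.2.1") or ("CNAME", "target")
Answer = Tuple[str, Optional[str]]   # ("A", ip), ("NXDOMAIN", None), ("SERVFAIL", None)


class DnsServer:
    def __init__(self, zones: Dict[str, Dict[str, RR]],
                 forward: Optional[Callable[[str], Answer]] = None) -> None:
        # zone name -> {fqdn -> record}; names compare case-insensitively
        self.zones = {z.lower(): {n.lower(): rr for n, rr in recs.items()}
                      for z, recs in zones.items()}
        self.forward = forward       # the "All other DNS domains" forwarder

    def enclosing_zone(self, name: str) -> Optional[str]:
        """Longest-suffix match: the closest local zone containing `name`."""
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def query(self, fqdn: str, depth: int = 0) -> Answer:
        if depth > 8:                # CNAME loop guard
            return ("SERVFAIL", None)
        name = fqdn.lower().rstrip(".")
        zone = self.enclosing_zone(name)
        if zone is not None:
            rr = self.zones[zone].get(name)
            if rr is None:
                # Authoritative for the zone but the host is not listed:
                # NXDOMAIN, never forwarded.  This is the checkip failure.
                return ("NXDOMAIN", None)
            rtype, data = rr
            if rtype == "CNAME":
                # Chase the target; it may live in another zone or outside.
                return self.query(data, depth + 1)
            return (rtype, data)
        if self.forward is None:
            return ("NXDOMAIN", None)
        return self.forward(name)    # not our domain: forward the whole lookup


# Constructed addresses (RFC 5737 documentation ranges for the public ones)
LAN_SBS = "192.168.16.2"       # the SBS on the LAN
DSL_TODAY = "203.0.113.10"     # whatever the dynamic DSL address is today
CHECKIP = "198.51.100.5"       # stands in for checkip.dyndns.org
WEBHOST = "198.51.100.80"      # the hosting firm's web server


def internet_dns() -> DnsServer:
    """Stand-in for the public DNS the SBS forwards to."""
    return DnsServer({
        "dyndns.org": {
            "xxxxxx.dyndns.org": ("A", DSL_TODAY),
            "checkip.dyndns.org": ("A", CHECKIP),
            "www.dyndns.org": ("A", WEBHOST),
        },
        "ourdomain.com": {
            "www.ourdomain.com": ("A", WEBHOST),
            # the CNAME suggested in the thread, placed in the public zone
            "exchange.ourdomain.com": ("CNAME", "xxxxxx.dyndns.org"),
        },
    })


def sbs_with_dyndns_zone() -> DnsServer:
    """What the asker built: a dyndns.org zone on the SBS with one host."""
    return DnsServer({
        "ourdomain.local": {"sbs.ourdomain.local": ("A", LAN_SBS)},
        "dyndns.org": {"xxxxxx.dyndns.org": ("A", LAN_SBS)},
    }, forward=internet_dns().query)


def sbs_as_recommended() -> DnsServer:
    """Only the internal .local zone; everything else is forwarded."""
    return DnsServer({
        "ourdomain.local": {"sbs.ourdomain.local": ("A", LAN_SBS)},
    }, forward=internet_dns().query)


def compare() -> Dict[str, Dict[str, Answer]]:
    names = ["xxxxxx.dyndns.org", "checkip.dyndns.org",
             "www.dyndns.org", "exchange.ourdomain.com"]
    return {
        "with_dyndns_zone": {n: sbs_with_dyndns_zone().query(n) for n in names},
        "recommended": {n: sbs_as_recommended().query(n) for n in names},
    }


if __name__ == "__main__":
    for setup, answers in compare().items():
        print(setup)
        for n, a in answers.items():
            print(f"  {n:28} -> {a}")
```

With the dyndns.org zone on the SBS, xxxxxx.dyndns.org resolves to the LAN address but checkip.dyndns.org and www.dyndns.org come back NXDOMAIN, because the forwarder is consulted only when no local zone encloses the name. With only ourdomain.local hosted locally, every dyndns.org name is forwarded, and exchange.ourdomain.com is answered by chasing the public CNAME to the current dynamic address. Note that in the recommended setup a LAN client receives the public DSL address for the Exchange host; whether the office router then delivers that traffic back to the SBS is a NAT question outside this model.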