• Status: Solved

Split DNS zone questions

I followed:

http://www.amset.info/netadmin/split-dns.asp

to set up a split DNS so that when a user wants to check email with OWA from inside the office, he still types https://xxxxxx.dyndns.org/exchange

(I set up another zone, dyndns.org, in my DNS on SBS 2003 R2, then entered a host record for xxxxxx with the LAN IP of our server.)

That's working, but what other settings can / should I add to allow other hostnames to be looked up outside? So if they type www.dyndns.org, it will go to our outside DNS server for the answer (rather than give up)?

In other situations, where everything else has a static IP, like www.ourdomain.com being hosted outside, I guess there'd be a host * with the IP of our outside web hosting server.

But for dyndns.org, each host would have a different IP, so we still need to resolve the name?
Asked by: babaganoosh

2 Solutions

Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
If you're using dyndns.org why did you set up split dns?

There's no reason to do that.  

Is your internal Active Directory Domain the same as your Internet domain?  (ie, ourdomain.com)?  Or is it a non-routable domain name such as ourdomain.local?

Jeff
TechSoEasy
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
In re-reading your question, I'm wondering if you created the proper DNS Zone file records at wherever that is (either the Domain Registrar or your Web Hosting Company).  

Because it seems like you are trying to do this on the SBS and that's not where it's done.

In the Public DNS Zone file you would add a CNAME record pointing <hostname> to xxxxxx.dyndns.org if you want them to be able to use http://hostname.yourdomain.com to access your server.

Jeff
TechSoEasy
 
babaganoosh (Author) commented:
Jeff - the office location has dynamic DSL. So I figured, for users to get back into the Exchange server (we are using the POP3 connector from the external mail hosting company), I'd set up dyndns.org to get to our machine from the outside. And then I'd like it to work on the inside too, so I'd do the split DNS...

Yeah, I would normally do what you suggested, but they don't have a static IP at the office :(

The internal domain is ourdomain.local, and the email / web is hosted outside by a hosting firm, and we use ourdomain.com.
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
What do you mean by "and then I'd like it to work on the inside too"?

Whether the IP address is static or dynamic makes no difference at all regarding the need for split DNS.

If you had a static IP you would not create a CNAME record in the Public DNS Zone file, you'd create a HOST A record pointing to the SBS's IP.  So you can either do as I've suggested, or you can move your DNS Hosting from wherever it is now (either your domain registrar or Web host) to DynDNS.org.  If you move it to DynDNS.org you would then be able to create the HOST A record as normal, and then you would create a CNAME record for www pointing to your web server.

As you can see... those are just opposite solutions to the same problem.  But in either case, your local DNS on the SBS isn't touched.  Since your internal domain is .local, there should be NO problem whatsoever for resolving any routable FQDN.

Jeff
TechSoEasy
 
Sembee commented:
Split DNS doesn't really work well with a dynamic DNS account.
What you should have done is configure a host in your own domain as a CNAME that points to your dynamic DNS address. That would also allow you to purchase an SSL certificate - which you cannot do on a dynamic DNS account.

Then in the local zone that is on the domain controller DNS you would create A records for the hosts.

Simon.
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Isn't that what I said?

Jeff
TechSoEasy
 
babaganoosh (Author) commented:
Interesting how one question spirals into loads of others! Thanks, guys, for going beyond the call!

I ran into this problem: once you create a zone for dyndns.org in your SBS DNS, then you have to also list checkip. as a host! Otherwise the dyndns updater won't work!

I'll work on the other issues you guys point out... but first: so I set up a DNS zone for dyndns.org and listed my hostname. Now I can get to the Exchange server while in the office from the xxx.dyndns.org address. But as I mention, checkip.dyndns.org fails. Is there a way to set up DNS so that if there's no host listed in the in-house zone, it knows to go out to our default DNS servers to resolve things like checkip.dyndns.org? The forwarders set for the server itself are only for entire domains not listed in the in-house DNS?

I like the idea of a CNAME. I just want to get them up and running. Yeah, the cert (not up to that) would be nice / I'll do the CNAME, then this issue would go away. But on a general concept, how do you forward when the host isn't listed in DNS but the domain is?
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Why did you create a zone for dyndns.org in your SBS DNS to begin with???

You should not need any of this; you are causing your own problems by doing so.

Your SBS's DNS should only have your internal domain name (company.local) which is created automatically when you first configure your server and run the CEICW.  

Jeff
TechSoEasy
 
babaganoosh (Author) commented:
'Why did you create a zone for dyndns.org in your SBS DNS to begin with???'

Because I didn't think of the CNAME routine you suggested. Now that I know that, I will do that... but I am also curious about the original question: when you do have a zone (domain) in your DNS, is there a way / how do you set up the DNS so that if you don't have the host listed, the DNS server in house would know to forward to the DNS outside?

 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
"how do you set up the DNS so that if you don't have the host listed, then the dns server in house would know to forward to the dns outside"

This is how your DNS is set up by default.  If you open the DNS Manager and right click on SERVERNAME > Properties > Forwarders you will see that it states "All other DNS domains" which means that any request for a domain other than what you've configured will resolve externally.  Since you have no control over dyndns.org you should not ever be creating a DNS Zone for that domain... because if you did, you would either have to manually input the thousands of subdomains or allow the zone to be dynamically updated, which dyndns.org may or may not allow anyhow.  (Even if they did allow it, the updates would not be secure and would severely compromise the security of your server).

Jeff
TechSoEasy
 
babaganoosh (Author) commented:
And even if I could, they'd change within a day! :)

Interesting. I have to read up on secondary and stub DNS servers. Neither of these does what I am thinking, huh? I realize the CNAME is the way to be doing this... but it just brings up an interesting (at least to me) issue. DNS isn't set up to forward if the host isn't in DNS, only if the domain isn't in DNS, huh?

Hmmm. (Again, I realize this is almost pointless; I just need to add exchange.ourdomain.com CNAME ourhost.dyndns.org in our DNS server's public DNS zone.)

But DNS caches work the way I am thinking: if the host isn't in the cache, then it moves on to other sources... how would you push a host into the cache with a really long time to live!? Make it part of the logon script for a machine on the LAN!?

Thanks!
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
"DNS isn't set up to forward if the host isn't in DNS.  Only if the domain isn't in DNS, huh?"

Yeah... because you should never add a domain that isn't yours to your internal DNS anyhow.

" i just need to add exchange.ourdomain.com cname ourhost.dyndns.org in our dns server's public dns's zone)"

Yep... that means you don't even touch your SBS's DNS Zone files... only the publicly hosted DNS Zone for ourdomain.com.

"how would you push a host into the cache with a really long time to live!?"

Can you give me a concrete example of where this might be a problem? The TTL on a single host record won't matter, because the DNS lookup will always try to go to the domain's authoritative record for any sub-domain (host) lookup. For example, take a look at the output for looking up sbs.techsoeasy.com:

http://centralops.net/asp/co/NsLookup.vbs.asp?domain=sbs.techsoeasy.com&type=255&server=&class=1&port=&timeout=5000&advanced=true&go.x=18&go.y=16

Jeff
TechSoEasy
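
Editor's added example (not code from the thread, Microsoft DNS, or any of the participants): a toy model of the decision Jeff describes above. A server that hosts a zone is authoritative for every name under it, so an unlisted host gets NXDOMAIN and the forwarders ("All other DNS domains") are never asked; forwarding only happens for names in no hosted zone. This is exactly why hosting all of dyndns.org on the SBS broke checkip.dyndns.org. The model also shows the standard workaround the thread does not discuss, a "pinpoint" zone named after the single FQDN to override (with the A record at the zone apex), and Sembee's and Jeff's CNAME placed in the public ourdomain.com zone. Hostnames are the thread's placeholders; every IP address is constructed, and the forwarder is simplified to a function that returns the final answer (CNAME chasing done upstream), which is the net effect of a recursive forwarder.

```python
"""Toy model: a DNS server answers from zones it hosts, or forwards.
Added illustration for this thread; not Windows DNS code.  All IPs are
constructed from RFC 1918 / RFC 5737 ranges."""

NXDOMAIN = "NXDOMAIN"
LAN_IP = "192.168.16.2"       # the SBS box on the office LAN (constructed)
PUBLIC_IP = "203.0.113.10"    # the office's current dynamic DSL address (constructed)
CHECKIP_IP = "203.0.113.99"   # checkip.dyndns.org (constructed)


class DnsServer:
    """zones: {zone_name: {owner_fqdn: (rrtype, rdata)}}; forwarder: callable or None."""

    def __init__(self, zones, forwarder=None):
        self.zones = {
            z.lower(): {n.lower(): rr for n, rr in recs.items()}
            for z, recs in zones.items()
        }
        self.forwarder = forwarder

    def zone_for(self, name):
        # Longest-suffix match: the most specific hosted zone that contains `name`.
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def resolve(self, name, depth=0):
        name = name.lower().rstrip(".")
        if depth > 8:
            return "SERVFAIL"  # runaway CNAME chain
        zone = self.zone_for(name)
        if zone is not None:
            # Authoritative for this name: answer from the zone or say NXDOMAIN.
            # The forwarders ("All other DNS domains") are never consulted here.
            rr = self.zones[zone].get(name)
            if rr is None:
                return NXDOMAIN
            rrtype, rdata = rr
            if rrtype == "CNAME":
                return self.resolve(rdata, depth + 1)
            return rdata
        if self.forwarder is None:
            return NXDOMAIN
        # Not a zone we host: the forwarder recurses for us, CNAME chasing included.
        return self.forwarder(name)


def public_dns():
    """Stand-in for the Internet: dyndns.org plus the hosting firm's ourdomain.com zone."""
    return DnsServer({
        "dyndns.org": {
            "xxxxxx.dyndns.org": ("A", PUBLIC_IP),
            "checkip.dyndns.org": ("A", CHECKIP_IP),
        },
        "ourdomain.com": {
            # Sembee's / Jeff's suggestion: the CNAME lives in the PUBLIC zone, not on the SBS.
            "exchange.ourdomain.com": ("CNAME", "xxxxxx.dyndns.org"),
        },
    })


def sbs_as_in_thread():
    """The asker's setup: the whole dyndns.org zone hosted on the SBS with one host in it."""
    return DnsServer(
        {"ourdomain.local": {"sbs.ourdomain.local": ("A", LAN_IP)},
         "dyndns.org": {"xxxxxx.dyndns.org": ("A", LAN_IP)}},
        forwarder=public_dns().resolve,
    )


def sbs_with_pinpoint_zones():
    """Zones named after the exact FQDNs to override, A record at the zone apex."""
    return DnsServer(
        {"ourdomain.local": {"sbs.ourdomain.local": ("A", LAN_IP)},
         "xxxxxx.dyndns.org": {"xxxxxx.dyndns.org": ("A", LAN_IP)},
         "exchange.ourdomain.com": {"exchange.ourdomain.com": ("A", LAN_IP)}},
        forwarder=public_dns().resolve,
    )


if __name__ == "__main__":
    broken, fixed, internet = sbs_as_in_thread(), sbs_with_pinpoint_zones(), public_dns()
    for name in ("xxxxxx.dyndns.org", "checkip.dyndns.org", "exchange.ourdomain.com"):
        print(f"{name:24} thread-setup={broken.resolve(name):14} "
              f"pinpoint={fixed.resolve(name):14} outside={internet.resolve(name)}")
```

Two things the model makes visible. First, with the thread's setup checkip.dyndns.org comes back NXDOMAIN from the SBS even though the forwarder could answer it, because dyndns.org is a hosted zone; the pinpoint zone overrides only xxxxxx.dyndns.org and lets every other dyndns.org name forward normally. Second, if the internal server has no override for exchange.ourdomain.com, inside clients receive the public address via the forwarder (the "thread-setup" column), so the CNAME alone does not give LAN clients the LAN IP; either add a pinpoint zone for that name too, as shown, or rely on the router supporting NAT loopback.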