Simplest Way to configure Internal DNS to resolve External hostname for mail host instead of Private IP

Posted on 2007-11-19
5,228 Views
Last Modified: 2012-08-13
I am looking for a solution or way to set up an internal DNS resolver so our private internal LAN clients can connect to MAILHOST over its resolved hostname.
We have DHCP running on a WIN 2003 Server that has a private IP. The secondary NIC is free and we have a spare global IP. Currently PAT and NAT is done on each public-facing IP translating to private internal.
Currently we are connecting over its private internal address and port forwarding out to our public IP, and this is fine for the majority, but of course the laptops, as soon as they are offsite, require their SMTP / POP details to be altered, and again on arrival back at work.
The idea being that mailhost.whoever.com resolves externally by our external DNS, allowing smtp.whoever.com and pop.whoever.com to be used in the clients.
And on the LAN side an internal DNS JUST for internal clients (to ensure that mailhost.whoever.com is accessible and smtp.whoever.com + pop.whoever.com are usable in the LAN nodes' email client config).
I believe this is called split horizon DNS? However, we really only want the lookups done for our mail host, not every HTTP lookup.

Ideally, if our router supported NAT loopback we would roll with that, but as Murphy's law dictates... it doesn't, and so I'm trying to establish a bandwidth-friendly alternative.

Any suggestions, guys / girls?



Question by:lynuss030
3 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 20318307

Split Brain DNS, two Start of Authority (SoA) Servers for a single Domain. Split Horizon is used in Link State routing protocols to prohibit a route being advertised out on the interface it was learned, not quite the same thing :)

There are two different ways to achieve what you wish, the only difference really is the scope you wish to give DNS. Hopefully that will become clear in a moment.

1. Open the DNS Console
2. Expand Forward Lookup Zones
3. Create a New Forward Lookup Zone. Primary, AD Integrated.

4. This is the point where you get to decide the scope:

If you wish only to resolve mailhost.whoever.com to a private IP within your network, but nothing else within whoever.com:

Zone Name: mailhost.whoever.com (or hostname.whoever.com)

If you wish to take responsibility for all records beneath whoever.com:

Zone Name: whoever.com

5. Disable Dynamic Updates for the Zone.
6. Add records appropriate to your Zone Name.

For a zone called mailhost.whoever.com:

Remove any Host (A) Records bound to "(same as parent folder)", add a new Host (A) Record with a Blank Name, point it at the Internal IP Address of the Server.

For whoever.com:

Add Host (A) Records, set the name to mailhost and the IP to the Internal Address of the Server.


Using this method we're treating mailhost.whoever.com as a domain in its own right. As it's a Subdomain of whoever.com it won't have any impact on whoever.com except for the names which match the Subdomain (the rest will continue to resolve via the Public DNS). Basically we're providing an exception for a single entry beneath the whoever.com zone.

Setting the zone to whoever.com makes us responsible for everything beneath the zone, in that instance you would have to add every record you expect to resolve within the zone.

Hope that all makes sense! If anything is not clear please don't hesitate to ask for clarification.

Chris

Author Comment

by:lynuss030
ID: 20325388
Hi Chris, thanks for the fast response.
OK, definitely just want the mail DNS set up, as I'm unsure of our current public DNS; when I do an nslookup as it currently stands I get a non-authoritative answer back with the correct details, Name followed by global IP.

The mail server itself does a DNS lookup of its own name before it will allow mail in and out; we don't want it resolving to its internal DNS.

The public records are held with everydns.net; could you confirm I don't have to change anything there?
This setup I would like purely to allow one setting for ALL, i.e. mail.whoever.com internally on LAN clients.

The mail.whoever.com externally on HOME clients can be handled (and works well) by the external DNS

Three questions, if I could:

Will the Win 2003 server need a global IP and its own NIC to communicate to the outside world on 53? Currently I have a global IP set up for it and its port (53) is forwarded from a global IP to its internal private IP 192.xx.x.x. Would this require more port(s) forwarding and any referencing in our public DNS NS/A/MX files?

Will this allow the current clients to keep their current configuration, i.e. 192.XX.XX.XX?
i.e. either email client configuration will roll: smtp host = 192.xx.xx OR smtp host = mail.whoever.com

Do the network clients (we do not operate AD or OD here, just file serving over AFP; it's a mixed-platform network) need to have the private IP of the DNS server listed in the Primary DNS panel of their Internet Protocol TCP/IP prefs?

Again, thanks for your support on this.

ben

LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 2000 total points
ID: 20326873

Hi Ben,

Do you have a Name Server within your network which resolves Private Names and Addresses? If you had AD you would, which makes the methods above fairly safe (I assumed you did have AD, most do, after all :)).

If the only Internal Name Server is a Public one you can still make this change as long as Internal Clients refer to it. Externally it would still resolve correctly as your server is not Authoritative for the zones in question according to the Top Level Domain servers.

If you don't have a DNS Server on your LAN at all then you would either need to add one or achieve this another way.

> The mail server itself does a DNS lookup of its own name before it
> will allow mail in and out; we don't want it resolving to its internal DNS

This may be problematic. But could be resolved by creating a different name to access the mail services on for clients, or by having the Mail Server use a different Name Server from the clients.

> The public records are held with everydns.net; could you confirm
> I don't have to change anything there?

Yep, I can confirm that. We're only looking at setting this so LAN Clients can resolve the host to a different IP from Public Clients.

> Will the win 2003 server need a global IP and its own NIC to
> communicate to the outside world on 53?

No. As far as I understood you only wanted to provide this service to LAN clients, so no one outside the LAN will need to care about it.

It will only need outbound access to continue resolving other internet names.

> Will this allow the current clients to keep their current configuration,
> i.e. 192.XX.XX.XX?
> i.e. either email client configuration will roll: smtp host = 192.xx.xx
> OR smtp host = mail.whoever.com

IP Based configuration will be completely unaffected by this change. Name based resolution will only be affected while on the LAN, and hopefully for the better.

If we were to make an internal name for mail.whoever.com then clients could happily resolve that to 192.x.x.x while on the LAN, but still correctly resolve it to the Public IP outside the LAN.

I hope that all makes sense.

Chris
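To make the scope decision in the accepted solution concrete, and the follow-up point that the mail server should keep using a different (public) name server, here is an added model of how an internal server with each zone choice answers a LAN client. It is example code, not part of the thread or of Windows DNS; the zone names, the 192.168.1.25 / 203.0.113.x addresses and the "public" records are constructed.

```python
"""Model of the two split-brain scopes from the accepted solution: the internal
server answers from the longest local zone that matches the name and forwards
everything else to public DNS.  Names and addresses are constructed."""

# Constructed "public" view of whoever.com, as the external DNS would answer.
PUBLIC_DNS = {
    "mailhost.whoever.com": "203.0.113.25",
    "www.whoever.com": "203.0.113.80",
}

# Narrow scope: a zone named after the host itself, holding one blank-name
# (apex, "@") A record that points at the private address.
NARROW_ZONE = {"mailhost.whoever.com": {"@": "192.168.1.25"}}

# Wide scope: taking over whoever.com, with only the mailhost record added.
WIDE_ZONE = {"whoever.com": {"mailhost": "192.168.1.25"}}


def resolve(name, local_zones, public=PUBLIC_DNS):
    """Return (address, source) as a LAN client of the internal server sees it.

    source is "internal" for a local authoritative answer, "nxdomain" when the
    name sits inside a local zone that lacks the record (it is never forwarded)
    and "public" when no local zone covers the name.
    """
    name = name.lower().rstrip(".")
    best = None
    for zone in local_zones:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    if best is None:
        return public.get(name), "public"
    label = "@" if name == best else name[: -len(best) - 1]
    address = local_zones[best].get(label)
    return address, "internal" if address else "nxdomain"


def compare_scopes(names=("mailhost.whoever.com", "www.whoever.com")):
    """Show what each scope returns; the wide zone breaks every record not added."""
    return {n: {"narrow": resolve(n, NARROW_ZONE), "wide": resolve(n, WIDE_ZONE)}
            for n in names}


if __name__ == "__main__":
    for name, views in compare_scopes().items():
        print(name, views)
    # The mail server checking its own name should keep using public DNS only:
    print(resolve("mailhost.whoever.com", {}))
```

Running it shows www.whoever.com still reaching the public address under the narrow zone but returning NXDOMAIN under the wide zone, which is the "every record you expect to resolve" caveat from the answer.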