Solved

What is the required DNS configuration for a server to host a service thru the Internet?

Posted on 2008-06-13
Last Modified: 2013-12-25
The following is a current & real environment; High security & encryption, Border Routers, Windows 2003 Servers & Internet connected XP Dell PCs.
Example: Domain.com; server host name: my-app.domain.com;

A Private corp communication server running a win32 app which uses Java thru the Internet to connect to other non-profit company PCs running the win32 app.  Each company has a router & public IP - the PCs use private IPs.  Domain.com has registered x.x IP Network & uses two public IPs: x.x.200.88 & x.x.100.88 for myapp.domain.com.
   1a. Corp wants non-profits to set up firewall to allow access to myapp.domain.com.
   1b. Corp wants no reverse lookup capability from the Internet.
   2a. Non-profits want to only allow IPs: x.x.200.88 & x.x.100.88 on their firewalls.
   2b. Corp states that they do not publish the two public IPs: x.x.200.88 & x.x.100.88 for myapp.domain.com and they may change anyway.  Again they insist that we use myapp.domain.com.

My question: How is the DNS for the Internet configured in this environment?  Since the corp company is using the Internet & public addresses - how can they hide their public IPs & can they prevent non-profits from using the IPs, instead of the name?

Note: I think the questions are all answered from the same info; however, if not, I can create additional questions, if needed.  Thanks much.
Question by:kbbcnet
11 Comments
 
LVL 11

Expert Comment

by:rowansmith
ID: 21784269
You need to explain this question a bit better...

Tell me what you want to be able to do.  What you are doing at the moment, and what is not working as you would expect.

Thanks.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 21784270
You don't need to make any changes to your internet DNS records.
Modify the internal DNS only.

This can be done in 2 ways:
1. If the non-profits are using an internal DNS server, just have them add a record for myapp.domain.com that points to the corp public IP
2. If the non-profit is not using an internal DNS server, then they could add an entry to the individual PC's hosts file.
0
 
LVL 16

Author Comment

by:kbbcnet
ID: 21785514
kdearing:

You have hit on the problem and as I stated in my initial post - how to allow access thru the firewall.
Most non-profits have internal DNS; however some do not.

Corp is not publishing their IPs and will not give out that info???
They insist that every non-profit use the DNS name, instead of the IP.

I do not know why, but I think they have become paranoid about their IPs?
In their documentation, they state if you must use an IP, then 157*.*.*.
I asked their IT dept if this is a misprint; I have not seen this kind of firewall config.
0
 
LVL 16

Author Comment

by:kbbcnet
ID: 21785572
rowansmith:

The app uploads & downloads files with corp.
The app has the corp server name [myapp.mydomain.com] listed in the upload/download field.

I want to configure the non-profit firewalls to allow the app to contact the corp server and then not interfere with the Java files upload/download.

There are many different firewalls, Cisco, Cisco Pix, proxies, Windows Server and the like.
Some of the firewalls cannot be configured to use names, only IPs.

I always understood - if a company has a data center app set up to connect via the Internet with other companies' users running the user side app; then you Dig the Internet DNS info and use this IP.
Is this not so and can corp circumvent this by (as they stated) not publishing their IPs?
0
 
LVL 13

Expert Comment

by:kdearing
ID: 21785623
You cannot stop anyone from using IPs vs names.
Internet communication is determined by IP addresses, not by names.
A name is just a user-friendly way to use them, you don't have to remember all those numbers.
The name gets resolved into an IP address using DNS,  BEFORE it leaves your computer.

As far as the firewall is concerned, it's all about IP addresses. Unless you've specifically configured it to block certain domain names, it will work.
0
 
LVL 13

Expert Comment

by:kenfcamp
ID: 21785726
[You cannot stop anyone from using IPs vs names.]

While this is true, you can always try to work around it.

The easiest way is to create a virtualhost profile for the ip addy using an index page that would redirect traffic to myapp.domain.com. You will need to assign a name for it, so to keep it simple you can use something like mychkapp.domain.com

Then create a virtualhost profile for myapp.domain.com

or you could always redirect traffic going to http://xxx.xxx.xx.xxx to http://myapp.domain.com

Ken
0
 
LVL 16

Author Comment

by:kbbcnet
ID: 21785734
kdearing:

I have used several Internet tools, Dig, Nslookup, etc. The corp data center FTP resolves to an IP which does not work thru the Firewall.  Server down or not available message.

Prior to the change of the corp IP all was working as expected.

Is there a configuration a large corp like MS, Cisco, HP, etc. could create where the FTP server name would work and the resolved IP to that server name would not?
0
 
LVL 16

Author Comment

by:kbbcnet
ID: 21785753
kenfcamp:

The problem for the non-profit sites is that the other Corp company who provides the app states they will not give out their IP, you must use the FTP server domain name in your firewalls, etc.
Suddenly the IP which the corp FTP resolves to will not work in the Firewall; whereas before corp changed the IPs all worked as expected and the app connected as designed to upload/download.

My tests reveal there appears to be no reverse lookup set up on the corp site; however, I am not privy to such info and the IT dept is less than helpful.

It seems in regard to their app, it is their way or the highway.
This would not be a problem, excepting some non-profit site firewalls only work if the FTP site has an IP.
0
 
LVL 13

Expert Comment

by:kenfcamp
ID: 21785835
soooooo, what is it you are looking for? IOW, what is it you are trying to do?

As far as DNS configurations for hosted services, there aren't any so long as the DNS for the domain being used/accessed is set up properly
0
 
LVL 16

Author Comment

by:kbbcnet
ID: 21785919
kenfcamp:

I am looking for the Corp IP to add to the non-profit firewalls.
IOW
I am trying to determine if Corp has set up the FTP & hidden their real public IP.
Using something such as anonymizer or CBAC
(Corp supports over 5000 locations thru their app & has several Class B IPs [a subset of MS])
0
 
LVL 16

Accepted Solution

by:
kbbcnet earned 0 total points
ID: 21827913
Solution, and then close the question by clicking "Accept as Solution" on your own post.

I have verified the info I was looking for.

The simple answer I was looking to verify is that a large corp as this one could not de-publish their IP.
The DNS name would always resolve to some IP which then could be added to a Firewall if needed.

Also, many firewalls can use the DNS name &/or filter by packet at the higher layers allowing the server name thru.

Thanks.
0
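
The situation in this thread (a firewall that accepts only IPs, and a service name whose addresses changed) can be checked mechanically. The following is an added example, not code from any poster: it compares a firewall's IP allow-list with what the name resolves to now. The function names and the sample addresses (documentation ranges, constructed) are assumptions.

```python
import ipaddress
import socket


def resolve_ipv4(name):
    """Return the IPv4 addresses the system resolver gives for name."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def constructed_resolver(name):
    """Constructed sample: the name's addresses after the provider's change."""
    return {"203.0.113.10", "198.51.100.88"}


def audit_allowlist(name, allowed, resolver=resolve_ipv4):
    """Compare an IP allow-list with the current DNS answer for name.

    allowed: addresses or CIDR blocks taken from the firewall rule.
    Returns (missing, stale): resolved addresses that no rule covers,
    and rules that cover none of the currently resolved addresses.
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    current = {ipaddress.ip_address(a) for a in resolver(name)}
    missing = sorted(a for a in current if not any(a in n for n in nets))
    stale = sorted(
        (n for n in nets if not any(a in n for a in current)),
        key=lambda n: (int(n.network_address), n.prefixlen),
    )
    return [str(a) for a in missing], [str(n) for n in stale]


if __name__ == "__main__":
    # Constructed firewall rule written before the addresses changed.
    rule = ["192.0.2.88", "198.51.100.88"]
    missing, stale = audit_allowlist("myapp.domain.com", rule,
                                     resolver=constructed_resolver)
    print("add to firewall:", missing)
    print("no longer resolved, review:", stale)
```

With the default resolver the result reflects one lookup from one vantage point, so a firewall that cannot filter by name needs this check repeated whenever the published addresses may have changed.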
