kbbcnet
What is the required DNS configuration for a server to host a service thru the Internet?
The following is a current & real environment; High security & encryption, Border Routers, Windows 2003 Servers & Internet-connected XP Dell PCs.
Example: Domain.com; server host name: my-app.domain.com;
A Private corp communication server running a win32 app which uses Java thru the Internet to connect to other non-profit company PCs running the win32 app. Each company has a router & public IP - the PCs use private IPs. Domain.com has registered x.x IP Network & uses two public IPs: x.x.200.88 & x.x.100.88 for myapp.domain.com.
1a. Corp wants non-profits to set up their firewall to allow access to myapp.domain.com.
1b. Corp wants no reverse lookup capability from the Internet.
2a. Non-profits want to only allow IPs: x.x.200.88 & x.x.100.88 on their firewalls.
2b. Corp states that they do not publish the two public IPs: x.x.200.88 & x.x.100.88 for myapp.domain.com and they may change anyway. Again they insist that we use myapp.domain.com.
My question: How is the DNS for the Internet configured in this environment? Since the corp company is using the Internet & public addresses - how can they hide their public IPs & can they prevent non-profits from using the IPs, instead of the name?
Note: I think the questions are all answered from the same info; however, if not, I can create additional questions, if needed. Thanks much.
You don't need to make any changes to your internet DNS records.
Modify the internal DNS only.
This can be done in 2 ways:
1. If the non-profits are using an internal DNS server, just have them add a record for myapp.domain.com that points to the corp public IP
2. If the non-profit is not using an internal DNS server, then they could add an entry to the individual PC's hosts file.
ASKER
kdearing:
You have hit on the problem and as I stated in my initial post - how to allow access thru the firewall.
Most non-profits have internal DNS; however some do not.
Corp is not publishing their IPs and will not give out that info???
They insist that every non-profit use the DNS name, instead of the IP.
I do not know why, but I think they have become paranoid about their IPs?
In their documentation, they state if you must use an IP, then 157*.*.*.
I asked their IT dept if this is a misprint; I have not seen this kind of firewall config.
ASKER
rowansmith:
The app uploads & downloads files with corp.
The app has the corp server name [myapp.mydomain.com] listed in the upload/download field.
I want to configure the non-profit firewalls to allow the app to contact the corp server and then not interfere with the Java files upload/download.
There are many different firewalls, Cisco, Cisco Pix, proxies, Windows Server and the like.
Some of the firewalls cannot be configured to use names, only IPs.
I always understood - if a company has a data center app set up to connect via the Internet with other companies' users running the user side app; then you Dig the Internet DNS info and use this IP.
Is this not so and can corp circumvent this by (as they stated) not publishing their IPs?
You cannot stop anyone from using IPs vs names.
Internet communication is determined by IP addresses, not by names.
A name is just a user-friendly way to use them, you don't have to remember all those numbers.
The name gets resolved into an IP address using DNS, BEFORE it leaves your computer.
As far as the firewall is concerned, it's all about IP addresses. Unless you've specifically configured it to block certain domain names, it will work.
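An added example, not part of the thread or of the vendor's documentation: because the name is resolved before traffic reaches the firewall, an IP-only rule set silently goes stale when the A records behind myapp.domain.com change. This Python check compares a rule list with the current resolution; `allowlist_drift` and `sample_resolver` are hypothetical names, and the addresses are constructed values from the documentation ranges.

```python
import ipaddress
import socket


def resolve_ipv4(name, port=21):
    """Return the IPv4 addresses the local resolver currently gives for name."""
    infos = socket.getaddrinfo(name, port, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def allowlist_drift(name, allowlist, resolver=resolve_ipv4):
    """Compare static firewall entries with what the name resolves to now.

    allowlist: addresses or CIDR blocks as strings, the form an IP-only
    firewall rule takes.
    """
    networks = [ipaddress.ip_network(e, strict=False) for e in allowlist]
    resolved = sorted(ipaddress.ip_address(a) for a in resolver(name))
    # Resolved addresses that no rule covers: the app would be blocked.
    missing = [str(a) for a in resolved if not any(a in n for n in networks)]
    # Rules matching none of the current addresses: candidates for review.
    stale = [str(n) for n in networks if not any(a in n for a in resolved)]
    return {"missing": missing, "stale": stale}


def sample_resolver(name):
    # Constructed data (documentation ranges): one of two A records has moved.
    return {"198.51.100.88", "203.0.113.88"}


if __name__ == "__main__":
    rules = ["198.51.100.88/32", "192.0.2.88/32"]  # constructed firewall entries
    print(allowlist_drift("myapp.domain.com", rules, resolver=sample_resolver))
```

Run it from inside the network whose firewall is being checked, since the result depends on which resolver answers the query.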
[You cannot stop anyone from using IPs vs names.]
While this is true, you can always try to work around it.
The easiest way is to create a virtualhost profile for the IP addy using an index page that would redirect traffic to myapp.domain.com. You will need to assign a name for it, so to keep it simple you can use something like mychkapp.domain.com
Then create a virtualhost profile for myapp.domain.com
or you could always redirect traffic going to http://xxx.xxx.xx.xxx to http://myapp.domain.com
Ken
ASKER
kdearing:
I have used several internet tools, Dig, Nslookup, etc. The corp data center FTP resolves to an IP which does not work thru the Firewall. Server down or not available message.
Prior to the change of the corp IP all was working as expected.
Is there a configuration a large corp like MS, Cisco, HP, etc. could create where the FTP server name would work and the resolved IP for that server name would not?
ASKER
kenfcamp:
The problem for the non-profit sites is that the other Corp company who provides the app states they will not give out their IP, you must use the FTP server domain name in your firewalls, etc.
Suddenly the IP which the corp FTP resolves to will not work in the Firewall; whereas before corp changed the IPs all worked as expected and the app connected as designed to upload/download.
My tests reveal there appears to be no reverse lookup set up on the corp site; however, I am not privy to such info and the IT dept is less than helpful.
It seems in regard to their app, it is their way or the highway.
This would not be a problem, excepting some non-profit site firewalls only work if the FTP site has an IP.
soooooo, what is it you are looking for? IOW, what is it you are trying to do?
As far as DNS configurations for hosted services, there aren't any so long as the DNS for the domain being used/accessed is set up properly.
ASKER
kenfcamp:
I am looking for the Corp IP to add to the non-profit firewalls.
IOW
I am trying to determine if Corp has set up the FTP & hidden their real public IP.
Using something such as anonymizer or CBAC
(Corp supports over 5000 locations thru their app & has several Class B IPs [a subset of MS])
Tell me what you want to be able to do. What you are doing at the moment, and what is not working as you would expect.
Thanks.