Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 426
  • Last Modified:

What is the required DNS configuration for a server to host a service thru the Internet?

What is the required DNS configuration for a server to host a service thru the Internet?
The following is a current & real environment; High security & encryption, Border Routers, Windows 2003 Servers & Interent connected XP Dell PCs.  
Example: Domain.com; server host name: my-app.domain.com;

A Private corp communication server running a win32 app which uses Java thru the Internet to connect to other non-profit company PCs running the win32 app.  Each company has a router & public IP - the PCs use private IPs.  Domain.com has registered x.x IP Network & uses two public IPs: x.x.200.88 & x.x.100.88 for myapp.domain.com.
   1a. Corp wants non-profits to setup firewall to allow access to myapp.domain.com.
   1b. Corp wants no reverse lookup capabilty from the Internet.
   2a. Non-profits wants to only allow IPs: x.x.200.88 & x.x.100.88 on their firewalls.  
   2b. Corp states that they do not publish the two public IPs: x.x.200.88 & x.x.100.88 for myapp.domain.com and they may change anyway.  Again they insist that we use myapp.domain.com.  

My question: How is the DNS for the Internet configured in this environment?  [Since the corp company is using the Internet & public addresses - how can they hide their public IPs & can they prevent non-profits from using the IPs, instead of the name?  

Note: i think the questions are all answer from the same info; however, if not, i can create addtional questions, if needed.  Thanks much.
0
kbbcnet
Asked:
kbbcnet
  • 6
  • 2
  • 2
  • +1
1 Solution
 
rowansmithCommented:
You need to explain this question a bit better...

Tell me what you want to be able to do.  What you are doing at the moment, and what is not working as you would expect.

Thanks.
0
 
kdearingCommented:
You don't need to make any changes to your internet DNS records.
Modify the internal DNS only.

This can be done in 2 ways:
1. If the non-profits are using an internal DNS server, just have them add a record for myapp.domain.com that points to the corp public IP
2. If the non-profit is not using an internal DNS server, then they could add an entry to the individual PC's hosts file.
0
 
kbbcnetAuthor Commented:
kdearing:

You have hit on the problem and as i stated in my initial post - how to allow access thru the firewall.  
Most non-profit have internal dns; however some do not.  

Corp is not publishing their IPs and will not give out that info???
They insist that every non-profit use the dns name, instead of the IP.

i do not know why,but i think they have become paranoid about thier IPs?
In their documentation, they state if you must use an IP, then 157*.*.*.
i asked their IT dept if this is a misprnt; i have not seen this kind of firewall config.
0
Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

 
kbbcnetAuthor Commented:
rowansmith:

The app uploads & download files with corp.
The app has the corp server name [myapp.mydomain.com] listed in the upload/download field.

i want to configure the non-profit firewalls to allow the app to contact the corp server and then not interfere with the java files upload/download.

There are many different firewalls, Cisco, Cisco Pix, proxies, Windows Server and the like.
Some of the firewalls can not be configured to use names, only IPs.

i always understood - if a company has a data center app setup to connect via the Internet with other companies users running the user side app; then you Dig the Internet DNS info and use this IP.
Is this not so and can corp circumvent this by (as they stated) not publishing their IPs?
0
 
kdearingCommented:
You cannot stop anyone from using IPs vs names.
Internet communication is determined by IP addresses, not by names.
A name is just a user-friendly way to use them, you don't have to remember all those numbers.
The name gets resolved into an IP address using DNS,  BEFORE it leaves your computer.

As far as the firewall is concerned, it's all about IP addresses. Unless you've specifically configured it to block certain domain names, it will work.
0
 
kenfcampCommented:
[You cannot stop anyone from using IPs vs names.]

While this is true, you can always try to work around it.

The easiest way is to create a virtualhost profile for the ip addy using a index page that would redirect traffic to myapp.domain.com. You will need to assign a name for it so to keep it simple you can use something like mychkapp.domain.com

Then create a virtualhost profile for myapp.domain.com

or you could always redirect traffic going to http://xxx.xxx.xx.xxx to http://myapp.domain.com

Ken
0
 
kbbcnetAuthor Commented:
kdearing:

i have used serveral internet tools, Dig, Nslookup, etc. the corp data center FTP resolves to an IP which does not work thru the Firewall.  Server down or not availble message.

Prior to the change of the corp IP all was working as expected.

Is their a configuration a large corp like MS, Cisco, HP, etc. could create where the ftp server name would work and the resolve IP to that server name would not?
0
 
kbbcnetAuthor Commented:
kenfcamp:

The problem for the non-profit sites is that the other Corp company who provides the app states they will not give out their IP, you must use the ftp server domain name in your firewalls, etc.
Suddenly the IP which the copr FTP resolves to will not work in the Firewall; where as before corp changed the IPs all worked as expected and the app connect as designed to upload/download.

My tests reveal their appears to be no reservse lookup setup on the corp site; however, i am not privy to such info and the IT dept is less than helpful.

It seems in regard to their app, it is their way or the highway.
This would not be a problem, excepting some non-profit site firewalls only work if the FTP site has an IP.
0
 
kenfcampCommented:
soooooo, what is it you are looking for? IOW, what is it you are trying to do?

As far as DNS configurations for hosted services, there aren't any so long as the DNS for the domain being used/accessed is setup properly
0
 
kbbcnetAuthor Commented:
kenfcamp:

i am looking for the Corp IP to add to the non-profit firewalls.
IOW
i am trying to determine if Corp has setup the FTP & hidden their real public IP.
Using something such as anonomizer or CBAC
(Corp supports over 5000 locations thru their app & has several Class B IPs [a subset of MS])
0
 
kbbcnetAuthor Commented:
Solution, and then close the question by clicking "Accept as Solution" on your own post.

i have verifified the info i was looking for.

The simple answer i was looking to verify is that a large corp as this one could not de-publish their IP.  
The the dns name would always resolve to some IP which then could be added to a Firewall if needed.

Also, many firewalls can use the dns name &/or filter by packet at the higher layers allowing the server name thru.

Thanks.
0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

  • 6
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now