Solved

Split DNS trouble: can't use external addresses to get to internal resources

Posted on 2008-10-09
353 Views
Last Modified: 2013-11-16
Our internal domain has a different DNS name, internalsite.org, than our external one, externalsite.org. Our website (hosted elsewhere) uses www.externalsite.org, and our email addresses use @externalsite.org.

We have external DNS entries set up for our web, mail and terminal servers. The external entries used to work from both on and off campus until we put in a new firewall today. Now webserver.externalsite.org works off campus, but not on! Same for mail and TS.

The firewall folks (WatchGuard) say we need to reconfigure our setup and put our mail and web servers into a DMZ. I'd rather not do that, considering the time and work it would require. Any thoughts? How much would it require to change the FQDN of our internal DNS scheme?

Any thoughts or help is much appreciated.
Question by:jhaff
4 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22684764
As I understand it, you have web, mail and TS configured on the trusted network, and you already have a DNS server which redirects the requests from the internal machines to these servers on the externalsite.org URL.

If this is the case, then with WatchGuard you would not be able to reach the servers from the internal network; the reason is that the WG, along with many vendors, cannot have the ingress interface be the same as the egress interface for a packet, and thus the problem. Many vendors like Cisco allow something they implement as hairpin, which allows you to do this!

With WatchGuard you can configure your DNS server to instead direct the internal machines to the internal IP rather than the external IP, which would solve the issue.

Thank you.
 

Accepted Solution

by:
jhaff earned 0 total points
ID: 22684803
I just fixed my own problem... I added another primary DNS zone to my internal DNS, so now I have internal.org and external.org as zones on my domain. The external.org zone points our clients to the internal address before they can hit the interwebs DNS.

This works for me because of my limited external presence. dpk... I'm interested in your solution, because I attempted to route the internal machines to mail, web and TS via the WatchGuard and didn't see how it could be done.

Thanks for your help.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22684841
Good to know that the problem is solved! :)

>> I attempted to route the internal machines to mail, web and TS via the WatchGuard and didn't see how it could be done

Sorry, but I did not understand what you could not configure; frankly, on the WG there is no configuration that is required. The only configuration that is needed is on the DNS server, which you have already done [by adding one more zone].
Please correct me if I misunderstood.

Thank you.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22685510
My recommendation is to set up another DNS zone on your internal DNS server that matches your external zone.
Then set up zone transfers from the external zone (public) to the external zone (local) to keep DNS records in sync.
This is a straightforward solution that will solve your problem without having to reconfigure all your servers.
Cheers! Let me know if you have any more questions!
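The following is an added example and not code from this thread or from WatchGuard. It is a small Python model of the split-horizon setup that dpk_wal describes and jhaff implemented: a local copy of externalsite.org on the internal DNS server whose records for webserver, mail and ts point at trusted-network addresses, while everything else (the externally hosted www record, the MX) keeps its public value. It also covers the one thing to watch when keeping that local copy in sync by zone transfer, as Pugglewuggle suggests: a transferred copy of the public zone carries the public addresses for exactly the records you mean to override, so the overrides have to be applied after every transfer or those names go back to hairpinning through the firewall. All zone contents, host names and addresses (RFC 5737 documentation ranges and a 10.0.0.0/8 trusted network) are constructed assumptions, as is the rule that the firewall's public block is 203.0.113.0/24.

```python
"""Model of a split-horizon copy of the external zone on the internal DNS.

Added example, not code from the thread or from WatchGuard.  Everything
below is an assumption for illustration: the zone contents are constructed,
and the addresses use the RFC 5737 documentation ranges.
"""
import ipaddress

# Constructed stand-in for the public externalsite.org zone, i.e. what a
# zone transfer (AXFR) from the public server would bring in.
PUBLIC_ZONE = {
    ("www.externalsite.org", "A"): "198.51.100.20",       # hosted elsewhere
    ("webserver.externalsite.org", "A"): "203.0.113.10",  # NAT on the firewall
    ("mail.externalsite.org", "A"): "203.0.113.11",
    ("ts.externalsite.org", "A"): "203.0.113.12",
    ("externalsite.org", "MX"): "10 mail.externalsite.org.",
}

# Records the local copy of externalsite.org must carry instead, pointing
# at the trusted-network addresses of the same servers (assumed values).
INTERNAL_OVERRIDES = {
    ("webserver.externalsite.org", "A"): "10.1.1.10",
    ("mail.externalsite.org", "A"): "10.1.1.11",
    ("ts.externalsite.org", "A"): "10.1.1.12",
}

# Address block on the firewall's external interface (assumed).  An internal
# client that receives one of these answers needs the firewall to hairpin the
# connection, which the thread says the WatchGuard will not do.
FIREWALL_PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")

# Networks whose clients should get the internal view (assumed).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def build_internal_zone(public, overrides):
    """Merge the transferred public copy with the internal overrides.

    The overrides must be applied last.  If a transfer is loaded on top of
    them instead, the public addresses win and the hairpin problem returns.
    """
    zone = dict(public)
    zone.update(overrides)
    return zone


def hairpin_risks(zone, firewall_net=FIREWALL_PUBLIC_NET):
    """Sorted names whose A record in the given view still points at the
    firewall's public side, i.e. records that are missing an override."""
    return sorted(
        name
        for (name, rtype), value in zone.items()
        if rtype == "A" and ipaddress.ip_address(value) in firewall_net
    )


def answer_for(client_ip, name, rtype="A"):
    """Split-horizon lookup: trusted clients get the internal view, everyone
    else gets the public zone.  Returns None for an unknown record."""
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in TRUSTED_NETS):
        zone = build_internal_zone(PUBLIC_ZONE, INTERNAL_OVERRIDES)
    else:
        zone = PUBLIC_ZONE
    return zone.get((name.rstrip(".").lower(), rtype.upper()))


def resync_after_transfer(transferred_public, overrides):
    """Re-apply the overrides after a fresh transfer.  Returns the corrected
    zone and the names the transfer had reverted to public addresses."""
    reverted = hairpin_risks(transferred_public)
    fixed_zone = build_internal_zone(transferred_public, overrides)
    return fixed_zone, [n for n in reverted if (n, "A") in overrides]


if __name__ == "__main__":
    internal_view = build_internal_zone(PUBLIC_ZONE, INTERNAL_OVERRIDES)
    print("internal view, still hairpinning:", hairpin_risks(internal_view))
    print("bare public copy, hairpinning   :", hairpin_risks(PUBLIC_ZONE))
    print("inside  ->", answer_for("10.20.30.40", "webserver.externalsite.org"))
    print("outside ->", answer_for("198.51.100.99", "webserver.externalsite.org"))
```

Run `hairpin_risks` against the zone the internal server actually serves after each sync; an empty list means every record that lives behind the firewall has an internal override, and any name it prints is one that internal clients will still try to reach through the firewall's public address.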
