jhaff
asked on
split dns trouble: can't use external addresses to get to internal resources
Our internal domain has a different DNS name, internalsite.org, than our external one, externalsite.org. Our website (hosted elsewhere) uses www.externalsite.org, and our email addresses use @externalsite.org.
We have external DNS entries set up for our web, mail and terminal servers. The external entries used to work from both on and off campus until we put in a new firewall today. Now webserver.externalsite.org works off campus, but not on! Same for mail and TS.
The firewall folks (WatchGuard) say we need to reconfigure our setup and put our mail and web servers into a DMZ. I'd rather not do that considering the time and work it would require. Any thoughts? How much would it require to change the FQDN of our internal DNS scheme?
Any thoughts or help is much appreciated.
Good to know that the problem is solved! :)
>> i attempted to route the internal machines to mail, web, and ts via the watchguard and didn't see how it could be done
Sorry, but I did not understand what you could not configure; frankly, on WG there is no configuration which is required; the only configuration that is needed is on the DNS server, which you have already done [by adding one more zone].
Please correct me if I misunderstood.
Thank you.
My recommendation is to set up another DNS zone on your internal DNS server that matches your external zone.
Then set up zone transfers from the external zone (public) to the external zone (local) to keep DNS records in sync.
This is a straightforward solution that will solve your problem without having to reconfigure all your servers.
Cheers! Let me know if you have any more questions!
If this is the case, then with WatchGuard you would not be able to reach the servers from the internal network; the reason is that the WG, along with many vendors' devices, cannot have the ingress interface be the same as the egress interface for a packet, and thus the problem; many vendors like Cisco allow something they implement as hairpin, which allows you to do this!
With WatchGuard you can configure your DNS server to direct the internal machines to the internal IP rather than the external IP, which would solve the issue.
Thank you.
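The two answers above describe the same fix from two angles: keep a copy of the externalsite.org zone on the internal DNS server, and make sure that copy hands internal clients the inside address of any host that sits behind the firewall, because the firewall will not hairpin a packet that enters and leaves on the same interface. The script below is an added illustration, not code from the thread or from WatchGuard: it takes a constructed public zone, rewrites the A records of NAT'd hosts to their inside addresses using an assumed 1:1 NAT table, and checks the resulting internal view for any name that would still send an on-campus client out through the firewall. All hostnames, addresses and the NAT table are placeholders.

```python
import ipaddress
import re

# Constructed sample: the public externalsite.org zone as served to the Internet.
# Names and addresses are placeholders (RFC 5737 documentation range), not real records.
EXTERNAL_ZONE = """\
$ORIGIN externalsite.org.
$TTL 3600
@           IN SOA   ns1.externalsite.org. hostmaster.externalsite.org. (2024010101 3600 900 604800 300)
@           IN NS    ns1.externalsite.org.
@           IN MX 10 mail.externalsite.org.
www         IN A     203.0.113.10
webserver   IN A     203.0.113.20
mail        IN A     203.0.113.30
ts          IN A     203.0.113.40
ns1         IN A     203.0.113.2
"""

# Assumed 1:1 NAT table on the firewall: public address -> internal address.
# www is hosted elsewhere, so it is deliberately absent and keeps its public IP.
NAT_MAP = {
    "203.0.113.20": "10.0.0.20",
    "203.0.113.30": "10.0.0.30",
    "203.0.113.40": "10.0.0.40",
}

# Matches "<owner> [ttl] IN A <address>" lines of a zone file.
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)\s*$")


def a_records(zone_text):
    """Return {owner name: IPv4 address} for every well-formed A record."""
    recs = {}
    for line in zone_text.splitlines():
        m = A_RECORD.match(line)
        if not m:
            continue
        name, addr = m.groups()
        try:
            ipaddress.IPv4Address(addr)  # skip malformed addresses
        except ValueError:
            continue
        recs[name] = addr
    return recs


def rewrite_zone(zone_text, nat_map):
    """Build the internal copy of the zone.

    A records whose public address is NAT'd to an inside host are rewritten to
    the inside address; every other line (SOA, NS, MX, hosts hosted elsewhere)
    is copied unchanged, so the two views differ only where the firewall would
    otherwise have to hairpin the traffic."""
    out = []
    for line in zone_text.splitlines():
        m = A_RECORD.match(line)
        if m and m.group(2) in nat_map:
            public = m.group(2)
            out.append(line.replace(public, nat_map[public]))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def check_internal_view(zone_text, nat_map):
    """Return the owner names in an internal zone copy that still point at a
    public address the firewall NATs to an inside host.

    An internal client resolving such a name would be sent to the firewall's
    outside interface, which is exactly the lookup that fails without hairpin.
    An empty list means the internal view is consistent with the NAT table."""
    return sorted(name for name, addr in a_records(zone_text).items()
                  if addr in nat_map)


if __name__ == "__main__":
    print("public view problems:", check_internal_view(EXTERNAL_ZONE, NAT_MAP))
    internal = rewrite_zone(EXTERNAL_ZONE, NAT_MAP)
    print(internal)
    print("internal view problems:", check_internal_view(internal, NAT_MAP))
```

Run as-is it reports mail, ts and webserver as problems in the public copy and none in the rewritten one, while www and ns1 keep their public addresses. The same check can be pointed at a zone exported from the internal server after a zone transfer, which is a cheap way to confirm that the synced copy did not silently overwrite inside addresses with the public ones.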