Solved

Resolving Hostname to IP (Internal)

Posted on 2009-05-04
Last Modified: 2012-05-06
I have internal DNS that resolves all my private hostnames to IP. I have some servers NATted via my Cisco router for client access from outside. My internal DNS server lists all servers' hostnames with private addresses, but when I try to access (internally) a hostname (ping, web interface via IE) it resolves to the NATted IP address, not the private one. Private IP access works fine, but hostname access fails as it is trying to use the NATted public address. Any reason why this would be happening, considering local DNS has the private address and my PC has my internal DNS listed first in the list? Any thoughts would be appreciated.
Question by:jwatkins49
22 Comments
 
LVL 3

Expert Comment

by:keno44
ID: 24295694
Perhaps you have a DNS proxy setting that is forwarding your requests to an outside DNS server which is resolving the names to the public IP?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24295768
We need more information. Are the internal and external domains the same name or separate? What records have you configured internally? The servername.internal.local or servername.external.com?

-Matt
0
 

Author Comment

by:jwatkins49
ID: 24295783
I have DNS forwarding servers, which is normal. I don't know about a DNS proxy setting that is forwarding...how would I check this?
0
 
LVL 3

Expert Comment

by:keno44
ID: 24295798
Further, is your Cisco router by chance performing your DNS lookups? Is your router configured as a DNS server?
Ken
0
 

Author Comment

by:jwatkins49
ID: 24295833
Matt,

Yes, both are the same. The server hostname is the same...I have the server hostname pointing to the internal IP address. My PC is pointing to the internal DNS server. When I ping the hostname, it resolves (ping fails, but I can see what it resolved the name to) to the public NATted address I have in my router.
0
 
LVL 3

Expert Comment

by:keno44
ID: 24295854
I believe the Cisco router (if configured as a DNS server) will only forward DNS queries to an upstream DNS server. Check the 'running config' on the router to determine if it is acting as a DNS server. If it is and you don't need this functionality, you can easily turn it off.

Otherwise, what internal DNS system are you using? Windows AD..?


0
 

Author Comment

by:jwatkins49
ID: 24295882
No, it is an ASA5500 and DNS is disabled and not performing any lookups or relaying.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24295885

The internal DNS servers are only going to forward the requests upstream if they cannot resolve them internally themselves. The domain names for internal and external are the same, so forwarding is therefore not going to take place.

You should have configured the internal IP for each server in internal DNS, not the external IP. Is this what is configured?

-Matt
0
 

Author Comment

by:jwatkins49
ID: 24295895
Windows 2003
0
 
LVL 3

Expert Comment

by:keno44
ID: 24296005
From the router point of view: The only other thing I can think of is that your router is NATing traffic in both directions, in other words back to your internal network. Can you post a 'sho tech' so we can see the NAT rules and interface configuration?

From the Windows point of view: Did you recently make these entries to your internal DNS server? Do an ipconfig /all to verify your DNS servers. Then ipconfig /flushdns (if you recently added the DNS records). Then check C:\WINDOWS\system32\drivers\etc\hosts (just to make sure you have no entries there).

0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24296057

You first need to check that the IP of the server is the ONLY DNS server IP configured on the workstation, either statically or via DHCP.

Then, open a command prompt and run the command nslookup <server.external.com>, entering a full FQDN after 'nslookup'. What output do you get back?

-Matt
0
 

Author Comment

by:jwatkins49
ID: 24296065
Matt,

The internal DNS servers have private IPs configured, which makes no sense why they are not resolving to the private address...
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24296071

I agree with you; it makes no sense.

Can you run the nslookup commands from a workstation?
0
 
LVL 3

Expert Comment

by:keno44
ID: 24296090
Hi JW,

Try what TigerMatt is suggesting. That command will tell you which server is resolving the hostname. If NSLOOKUP reports your internal DNS server is resolving the correct internal IP(as you expect), then please post the NAT and interface config from the router.
0
 

Author Comment

by:jwatkins49
ID: 24296242
Matt,
Meant to send this earlier...nslookup shows:

server: internal DNS server
address: internal DNS server IP

Non-authoritative answer:
name: hostname of server that I am trying to access
address: the public IP address of server that I am trying to access

What does this mean?

JoW
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24296329

The fact the response from nslookup reads a 'Non-authoritative answer' means your internal DNS server is not resolving the requests, but is instead forwarding them to the external server. The fact the request is being forwarded means two things:

a) The public IP is being returned, which the firewall, for security reasons, will not map back through into the network;
b) The DNS is not set correctly on the internal DNS server.

Focussing on the second point, we need to resolve that issue to get this working correctly.

You need to verify that in your DNS Server you have a zone created which matches your external zone. You said internal and external zone names are the same, so that should already be present.

Next, let's say you are using mail.domain.com externally. In the internal DNS server, you would expand the domain.com zone and create a new A record, named 'mail', which maps to the appropriate internal IP for the mail server.

You can then test because an nslookup should not return a non-authoritative answer, and the internal IP should be returned instead.

-Matt
0
 

Author Comment

by:jwatkins49
ID: 24296558
Matt,

I ran the nslookup from my workstation versus the server, is that what you mean?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24297020

The nslookup shouldn't affect matters. The 'Non Authoritative' bit means the DNS server didn't know about the record and had to look elsewhere (via a forwarder).

Both the workstation and the server should be querying the server as the only configured DNS server, so whether you use the workstation or server is irrelevant.

-Matt
0
 

Author Comment

by:jwatkins49
ID: 24297361
Ok,

Here is something that I just found out:

When I ping the fqdn, I get the public IP response. If I just ping the hostname without domain attached, it returns the correct private address.

What does that mean?

Thanks,
JoW
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24297375

> When I ping the fqdn, I get the public IP response. If I just ping the hostname without domain attached, it returns the correct private address.

The host name is resolving internally to a different domain than what the external name is resolving to.

Can you confirm that your internal and external domain names are indeed the same as you said earlier?

-Matt
0
 

Author Comment

by:jwatkins49
ID: 24297432
Internally it has .local and externally is .com...

so we have name.local inside and name.com outside. Works fine if you use the correct domain, .local for inside & .com for outside.

I'm guessing this is how it should work?

JoW

0
 
LVL 58

Accepted Solution

by:
tigermatt earned 2000 total points
ID: 24299465

That would explain matters. What you have been doing is creating the records in the .local domain; when you use .domain.com, the DNS server does not know about it so sends the request externally.

On the DNS server, you will need to create a new Forward Lookup Zone. In the DNS console right-click forward lookup zones and choose New Zone. Set it as a Primary Zone and enter domain.com as the zone name. You can disable Dynamic Updates.

Having created it, expand this new zone and create the appropriate A records there, mapping resource.domain.com to the appropriate internal IP address.

Now, testing from a workstation, you should find things work properly.

:-)

-Matt
0
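A small Python model of the resolution path this thread diagnoses: a short name is expanded with the client's suffix list and answered from the .local zone, while the .com FQDN is forwarded and comes back non-authoritative with the NATted public address until a matching primary zone is added. This is an added example, not code from the thread; zone names, hosts and addresses are constructed.

```python
"""Model the split-horizon DNS symptom from the thread and its fix."""
from ipaddress import ip_address, ip_network

# Constructed sample data (hypothetical names and addresses).
PUBLIC_DNS = {"mail.domain.com": "203.0.113.10"}  # what the forwarder returns (NATted public IP)
SUFFIX_SEARCH = ["domain.local"]                   # workstation's DNS suffix search list
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True for private (RFC 1918) IPv4 addresses."""
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def resolve(name, zones, suffixes=SUFFIX_SEARCH, forwarder=PUBLIC_DNS):
    """Return (address, authoritative) as the internal DNS server would answer.

    zones: forward lookup zones the server hosts, e.g. {"domain.local": {"mail": "10.0.0.5"}}.
    A bare hostname is expanded with the suffix list; a dotted name is tried as-is.
    'authoritative' is True only when the server owns the zone the name falls in.
    """
    candidates = [name] if "." in name else [f"{name}.{s}" for s in suffixes]
    for fqdn in candidates:
        host, _, zone = fqdn.partition(".")
        if zone in zones:                      # we own this zone: answer authoritatively
            addr = zones[zone].get(host)
            if addr or "." in name:            # for an FQDN even NXDOMAIN is final
                return addr, True
            continue                           # short name: try the next suffix
        if fqdn in forwarder:                  # not our zone: forwarded, non-authoritative
            return forwarder[fqdn], False
    return None, False


def is_split_dns_leak(answer):
    """True when the server had to forward and got back a public address for an internal host."""
    addr, authoritative = answer
    return addr is not None and not authoritative and not is_rfc1918(addr)


if __name__ == "__main__":
    zones = {"domain.local": {"mail": "10.0.0.5"}}
    print(resolve("mail", zones))               # short name: answered from .local zone
    fqdn_answer = resolve("mail.domain.com", zones)
    print(fqdn_answer, is_split_dns_leak(fqdn_answer))  # forwarded, public IP returned
    # Fix from the accepted answer: a primary zone for the external name, internal addresses inside.
    zones["domain.com"] = {"mail": "10.0.0.5"}
    print(resolve("mail.domain.com", zones))    # now authoritative, private IP
```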
