
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1418

Resolving Hostname to IP (Internal)

I have internal DNS that resolves all my private hostnames to IP. I have some servers Natted via my Cisco router for client access from outside. My internal DNS server list all servers' hostname to private addresses, but when I try to access (internally) a hostname (ping, web interface via IE) it resolves to the Natted IP address, not the private. Private IP access works fine, but hostname fails as it is trying to use the Natted public address. Any reason why this would be happening considering local DNS has private address and my PC has my internal DNS listed first in the list? Any thoughts would be appreciated.
0
Asked by jwatkins49
1 Solution
 
keno44 Commented:
Perhaps you have a DNS proxy setting that is forwarding your requests to an outside DNS server which is resolving the names to the public IP?
0
 
tigermatt Commented:
We need more information. Are the internal and external domains the same name or separate? What records have you configured internally? The servername.internal.local or servername.external.com?

-Matt
0
 
jwatkins49 (Author) Commented:
I have DNS forwarding servers, which is normal. I don't know about a DNS proxy setting that is forwarding... how would I check this?
0
 
keno44 Commented:
Further, is your Cisco router by chance performing your DNS lookups? Is your router configured as a DNS server?
Ken
0
 
jwatkins49 (Author) Commented:
Matt,

Yes, both are the same. The server hostname is the same... I have the server hostname pointing to the internal IP address. My PC is pointing to the internal DNS server. When I ping the hostname, it resolves (ping fails, but I can see what it resolved the name to) to the public Natted address I have in my router.
0
 
keno44 Commented:
I believe the Cisco router (if configured as a DNS server) will only forward DNS queries to an upstream DNS server. Check the 'running config' on the router to determine if it is acting as a DNS server. If it is and you don't need this functionality, you can easily turn it off.

Otherwise, what internal DNS system are you using? Windows AD..?


0
 
jwatkins49 (Author) Commented:
No, it is an ASA5500 and DNS is disabled and not performing any lookups or relaying.
0
 
tigermatt Commented:

The internal DNS servers are only going to forward the requests upstream if they cannot resolve them internally themselves. The domain names for internal and external are the same, so forwarding is therefore not going to take place.

You should have configured the internal IP for each server in internal DNS, not the external IP. Is this what is configured?

-Matt
0
 
jwatkins49 (Author) Commented:
Windows 2003
0
 
keno44 Commented:
From the router point of view: The only other thing I can think of is that your router is NATing traffic in both directions, in other words back to your internal network. Can you post a 'sho tech' so we can see the NAT rules and interface configuration?

From the Windows point of view: Did you recently make these entries to your internal DNS server? Do an ipconfig /all to verify your DNS servers. Then ipconfig /flushdns (if you recently added the DNS records). Then check C:\WINDOWS\system32\drivers\etc\hosts (just to make sure you have no entries here).

0
 
tigermatt Commented:

You first need to check that the IP of the server is the ONLY DNS server IP configured on the workstation, either statically or via DHCP.

Then, open a command prompt and run the command nslookup <server.external.com>, entering a full FQDN after 'nslookup'. What output do you get back?

-Matt
0
 
jwatkins49 (Author) Commented:
Matt,

The internal DNS servers have private IPs configured, which makes no sense why they are not resolving to the private address...
0
 
tigermatt Commented:

I agree with you; it makes no sense.

Can you run the nslookup commands from a workstation?
0
 
keno44 Commented:
Hi JW,

Try what TigerMatt is suggesting. That command will tell you which server is resolving the hostname. If NSLOOKUP reports your internal DNS server is resolving the correct internal IP (as you expect), then please post the NAT and interface config from the router.
0
 
jwatkins49 (Author) Commented:
Matt,
Meant to send this earlier... nslookup shows:

server: internal DNS server
address: internal DNS server IP

Non-authoritative answer:
name: hostname of server that I am trying to access
address: the public IP address of server that I am trying to access

What does this mean?

JoW
0
 
tigermatt Commented:

The fact the response from nslookup reads a 'Non-authoritative answer' means your internal DNS server is not resolving the requests, but is instead forwarding them to the external server. The fact the request is being forwarded means two things:

a) The public IP is being returned, which for security reasons the firewall will not map back through into the network;
b) The DNS is not set correctly on the internal DNS server

Focussing on the second point, we need to resolve that issue to get this working correctly.

You need to verify that in your DNS Server you have a zone created which matches your external zone. You said internal and external zone names are the same, so that should already be present.

Next, let's say you are using mail.domain.com externally. In the internal DNS server, you would expand the domain.com zone and create a new A record, named 'mail', which maps to the appropriate internal IP for the mail server.

You can then test, because an nslookup should not return a non-authoritative answer, and the internal IP should be returned instead.

-Matt
0
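The check Matt describes (a 'Non-authoritative answer' carrying a public IP means the internal server forwarded the query instead of answering from its own zone) can be scripted so it is repeatable across many hosts. The following is an added example, not code from this thread: it parses the text Windows nslookup prints, classifies the returned address against the RFC 1918 ranges (the "private addresses" the thread talks about), and reports the same diagnosis. The server name, host name and addresses in the two sample outputs are constructed for the example.

```python
import ipaddress

# RFC 1918 ranges: what "private address" means in this thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True for the private ranges an internal zone is expected to hand out."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)  # version mismatch simply yields False


def parse_nslookup(text: str) -> dict:
    """Parse the text printed by Windows 'nslookup <fqdn>' into its fields."""
    result = {"server": None, "server_address": None, "authoritative": True,
              "name": None, "addresses": []}
    in_answer = False  # flips once we are past the Server:/Address: header
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_answer:
            # bare continuation line under 'Addresses:' (one IP per line)
            try:
                result["addresses"].append(str(ipaddress.ip_address(line)))
                continue
            except ValueError:
                pass
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "server":
            result["server"] = value
        elif key == "address" and not in_answer:
            result["server_address"] = value
        elif key == "non-authoritative answer":
            result["authoritative"] = False
            in_answer = True
        elif key == "name":
            in_answer = True
            result["name"] = value
        elif key in ("address", "addresses") and in_answer and value:
            result["addresses"].append(value)
    return result


def diagnose(result: dict) -> str:
    """Classify the answer the way the thread does."""
    addrs = result["addresses"]
    if not addrs:
        return "NO_ANSWER"
    public = [a for a in addrs if not is_rfc1918(a)]
    if not result["authoritative"]:
        # the internal server had no zone for this name and asked a forwarder;
        # a public IP coming back is exactly the symptom in this thread
        return "FORWARDED_PUBLIC" if public else "FORWARDED_PRIVATE"
    # answered from a local zone: the record itself is right or wrong
    return "INTERNAL_RECORD_PUBLIC" if public else "OK_INTERNAL"


# Constructed sample outputs in the Windows nslookup layout (not real hosts).
BROKEN = """Server:  dns01.corp.local
Address:  10.0.0.10

Non-authoritative answer:
Name:    mail.domain.com
Address:  203.0.113.25
"""

FIXED = """Server:  dns01.corp.local
Address:  10.0.0.10

Name:    mail.domain.com
Address:  10.0.0.25
"""

if __name__ == "__main__":
    for label, text in (("before", BROKEN), ("after", FIXED)):
        print(label, diagnose(parse_nslookup(text)))
```

FORWARDED_PUBLIC is the state the thread is stuck in; OK_INTERNAL is what the nslookup should show once the internal zone holds the record. INTERNAL_RECORD_PUBLIC is the other mistake worth distinguishing: the zone exists but the A record was entered with the NAT address.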
 
jwatkins49 (Author) Commented:
Matt,

I ran the nslookup from my workstation versus the server, is that what you mean?
0
 
tigermatt Commented:

The nslookup shouldn't affect matters. The 'Non Authoritative' bit means the DNS server didn't know about the record and had to look elsewhere (via a forwarder).

Both the workstation and the server should be querying the server as the only configured DNS server, so whether you use the workstation or server is irrelevant.

-Matt
0
 
jwatkins49 (Author) Commented:
Ok,

Here is something that I just found out:

When I ping the fqdn, I get the public IP response. If I just ping the hostname without domain attached, it returns the correct private address.

What does that mean?

Thanks,
JoW
0
 
tigermatt Commented:

> When I ping the fqdn, I get the public IP response. If I just ping the hostname without domain attached, it returns the correct private address.

The host name is resolving internally to a different domain than what the external name is resolving to.

Can you confirm that your internal and external domain names are indeed the same as you said earlier?

-Matt
0
 
jwatkins49 (Author) Commented:
Internally it has .local and externally it is .com...

so we have name.local inside and name.com outside. Works fine if you use the correct domain, .local for inside & .com for outside.

I'm guessing this is how it should work?

JoW
0
 
tigermatt Commented:

That would explain matters. What you have been doing is creating the records in the .local domain; when you use .domain.com, the DNS server does not know about it so sends the request externally.

On the DNS server, you will need to create a new Forward Lookup Zone. In the DNS console right-click forward lookup zones and choose New Zone. Set it as a Primary Zone and enter domain.com as the zone name. You can disable Dynamic Updates.

Having created it, expand this new zone and create the appropriate A records there, mapping resource.domain.com to the appropriate internal IP address.

Now, testing from a workstation, you should find things work properly.

:-)

-Matt
0
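The mechanism behind the whole thread, and behind Matt's fix, is the lookup order a DNS server applies: a name is answered from the longest local zone that covers it, and only a name no local zone covers is sent to a forwarder. The model below is an added example, not code from this thread or from Windows DNS; it reproduces in a few lines why the bare hostname worked (the client appends the .local search suffix), why the .com FQDN came back with the NAT address, and what creating the internal domain.com zone changes. It also shows the caveat that comes with a split-brain zone: once domain.com exists internally, any public name under it that you do not also add internally gets NXDOMAIN rather than being forwarded. The zone names, labels and addresses are constructed.

```python
class SplitHorizonDns:
    """Toy model of the lookup order a Windows DNS server applies: answer from
    a local zone if one covers the name, otherwise hand the query to a forwarder."""

    def __init__(self, forwarder, search_suffix):
        self.zones = {}                       # zone name -> {label: ip}
        self.forwarder = forwarder            # callable fqdn -> ip | None (outside view)
        self.search_suffix = search_suffix    # appended to unqualified names (ping name)

    def add_zone(self, zone):
        self.zones.setdefault(zone.lower().strip("."), {})

    def add_a_record(self, zone, label, ip):
        self.zones[zone.lower().strip(".")][label.lower()] = ip

    def resolve(self, name):
        """Return (ip or None, authoritative)."""
        name = name.lower().strip(".")
        if "." not in name:
            name = f"{name}.{self.search_suffix}"
        # the longest zone that is a suffix of the name is the authoritative one;
        # it answers even when it holds no record (NXDOMAIN), it never forwards
        for zone in sorted(self.zones, key=len, reverse=True):
            if name == zone or name.endswith("." + zone):
                label = name[: -len(zone) - 1] or "@"
                return self.zones[zone].get(label), True
        return self.forwarder(name), False


# Constructed outside view: what public DNS (and so a forwarder) returns.
PUBLIC_VIEW = {"mail.domain.com": "203.0.113.25", "www.domain.com": "203.0.113.80"}


def walkthrough():
    """Replay the thread: .local-only zone first, then the added domain.com zone."""
    dns = SplitHorizonDns(forwarder=PUBLIC_VIEW.get, search_suffix="domain.local")
    dns.add_zone("domain.local")
    dns.add_a_record("domain.local", "mail", "10.0.0.25")
    before = {
        "mail": dns.resolve("mail"),                        # -> mail.domain.local
        "mail.domain.com": dns.resolve("mail.domain.com"),  # no zone: forwarded
    }
    # the fix: a primary zone for domain.com holding the internal address
    dns.add_zone("domain.com")
    dns.add_a_record("domain.com", "mail", "10.0.0.25")
    after = {
        "mail.domain.com": dns.resolve("mail.domain.com"),
        # caveat: every public name under domain.com now needs an internal record
        "www.domain.com": dns.resolve("www.domain.com"),
    }
    return before, after


if __name__ == "__main__":
    before, after = walkthrough()
    print("before:", before)
    print("after: ", after)
```

In the "after" result, mail.domain.com is answered authoritatively with 10.0.0.25, which is what the nslookup in the thread should show once the zone exists. www.domain.com returning (None, True) is the part to plan for: it is now the internal server's zone, so the public www record must be copied in (with the internal or public address, as appropriate) or internal users lose it.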
