Solved

Resolving Hostname to IP (Internal)

Posted on 2009-05-04
22
1,383 Views
Last Modified: 2012-05-06
I have internal DNS that resolves all my private hostnames to IP. I have some servers Natted via my Cisco router for client access from outside. My internal DNS server lists all servers' hostnames with their private addresses, but when I try to access (internally) a hostname (ping, web interface via IE) it resolves to the Natted IP address, not the private. Private IP access works fine, but hostname fails as it is trying to use the Natted public address. Any reason why this would be happening considering local DNS has the private address and my PC has my internal DNS listed first in the list? Any thoughts would be appreciated.
0
Comment
Question by:jwatkins49
22 Comments
 
LVL 3

Expert Comment

by:keno44
ID: 24295694
Perhaps you have a DNS proxy setting that is forwarding your requests to an outside DNS server which is resolving the names to the public IP?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24295768
We need more information. Are the internal and external domains the same name or separate? What records have you configured internally? The servername.internal.local or servername.external.com?

-Matt
0
 

Author Comment

by:jwatkins49
ID: 24295783
I have DNS forwarding servers, which is normal. I don't know about a DNS proxy setting that is forwarding... how would I check this?
0
 
LVL 3

Expert Comment

by:keno44
ID: 24295798
Further, is your Cisco router by chance performing your DNS lookups? Is your router configured as a DNS server?
Ken
0
 

Author Comment

by:jwatkins49
ID: 24295833
Matt,

Yes, both are the same. The server hostname is the same... I have the server hostname pointing to the internal IP address. My PC is pointing to the internal DNS server. When I ping the hostname, it resolves (ping fails, but I can see what it resolved the name to) to the public Natted address I have in my router.
0
 
LVL 3

Expert Comment

by:keno44
ID: 24295854
I believe the Cisco router (if configured as a DNS server) will only forward DNS queries to an upstream DNS server. Check the 'running config' on the router to determine if it is acting as a DNS server. If it is and you don't need this functionality, you can easily turn it off.

Otherwise, what internal DNS system are you using? Windows AD..?


0
 

Author Comment

by:jwatkins49
ID: 24295882
No, it is an ASA5500 and DNS is disabled and not performing any lookups or relaying.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24295885

The internal DNS servers are only going to forward the requests upstream if they cannot resolve them internally themselves. The domain names for internal and external are the same, so forwarding is therefore not going to take place.

You should have configured the internal IP for each server in internal DNS, not the external IP. Is this what is configured?

-Matt
0
 

Author Comment

by:jwatkins49
ID: 24295895
Windows 2003
0
 
LVL 3

Expert Comment

by:keno44
ID: 24296005
From the router point of view: The only other thing I can think of is that your router is NATing traffic in both directions, in other words back to your internal network. Can you post a 'sho tech' so we can see the NAT rules and interface configuration?

From the Windows point of view: Did you recently make these entries to your internal DNS server? Do an ipconfig /all to verify your DNS servers. Then ipconfig /flushdns (if you recently added the DNS records). Then check C:\WINDOWS\system32\drivers\etc\hosts (just to make sure you have no entries here).

0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24296057

You first need to check that the IP of the server is the ONLY DNS server IP configured on the workstation, either statically or via DHCP.

Then, open a command prompt and run the command nslookup <server.external.com>, entering a full FQDN after 'nslookup'. What output do you get back?

-Matt
0
 

Author Comment

by:jwatkins49
ID: 24296065
Matt,

The internal DNS servers have private IPs configured, which makes no sense why they are not resolving to the private address...
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24296071

I agree with you; it makes no sense.

Can you run the nslookup commands from a workstation?
0
 
LVL 3

Expert Comment

by:keno44
ID: 24296090
Hi JW,

Try what TigerMatt is suggesting. That command will tell you which server is resolving the hostname. If NSLOOKUP reports your internal DNS server is resolving the correct internal IP(as you expect), then please post the NAT and interface config from the router.
0
 

Author Comment

by:jwatkins49
ID: 24296242
Matt,
Meant to send this earlier... nslookup shows:

server: internal DNS server
address: internal DNS server IP

Non-authoritative answer:
name: hostname of server that I am trying to access
address: the public IP address of server that I am trying to access

What does this mean?

JoW
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24296329

The fact the response from nslookup reads a 'Non-authoritative answer' means your internal DNS server is not resolving the requests, but is instead forwarding them to the external server. The fact the request is being forwarded means two things:

a) The public IP is being returned, which, for security reasons, the firewall will not map back through into the network;
b) The DNS is not set correctly on the internal DNS server

Focussing on the second point, we need to resolve that issue to get this working correctly.

You need to verify that in your DNS Server you have a zone created which matches your external zone. You said internal and external zone names are the same, so that should already be present.

Next, let's say you are using mail.domain.com externally. In the internal DNS server, you would expand the domain.com zone and create a new A record, named 'mail', which maps to the appropriate internal IP for the mail server.

You can then test because an nslookup should not return a non-authoritative answer, and the internal IP should be returned instead.

-Matt
0
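The diagnostic Matt describes above, turned into a check you can run over pasted nslookup output. This is an added example, not code from the thread: it parses Windows-style nslookup output, flags a non-authoritative answer (the internal server forwarded the query instead of serving its own zone) and flags any returned address that is not RFC 1918 private. The sample outputs, server name and addresses below are constructed placeholders.

```python
import ipaddress
import re

# RFC 1918 ranges: what the thread means by a "private" address. Python's
# ipaddress.is_private also flags documentation ranges such as 203.0.113.0/24,
# so the check is spelled out explicitly here.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample in the Windows nslookup format, standing in for the output
# the poster described (placeholder names and addresses).
BROKEN_LOOKUP = """\
Server:  dns01.corp.local
Address:  192.168.1.5

Non-authoritative answer:
Name:    mail.example.com
Address:  203.0.113.25
"""

# Constructed sample of what a correct split-horizon answer looks like.
HEALTHY_LOOKUP = """\
Server:  dns01.corp.local
Address:  192.168.1.5

Name:    mail.example.com
Address:  192.168.1.10
"""


def is_rfc1918(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in RFC1918)


def parse_nslookup(text):
    """Parse Windows-style nslookup output into the fields the thread cares
    about: which server answered, what it returned, and whether the answer was
    authoritative (served from the server's own zone, not via a forwarder)."""
    result = {"server_ip": None, "name": None, "answer_ips": [], "authoritative": True}
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("non-authoritative answer"):
            result["authoritative"] = False
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key == "name":
            result["name"] = value.strip()
            in_answer = True
        elif key in ("address", "addresses"):
            ips = IPV4_RE.findall(value)
            if in_answer:
                result["answer_ips"].extend(ips)
            elif result["server_ip"] is None and ips:
                result["server_ip"] = ips[0]
        elif in_answer:
            # Continuation lines of a multi-address answer hold bare IPs.
            result["answer_ips"].extend(IPV4_RE.findall(line))
    return result


def audit(text):
    """Return a list of findings; an empty list means the internal server
    answered authoritatively with private addresses only."""
    parsed = parse_nslookup(text)
    findings = []
    if not parsed["authoritative"]:
        findings.append(
            f"{parsed['name']}: non-authoritative answer from {parsed['server_ip']}; "
            "the internal server forwarded the query instead of serving its own zone"
        )
    for ip in parsed["answer_ips"]:
        if not is_rfc1918(ip):
            findings.append(
                f"{parsed['name']} -> {ip}: public (NATted) address returned to an "
                "internal client; expect the connection to fail through the firewall"
            )
    return findings


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_LOOKUP), ("healthy", HEALTHY_LOOKUP)):
        print(f"[{label}]")
        for finding in audit(sample) or ["no findings"]:
            print("  ", finding)
```

Run it against the real output by replacing the constructed samples with a paste of `nslookup server.domain.com` from a workstation. Two findings on the broken sample correspond exactly to Matt's points a) and b): a public address came back, and it came back non-authoritatively.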
 

Author Comment

by:jwatkins49
ID: 24296558
Matt,

I ran the nslookup from my workstation versus the server, is that what you mean?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24297020

The nslookup shouldn't affect matters. The 'Non Authoritative' bit means the DNS server didn't know about the record and had to look elsewhere (via a forwarder).

Both the workstation and the server should be querying the server as the only configured DNS server, so whether you use the workstation or server is irrelevant.

-Matt
0
 

Author Comment

by:jwatkins49
ID: 24297361
Ok,

Here is something that I just found out:

When I ping the fqdn, I get the public IP response. If I just ping the hostname without domain attached, it returns the correct private address.

What does that mean?

Thanks,
JoW
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24297375

> When I ping the fqdn, I get the public IP response. If I just ping the hostname without domain attached, it returns the correct private address.

The host name is resolving internally to a different domain than what the external name is resolving to.

Can you confirm that your internal and external domain names are indeed the same as you said earlier?

-Matt
0
 

Author Comment

by:jwatkins49
ID: 24297432
Internally it has .local and externally it is .com...

so we have name.local inside and name.com outside. Works fine if you use the correct domain, .local for inside & .com for outside.

I'm guessing this is how it should work?

JoW

0
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24299465

That would explain matters. What you have been doing is creating the records in the .local domain; when you use .domain.com, the DNS server does not know about it so sends the request externally.

On the DNS server, you will need to create a new Forward Lookup Zone. In the DNS console right-click forward lookup zones and choose New Zone. Set it as a Primary Zone and enter domain.com as the zone name. You can disable Dynamic Updates.

Having created it, expand this new zone and create the appropriate A records there, mapping resource.domain.com to the appropriate internal IP address.

Now, testing from a workstation, you should find things work properly.

:-)

-Matt
0
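A model of why the bare host name worked while the FQDN did not, and of what the accepted fix changes. This is an added example, not code from the thread or from Windows DNS: it simulates the client resolver (a single-label name gets the DNS suffix appended) and the internal server (authoritative for the zones it hosts, forwarding everything else), then applies the fix of hosting a second zone named after the external domain. Zone names, host names and addresses are constructed placeholders. It also shows a caveat the accepted answer does not spell out: once the internal server hosts domain.com, every public name under domain.com that internal clients use must get a record there too, because a hosted zone is never forwarded.

```python
# Constructed data: the internal server hosts only the .local zone (the
# situation in the thread) and forwards everything else to a public resolver,
# which knows only the NATted public addresses.
INTERNAL_ZONES_BEFORE = {
    "corp.local": {"mail": "192.168.1.10", "www": "192.168.1.20"},
}
PUBLIC_DNS = {
    "mail.example.com": "203.0.113.25",
    "www.example.com": "203.0.113.26",
}
SUFFIX_SEARCH_LIST = ["corp.local"]  # the workstation's DNS suffix


def zone_for(fqdn, zones):
    """Return the hosted zone that contains fqdn, or None if no zone does."""
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def query_internal_server(fqdn, zones, forwarder):
    """Model of the internal DNS server. Returns (address_or_None, authoritative).
    A name inside a hosted zone is answered from that zone only; if the record
    is missing the answer is NXDOMAIN (None), never a forwarded lookup."""
    zone = zone_for(fqdn, zones)
    if zone is not None:
        host = fqdn[: -(len(zone) + 1)]
        return zones[zone].get(host), True
    return forwarder.get(fqdn), False


def resolve_from_client(name, zones, forwarder, suffixes):
    """Model of the workstation resolver: a bare host name is tried with each
    suffix appended; a name containing a dot is queried as given.
    Returns (fqdn_used, address, authoritative) or (None, None, None)."""
    candidates = [name] if "." in name else [f"{name}.{s}" for s in suffixes]
    for fqdn in candidates:
        addr, auth = query_internal_server(fqdn, zones, forwarder)
        if addr is not None:
            return fqdn, addr, auth
    return None, None, None


def add_split_horizon_zone(zones, zone_name, records):
    """The accepted fix: host the external zone name on the internal server and
    populate it with A records that point at the private addresses."""
    updated = {z: dict(r) for z, r in zones.items()}
    updated[zone_name] = dict(records)
    return updated


def demo():
    # Before the fix: FQDN goes to the forwarder, bare name hits the .local zone.
    before_fqdn = resolve_from_client("mail.example.com", INTERNAL_ZONES_BEFORE, PUBLIC_DNS, SUFFIX_SEARCH_LIST)
    before_short = resolve_from_client("mail", INTERNAL_ZONES_BEFORE, PUBLIC_DNS, SUFFIX_SEARCH_LIST)

    # After the fix: an example.com zone exists internally with the mail record.
    zones_after = add_split_horizon_zone(INTERNAL_ZONES_BEFORE, "example.com", {"mail": "192.168.1.10"})
    after_fqdn = resolve_from_client("mail.example.com", zones_after, PUBLIC_DNS, SUFFIX_SEARCH_LIST)

    # Caveat: www.example.com was not added to the new zone, so it no longer
    # resolves at all from inside until its record is created too.
    after_missing = resolve_from_client("www.example.com", zones_after, PUBLIC_DNS, SUFFIX_SEARCH_LIST)
    return before_fqdn, before_short, after_fqdn, after_missing


if __name__ == "__main__":
    for label, outcome in zip(("before FQDN", "before short", "after FQDN", "after missing"), demo()):
        print(f"{label:14} -> {outcome}")
```

The model reproduces the thread in order: the FQDN returned the public address non-authoritatively, the bare name returned the private address from the .local zone, and after the new zone is created the FQDN is answered authoritatively with the private address. The last case is the one to plan for when you build the zone: add an A record for every name under the external domain that internal users need, not just the servers you NAT.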
