• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 381

Using DNS Management to create split DNS

Hi all,

After running the ISA Best Practice report it seems that my DNS may be incorrectly configured.

I've posted some screens below from DNS Management.

I need to create split DNS but don't know how to do it using DNS Manager.

Can someone help me out?

The first image is from our external domain name.
The second image is from our internal domain.

Also, our website isn't hosted on our server; it's hosted on a web host, and the IP of the web record is the external host's server, if that helps.

Thanks

0
Asked: awilderbeast
5 Solutions
 
Keith Alabaster commented:
What screens? I can't see anything.

Let's assume for your external domain you use external.com and it is hosted by an ISP on your behalf. You likely have a number of A or host records created for www.external.com, mail.external.com, extranet.external.com etc., and all of these likely point to the IP address of your external router or the ISA external NIC.

Absolutely normal stuff, and anyone operating outside of your organisation will get those IP addresses when they perform a lookup or make a request to those sites.

However, if someone is operating within your LAN and they try to make a connection to www.external.com, then the connection will fail because they will be pointed at the external IP address, the same as a user operating externally.

In the internal DNS Manager, make a new AD-integrated domain called external.com, identical to the domain name hosted on your behalf by the ISP.
Create the A or host records that you require, but now give them the INTERNAL IP addresses. For example, www as the host record with 192.168.10.2, mail as the host record with 192.168.10.3, etc.

Now when users are operating outside of your office and connect to www.external.com they will get the correct external IP, and when they operate on the LAN and connect to www.external.com they will get the correct internal IP.

It is a useful way of being able to use the same URLs regardless of where you are.

keith - ISA Forefront MVP
0
 
awilderbeast (Author) commented:
Sorry, here are the screens.

So it's just for the mail then? For mail.external.org, add it on the internal domain with the internal IP?

And for the web, which is hosted externally altogether, do I just put the external record in the internal as well, or just leave it?
external-domain.png
internal-domain.png
0
 
Keith Alabaster commented:
You need all the records adding.

Once you add the domain into the internal DNS, internal clients and servers will see the new domain you have created and will ONLY look here for the DNS records for that domain, i.e. internal clients will no longer look at the ISP copy of external.com.

So you need to add ALL host records that are listed with the ISP for external.com into the internal DNS copy, with the internal IP addresses for these servers, and if www (for example) is only on the outside, then for that record you would add the normal external IP address as you mention above.

0
 
Chris Dent (PowerShell Developer) commented:

Happy new year Keith :)

All records, unless you only need mail, in which case recreating the zone as "mail.company.org" and adding a Host (A) record with a blank name will have the same effect without any of the administrative overhead.

Chris
0
 
Keith Alabaster commented:
Hey Chris, same to you :)

I tend to advise the full approach these days: so many organisations are now making additional services available, such as SharePoint, extranet, terminal services, SSL VPNs etc., that it is simpler in the long run. Yes, it is slightly more on the admin side, but as it is so easy to do it covers all angles. As the asker has ISA Server and the ability to publish all of those services it made sense to me, but it is their call of course.
0
 
awilderbeast (Author) commented:
So under domain.local I need to add a www record and a mail record for my DNS to be working correctly?

How do I add the new records?

When I go to New Host and type in mail.mydomain.org, it says the FQDN is mail.mydomain.org.domain.local.

Am I doing something wrong?

Thanks
0
 
Keith Alabaster commented:
Yes, you are doing something totally wrong.

Look at mine, attached.

Once you have created the new domain at the TOP level, you can right-click it and select New Host records.

newextdom.png
localdom.png
0
 
awilderbeast (Author) commented:
I'm still a bit lost.

All I've done so far is go to mydomain.local and then create a new host record to point mail.mydomain.local to my internal IP.

What do you mean, the domain at the top level?

I have mydomain.org at the top level at the moment, don't I?
0
 
Keith Alabaster commented:
Have you looked at the images I attached? You can see that both domains are at the top level of the DNS Manager snap-in.

0
 
Keith Alabaster commented:
If you have followed Chris's option then I will leave this to him. If you have followed my instructions throughout, then this is extremely simple to do.
0
 
awilderbeast (Author) commented:
Yeah, I'm following yours, Keith.

Sorry to sound dumb, but what is the top level?
0
 
Keith Alabaster commented:
Open DNS Manager, select your server, then go into Forward Lookup Zones. This is the top level where all forward zones can be viewed and created.
In here you will make an AD zone called yourexternaldomain.com or whatever it is.
Once created, you can right-click this new domain name and create the host records you need. Each host created in here needs just the server name (www, mail, sharepoint or whatever) and the internal IP address, or the external IP address in the case of your www server, as you stated it is external to you.
0
 
Keith Alabaster commented:
When you create the new host records, do NOT include the domain name part, as this will be recognised automatically.
0
 
awilderbeast (Author) commented:
Isn't that what I already have here though?

Forward Lookup Zones has domain.org and domain.local under there, and then they have the records in, yes?
example.png
0
 
Keith Alabaster commented:
Obviously you have masked the domain name so I cannot see it, but it looks quite long. It is in the right place, but are you confirming that it is the domain name only and not a FQDN?
0
 
awilderbeast (Author) commented:
Yeah, the domain name is the one ending in .org.

What do you mean, the domain name only and not the FQDN though?

I think it's the domain name, yeah.

Thanks
0
 
Keith Alabaster commented:
A FQDN would be something like mail.domain.com.
A domain name is just the domain.com part.
0
 
awilderbeast (Author) commented:
Yeah, then it's the domain name.

So I'm all good to go?

Thanks for all the little explanations you've given me, helps a lot! :)
0
 
Keith Alabaster commented:
You can tell by going to an internal client PC and typing in the following at a cmd prompt:

c:\>nslookup www.yourexternaldomainname.org   (should return the external IP as normal)

c:\>nslookup mail.yourexternaldomainname.org   (should return the internal IP address)

If you did this from an external client PC, you should get the external IP address back for both.

0
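The zone-and-records procedure Keith walks through above, together with his nslookup check, as an added example scripted with the DnsServer and DnsClient PowerShell modules on the internal DNS server; this is not code from the thread, and the zone name and every IP address in it are constructed placeholders.

```powershell
# Added example, not code from the thread. Keith's zone-plus-records procedure and his
# nslookup check, done with the DnsServer/DnsClient PowerShell modules on the internal
# DNS server. The zone name and every IP address below are constructed placeholders.
$Zone = 'external.com'                 # must match the zone the ISP hosts for you

# Every name the ISP publishes for the zone, with the address INTERNAL clients should get.
# Internal clients only ever consult this copy, so a name left out here stops resolving
# on the LAN instead of falling through to the ISP.
$Records = @{
    'mail'     = '192.168.10.3'        # published through ISA: hand out the internal address
    'extranet' = '192.168.10.4'
    'www'      = '203.0.113.10'        # hosted by the web host: keep the public address
}

# 1. AD-integrated forward lookup zone at the top level of DNS Manager (Forward Lookup Zones).
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope 'Domain'
}

# 2. Host (A) records. Use the short name only; typing the FQDN here is what produced
#    mail.mydomain.org.domain.local in the thread.
foreach ($name in $Records.Keys) {
    if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $name -RRType A -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name -IPv4Address $Records[$name]
    }
}

# Chris's lighter alternative for a single host: a zone named after the host itself,
# with the record at the zone apex ('@' is the blank name in the GUI).
# Add-DnsServerPrimaryZone -Name "mail.$Zone" -ReplicationScope 'Domain'
# Add-DnsServerResourceRecordA -ZoneName "mail.$Zone" -Name '@' -IPv4Address '192.168.10.3'

# 3. Verify the way Keith does with nslookup, from a client that uses the internal DNS.
#    Any name the ISP serves that is missing here is flagged, because internally it now
#    returns NXDOMAIN rather than the ISP's answer.
$IspNames = @('www', 'mail', 'extranet', 'sharepoint')   # constructed: copy this list from the ISP zone
foreach ($name in $IspNames) {
    $fqdn = "$name.$Zone"
    $answer = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'A' }
    if ($answer) {
        '{0,-30} {1}' -f $fqdn, ($answer.IPAddress -join ', ')
    } else {
        Write-Warning "$fqdn is published by the ISP but missing from the internal copy of $Zone"
    }
}
```

Run the verification step from an internal client and again from outside the LAN: www should return the public address in both places, while mail and extranet should differ.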
 
Keith Alabaster commented:
Excellent :) Thanks

Keith
0
