How to create a DNS exception for an external website

Posted on 2010-09-09
Last Modified: 2012-05-10
Here is my scenario: My company has an affiliation with another company (different domain, no trusts) with a VPN with access to limited, specific IP addresses. This company has a number of websites that have external public IP addresses and different internal public IP.

When I try to get to a specific website by name (we'll call it site X) I get their standard redirect saying I am trying to get to the site from outside the network and that I should use an alternate site. If I put the site and inside IP (routed over VPN) into my hosts file I get the site I want.

How do I get this to work without using the local hosts file? If I try to make an entry in my DNS it wants me to create a new zone (for that domain name) which then causes problems getting to any other resource that I still get to on that domain via public DNS.

So I need to get to some resources via the internet and public DNS and I need to get to some resources via VPN routed IP addresses which are not in DNS.
Question by:TRCC_IT
Expert Comment

ID: 33639852
You could setup a forwarder for that domain to their internal DNS servers and leverage their internal DNS configuration.  (They'll probably have provisions for any external addresses to allow their own clients access)
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33639925
You could use DNS Forwarders for the domain. Go into your DNS server, right-click the server, go to Properties, then the Forwarders tab.

Or you could add a Secondary DNS zone for the other site's domain.

Author Comment

ID: 33640103
Currently we don't have access to any of their internal DNS servers, though I can certainly request such. They are a large organization and have separate DNS for internal and external.

dariusq: Setting up a 2nd zone has caused me trouble. When I put 1 manual entry in it for a public IP on the inside of's network it breaks my resolving any of their externally published DNS names. I can see if combining a forwarder with a 2nd zone fixes the problem though. Will get back to you.

Expert Comment

ID: 33640118
Or you could create a zone (yes, not and have a single A record for . (that is dot). This might be a weird solution, but it should work.

Author Comment

ID: 33640462
Okay, so I setup a forwarder on my DNS server so that external requests to should not break if I create my own zone for I used

Then I created the new zone ( and added the A record for X. I flushed the DNS cache and I was still getting the redirected page despite my pings now resolving the correct IP that I wanted. I closed and reopened the browser and the correct site came up! I was excited, but then found I was having problems getting to other sites that I access via the internet. On to troubleshooting right now.

Author Comment

ID: 33640647
I had to delete the zone for in order to be able to get to

I will try the suggestion for the zone next.

Accepted Solution

CGretski earned 250 total points
ID: 33640937
Your DNS servers will either use a local zone, or a forwarder for that zone (in that order), not both.

Either way you need a zone that contains the internal addresses for servers you need to access via the VPN, and external addresses for those that you access via the internet.
Ideally you'd use theirs ( if they allow your DNS servers to query theirs ) - they must already have a zone for this.
Either forward requests to them (using a forwarder), or host a copy of their zone ( requires more permissions - their servers have to allow the zone transfer to yours, could use more or less bandwidth depending on the zone & caching )

The other option is creating your own zone, and putting in it all the addresses your clients will need ( and keep them up to date )

3rd possibility, which I think is where gremwell was going - if the servers don't require you to access them by specific names (i.e. can you use them just by IP address) you could create a zone company.local with only the server names in that you need to access over the VPN - then if you go to it tries to access it over the VPN (or fails if it's not a record you've set up), would still try access over the internet. Main downside with this is the end users need to know to use to get at X internally.

Author Comment

ID: 33641423
I guess I was hoping there was some way of simulating a hosts entry at the DNS level. The zone got me close, but as soon as I tried any link off the main website it would break. With the hosts file entry I could browse to any link as long as it was on the same server.

For example using hosts file with entry:
I could browse links to,, etc.

With DNS zone and blank A record pointing to #.#.#.# I could get to the front page only and no links.

So there is no way to emulate what a hosts record does at the local DNS level? If that is the case then it sounds like my best bet is to get access to the internal DNS of our affiliate.

Expert Comment

ID: 33641532
Hosts files only match the exact name in the file (they just prepopulate the local DNS cache).
DNS will match the entire zone - either with a matching record, or stating that no such address exists.

Creating many zones, one for each server name (as per gremwell), will work like the hosts file, but you need to create zones for all the hosts that the web page will link you to; it's a lot of work, and if they've already done the work, best use theirs.


Expert Comment

ID: 33641555
Just a thought: if they won't give you access to their internal DNS servers (for whatever reason they don't want you connecting to the servers) they might still be willing to give you a copy of their DNS zone file, then you could install that into your DNS server & run a local copy -- saves you the work of recreating it.

Assisted Solution

gremwell earned 250 total points
ID: 33643987
It is not very nice of them not to give you access to DNS. Normally they should be able to restrict what information you can access to the minimum necessary to navigate the website they expose to you. I wonder how do you get IP addresses of their internal servers without access to their internal DNS in the first place?

Anyway, without such access your only option is to recreate it on your side. I'm not sure if you can use off-the-shelf DNS software to really solve your problem -- fix selected FQDNs and pass the rest to other servers. It certainly can be solved by writing a custom DNS server; there are some around written in Perl which are easy to customize. Or perhaps you could play with ISC BIND cache files in some weird way. I don't know if you even want to think in these directions.

Partial solution: creating an individual zone with a '. IN A #.#.#.#' record for each and every host you need to access, like you have already tried. But this will still break things. You can fix and a.x this way, but if you query for it will not go to your public servers.

Perhaps the only way to fully solve your problem is to go back to hosts files. You can probably automate their synchronization over workstation with AD policy or something.
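The two comments above (CGretski's on exact-name matching vs. zone matching, and gremwell's partial per-host-zone solution) describe a resolver behaviour that is easy to see in a small simulation. The following is an added example, not code from the thread: it models a hosts-file override beside a locally hosted per-host zone with a forwarder behind it. All names and addresses are constructed (the affiliate is `example.com`, the VPN site is `x.example.com` at 10.10.0.5, and 203.0.113.x stands in for their public addresses).

```python
"""Simulate why a per-host DNS zone does not behave like a hosts-file entry.

Constructed data: 'example.com' is the affiliate's public domain, 'x.example.com'
is the site reached over the VPN, 10.10.0.5 its internal address, and
203.0.113.0/24 addresses are what the affiliate's public DNS hands out.
"""

# Stand-in for the affiliate's public DNS, reached through the forwarder.
PUBLIC_DNS = {
    "x.example.com": "203.0.113.10",
    "a.x.example.com": "203.0.113.11",
    "b.x.example.com": "203.0.113.12",
    "www.example.com": "203.0.113.20",
}

# A hosts-file entry: exact-name match only; every other name falls through.
HOSTS = {"x.example.com": "10.10.0.5"}

# A locally hosted zone named exactly 'x.example.com' with one apex A record
# ("." / "@"), i.e. the per-host zone the thread experimented with.
LOCAL_ZONES = {"x.example.com": {"@": "10.10.0.5"}}


def resolve_with_hosts(name):
    """Hosts file first (exact match), then normal DNS via the forwarder."""
    if name in HOSTS:
        return HOSTS[name]
    return PUBLIC_DNS.get(name)  # None models NXDOMAIN


def _authoritative_zone(name):
    """Longest zone suffix the local server is authoritative for, or None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in LOCAL_ZONES:
            return candidate
    return None


def resolve_with_local_zone(name):
    """The local zone answers for every name under it; the forwarder is only
    consulted for names outside any local zone (zone first, forwarder second)."""
    zone = _authoritative_zone(name)
    if zone is None:
        return PUBLIC_DNS.get(name)  # not ours: forwarded to public DNS
    relative = "@" if name == zone else name[: -len(zone) - 1]
    # Any name under the zone without a record is NXDOMAIN, never forwarded.
    return LOCAL_ZONES[zone].get(relative)
```

Running both resolvers over `x.example.com`, `a.x.example.com` and `www.example.com` shows the hosts file overriding only the one name while the local zone swallows every name beneath `x.example.com`, which is exactly the "front page works, links break" symptom.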

Author Closing Comment

ID: 33876008
I have been trying to get access to one of their DNS servers but have not gotten the okay from their IT dept yet. I was hoping to have that working before closing the question, but as that is the only solution I see being truly viable I am splitting the points to the 2 techs that offered the most help.

Thanks all.
