How to create a DNS exception for an external website

Posted on 2010-09-09
Medium Priority
Last Modified: 2012-05-10
Here is my scenario: My company has an affiliation with another company (different domain, no trusts) with a VPN with access to limited, specific IP addresses. This company has a number of websites that have external public IP addresses and different internal public IP.

When I try to get to a specific website by name (we'll call it site X) I get their standard redirect saying I am trying to get to the site from outside the network and that I should use an alternate site. If I put the site and inside IP (routed over VPN) into my hosts file I get the site I want.

How do I get this to work without using the local hosts file? If I try to make an entry in my DNS it wants me to create a new zone (for that domain name) which then causes problems getting to any other resource that I still get to on that domain via public DNS.

So I need to get to some resources via the internet and public DNS and I need to get to some resources via VPN routed IP addresses which are not in DNS.
Question by:TRCC_IT
Expert Comment

ID: 33639852
You could set up a forwarder for that domain to their internal DNS servers and leverage their internal DNS configuration. (They'll probably have provisions for any external addresses to allow their own clients access.)
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33639925
You could use DNS Forwarders for the domain. Go into your DNS server, right-click the server, go to Properties, then the Forwarders tab.

Or you could add a Secondary DNS zone for the other site's domain.

Author Comment

ID: 33640103
Currently we don't have access to any of their internal DNS servers, though I can certainly request such. They are a large organization and have separate DNS for internal and external.

dariusq: Setting up a 2nd zone has caused me trouble. When I put 1 manual entry in it for a public IP on the inside of's network it breaks my resolving any of their externally published DNS names. I can see if combining a forwarder with a 2nd zone fixes the problem though. Will get back to you.

Expert Comment

ID: 33640118
Or you could create a zone (yes, not and have a single A record for . (that is dot). This might be a weird solution, but it should work.

Author Comment

ID: 33640462
Okay, so I set up a forwarder on my DNS server so that external requests to should not break if I create my own zone for I used

Then I created the new zone ( and added the A record for X. I flushed the DNS cache and I was still getting the redirected page despite my pings now resolving the correct IP that I wanted. I closed and reopened the browser and the correct site came up! I was excited, but then found I was having problems getting to other sites that I access via the internet. On to troubleshooting right now.

Author Comment

ID: 33640647
I had to delete the zone for in order to be able to get to

I will try the suggestion for the zone next.

Accepted Solution

CGretski earned 750 total points
ID: 33640937
Your DNS servers will either use a local zone, or a forwarder for that zone (in that order), not both.

Either way you need a zone that contains the internal addresses for servers you need to access via the VPN, and external addresses for those that you access via the internet.
Ideally you'd use theirs ( if they allow your DNS servers to query theirs ) - they must already have a zone for this.
Either forward requests to them (using a forwarder), or host a copy of their zone ( requires more permissions - their servers have to allow the zone transfer to yours, could use more or less bandwidth depending on the zone & caching )

The other option is creating your own zone, and putting in it all the addresses your clients will need ( and keep them up to date )

3rd possibility, which I think is where gremwell was going - if the servers don't require you to access them by specific names (i.e. can you use them just by IP address) you could create a zone company.local with only the server names in that you need to access over the VPN - then if you go to it tries to access it over the VPN (or fails if it's not a record you've set up), would still try access over the internet. Main downside with this is the end users need to know to use to get at X internally.

Author Comment

ID: 33641423
I guess I was hoping there was some way of simulating a hosts entry at the DNS level. The zone got me close but as soon as I tried any link off the main website it would break. With the hosts file entry I could browse to any link as long as it was on the same server.

For example using hosts file with entry:
I could browse links to,, etc.

With DNS zone and blank A record pointing to #.#.#.# I could get to the front page only and no links.

So there is no way to emulate what a hosts record does at the local DNS level? If that is the case then it sounds like my best bet is to get access to the internal DNS of our affiliate.

Expert Comment

ID: 33641532
Hosts files only match the exact name in the file (they just prepopulate the local DNS cache).
DNS will match the entire zone - either with a matching record, or stating that no such address exists.

Creating many zones for each server name (as per gremwell) will work like the hosts file, but you need to create zones for all the hosts that the web page will link you to; it's a lot of work, and if they've already done the work, best use theirs.


Expert Comment

ID: 33641555
Just a thought: if they won't give you access to their internal DNS servers (for whatever reason they don't want you connecting to the servers) they might still be willing to give you a copy of their DNS zone file. Then you could install that into your DNS server and run a local copy -- saves you the work of recreating it.

Assisted Solution

gremwell earned 750 total points
ID: 33643987
It is not very nice of them not to give you access to DNS. Normally they should be able to restrict what information you can access to the minimum necessary to navigate the website they expose to you. I wonder how you get IP addresses of their internal servers without access to their internal DNS in the first place?

Anyway, without such access your only option is to recreate it on your side. I'm not sure if you can use off-the-shelf DNS software to really solve your problem -- fix selected FQDNs and pass the rest to other servers. It certainly can be solved by writing a custom DNS server; there are some around written in Perl which are easy to customize. Or perhaps you can play with ISC BIND cache files in some weird way. I don't know if you even want to think in these directions.

Partial solution: creating an individual zone with a '. IN A #.#.#.#' record for each and every host you need to access, like you have already tried. But this will still break things. You can fix and a.x this way, but if you query for it will not go to your public servers.

Perhaps the only way to fully solve your problem is to go back to hosts files. You can probably automate their synchronization across workstations with AD policy or something.
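To make concrete the behaviour CGretski and gremwell describe (a locally hosted zone wins over a forwarder and answers NXDOMAIN for names it lacks, while a per-FQDN zone also swallows names beneath it), here is an added Python simulation of the lookup order; it is not code from this thread, and the domain names and addresses are constructed placeholders.

```python
# Added simulation (not from this thread): how a DNS server with forwarders
# picks an answer. Domain names and addresses are constructed placeholders.
FORWARDER = {  # what the affiliate's public DNS would return for each name
    "www.affiliate.example": "203.0.113.10",
    "x.affiliate.example": "203.0.113.20",  # public-facing copy of site X
    "b.x.affiliate.example": "203.0.113.21",
}
HOSTS = {"x.affiliate.example": "10.20.30.40"}  # internal (VPN) address of X


def resolve(name, zones, forwarder=FORWARDER):
    """Return (source, answer). The most specific locally hosted zone whose
    apex is a suffix of the name is authoritative: it wins over the forwarder,
    and a name missing from it yields None (NXDOMAIN) instead of being
    forwarded. Only names matching no zone at all reach the forwarder."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    for i in range(len(labels)):  # i == 0 lets a zone named after the FQDN match
        apex = ".".join(labels[i:])
        if apex in zones:
            return ("zone:" + apex, zones[apex].get(name))
    return ("forwarder", forwarder.get(name))


def resolve_with_hosts(name, zones, hosts=HOSTS):
    """A hosts file matches the exact name only; anything else goes to DNS."""
    name = name.lower().rstrip(".")
    if name in hosts:
        return ("hosts", hosts[name])
    return resolve(name, zones)


# Attempt 1 in the thread: one zone for the whole affiliate domain holding only X.
WHOLE_DOMAIN = {"affiliate.example": {"x.affiliate.example": "10.20.30.40"}}
# Attempt 2 (gremwell's idea): a zone named after the FQDN with one apex record.
PER_HOST = {"x.affiliate.example": {"x.affiliate.example": "10.20.30.40"}}

if __name__ == "__main__":
    for zones, label in ((WHOLE_DOMAIN, "whole-domain zone"), (PER_HOST, "per-host zone")):
        print(label)
        for q in ("x.affiliate.example", "www.affiliate.example", "b.x.affiliate.example"):
            print(" ", q, "->", resolve(q, zones))
    print("hosts file:", resolve_with_hosts("b.x.affiliate.example", {}))
```

The whole-domain zone returns NXDOMAIN for www (the breakage seen in the thread), the per-host zone lets www fall through to the forwarder but still swallows b.x, and the hosts file matches only the exact name.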

Author Closing Comment

ID: 33876008
I have been trying to get access to one of their DNS servers but have not gotten the okay from their IT dept yet. I was hoping to have that working before closing the question, but as that is the only solution I see being truly viable I am splitting the points to the 2 techs that offered the most help.

Thanks all.
