Solved

How to create a DNS exception for an external website

Posted on 2010-09-09
12
1,737 Views
Last Modified: 2012-05-10
Here is my scenario: My company has an affiliation with another company (different domain, no trusts) with a VPN with access to limited, specific IP addresses. This company has a number of websites that have external public IP addresses and different internal public IPs.

When I try to get to a specific website by name (we'll call it site X) I get their standard redirect saying I am trying to get to the site from outside the network and that I should use an alternate site. If I put the site x.company.com and inside IP (routed over VPN) into my hosts file I get the site I want.

How do I get this to work without using the local hosts file? If I try to make an entry in my DNS it wants me to create a new zone (for that domain name), which then causes problems getting to any other resource that I still get to on that domain via public DNS.

So I need to get to some company.com resources via the internet and public DNS and I need to get to some resources via VPN routed IP addresses which are not in DNS.
Question by:TRCC_IT
12 Comments
 
LVL 7

Expert Comment

by:CGretski
ID: 33639852
You could setup a forwarder for that domain to their internal DNS servers and leverage their internal DNS configuration.  (They'll probably have provisions for any external addresses to allow their own clients access)
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33639925
You could use DNS Forwarders for the domain. Go into your DNS server, right-click the server, go to Properties, then the Forwarders tab.

Or you could add a Secondary DNS zone for the other site's domain.
0
 

Author Comment

by:TRCC_IT
ID: 33640103
Currently we don't have access to any of their internal DNS servers, though I can certainly request such. They are a large organization and have separate DNS for internal and external.

dariusq: Setting up a 2nd zone has caused me trouble. When I put 1 manual entry in it for a public IP on the inside of company.com's network it breaks my resolving any of their externally published DNS names. I can see if combining a forwarder with a 2nd zone fixes the problem though. Will get back to you.
0
 
LVL 3

Expert Comment

by:gremwell
ID: 33640118
Or you could create a zone x.company.com (yes, x.company.com, not company.com) and have a single A record for . (that is, dot). This might be a weird solution, but it should work.
1
 

Author Comment

by:TRCC_IT
ID: 33640462
Okay, so I setup a forwarder on my DNS server so that external requests to company.com should not break if I create my own zone for company.com. I used 4.2.2.2.

Then I created the new zone (company.com) and added the A record for X. I flushed the DNS cache and I was still getting the redirected page despite my pings now resolving the correct IP that I wanted. I closed and reopened the browser and the correct site came up! I was excited, but then found I was having problems getting to other company.com sites that I access via the internet. On to troubleshooting right now.
0
 

Author Comment

by:TRCC_IT
ID: 33640647
I had to delete the zone for company.com in order to be able to get to www.company.com.

I will try the suggestion for the x.company.com zone next.
0
 
LVL 7

Accepted Solution

by:
CGretski earned 250 total points
ID: 33640937
Your DNS servers will either use a local zone, or a forwarder for that zone (in that order), not both.

Either way you need a zone that contains the internal addresses for servers you need to access via the VPN, and external addresses for those that you access via the internet.
Ideally you'd use theirs (if they allow your DNS servers to query theirs); they must already have a zone for this.
Either forward requests to them (using a forwarder), or host a copy of their zone (requires more permissions: their servers have to allow the zone transfer to yours; could use more or less bandwidth depending on the zone and caching).

The other option is creating your own zone, and putting in it all the addresses your clients will need (and keeping them up to date).

3rd possibility, which I think is where gremwell was going: if the servers don't require you to access them by specific names (i.e. can you use them just by IP address), you could create a zone company.local with only the server names in it that you need to access over the VPN. Then if you go to x.company.local it tries to access it over the VPN (or fails if it's not a record you've set up), while x.company.com would still try access over the internet. Main downside with this is the end users need to know to use x.company.local to get at X internally.
0
 

Author Comment

by:TRCC_IT
ID: 33641423
I guess I was hoping there was some way of simulating a hosts entry at the DNS level. The x.company.com zone got me close, but as soon as I tried any link off the main website it would break. With the hosts file entry I could browse to any link as long as it was on the same server.

For example using hosts file with entry:
#.#.#.#           x.company.com
I could browse links to a.x.company.com, b.x.company.com, etc.

With DNS zone x.company.com and blank A record pointing to #.#.#.# I could get to the front page only and no links.

So there is no way to emulate what a hosts record does at the local DNS level? If that is the case then it sounds like my best bet is to get access to the internal DNS of our affiliate.
0
 
LVL 7

Expert Comment

by:CGretski
ID: 33641532
Hosts files only match the exact name in the file (they just prepopulate the local DNS cache).
DNS will match the entire zone, either with a matching record, or stating that no such address exists.

Creating many zones, one for each server name (as per gremwell), will work like the hosts file, but you need to create zones for all the hosts that the web page will link you to; it's a lot of work, and if they've already done the work, best use theirs.

0
 
LVL 7

Expert Comment

by:CGretski
ID: 33641555
Just a thought: if they won't give you access to their internal DNS servers (for whatever reason they don't want you connecting to the servers), they might still be willing to give you a copy of their DNS zone file. Then you could install that into your DNS server and run a local copy, which saves you the work of recreating it.
0
 
LVL 3

Assisted Solution

by:gremwell
gremwell earned 250 total points
ID: 33643987
It is not very nice of them not to give you access to DNS. Normally they should be able to restrict what information you can access to the minimum necessary to navigate the website they expose to you. I wonder how you get IP addresses of their internal servers without access to their internal DNS in the first place?

Anyway, without such access your only option is to recreate it on your side. I'm not sure if you can use off-the-shelf DNS software to really solve your problem (fix selected FQDNs and pass the rest to other servers). It certainly can be solved by writing a custom DNS server; there are some around written in Perl which are easy to customize. Or perhaps you could play with ISC BIND cache files in some weird way. I don't know if you even want to think in these directions.

Partial solution: creating an individual zone with a '. IN A #.#.#.#' record for each and every host you need to access, like you have already tried. But this will still break things. You can fix x.company.com and a.x.company.com this way, but if you query for b.x.company.com it will not go to your public servers.

Perhaps the only way to fully solve your problem is to go back to hosts files. You can probably automate their synchronization across workstations with AD policy or something.
0
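A small model of the matching rules CGretski and gremwell describe above (hosts file = exact name only; a local zone is authoritative for everything under it and never falls through to the forwarder), added here as an illustration and not code from this thread. Zone names, the override IP 10.1.1.5 and the wildcard record case are constructed assumptions; the wildcard case goes one step beyond the thread to show what a zone would need in order to cover links like a.x.company.com.

```python
"""Constructed model of how a forwarding DNS server (Windows DNS, BIND) and a
hosts file each decide an answer. It explains the breakage seen in the thread:
a company.com zone hides www.company.com, and an x.company.com zone hides
a.x.company.com, because local zones win before the forwarder is consulted."""

NXDOMAIN = "NXDOMAIN"
FORWARDER = "forwarder"   # placeholder for "sent to public DNS via forwarder"


def hosts_lookup(hosts, name):
    """Hosts file semantics: exact name only, no zone or subdomain matching."""
    return hosts.get(name.lower().rstrip("."))


def resolve(zones, hosts, name):
    """Decide where a query for `name` ends up.

    zones: {"zone.name": {"relative_label": "ip", "@": apex_ip, "*": wildcard_ip}}
    hosts: {"fqdn": "ip"} simulating the client's hosts file.
    Order, as described in the thread: hosts entry, then the longest local zone
    covering the name (authoritative: record or NXDOMAIN, never the forwarder),
    and only a name covered by no local zone goes to the forwarder."""
    name = name.lower().rstrip(".")
    hit = hosts_lookup(hosts, name)
    if hit:
        return hit
    labels = name.split(".")
    for i in range(len(labels)):            # most specific zone suffix first
        zone = ".".join(labels[i:])
        if zone not in zones:
            continue
        records = zones[zone]
        rel = ".".join(labels[:i]) or "@"   # "@" is the zone apex
        if rel in records:
            return records[rel]
        if rel != "@" and "*" in records:   # assumed wildcard, not in the thread
            return records["*"]
        return NXDOMAIN                     # zone is authoritative: no fall-through
    return FORWARDER


if __name__ == "__main__":
    ip = "10.1.1.5"  # constructed VPN-side address for site X
    print("company.com zone:", resolve({"company.com": {"x": ip}}, {}, "www.company.com"))
    print("x.company.com zone:", resolve({"x.company.com": {"@": ip}}, {}, "a.x.company.com"))
    print("hosts file:", resolve({}, {"x.company.com": ip}, "a.x.company.com"))
```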
 

Author Closing Comment

by:TRCC_IT
ID: 33876008
I have been trying to get access to one of their DNS servers but have not gotten the okay from their IT dept yet. I was hoping to have that working before closing the question, but as that is the only solution I see being truly viable I am splitting the points to the 2 techs that offered the most help.

Thanks all.
0