Two domain names, one DNS server, one IIS: how do I get the second domain name working?

I have two domain names registered; let's call them:
yy.org (old, and working)
xx.org

Our organization's domain is yy.org. Our "charlie" server acts as a name server (we run DNS). One of the entries is for "www", which redirects to our external IP/router (and the router ends up routing the IP to the correct internal server running IIS).

That all works fine. If someone goes to www.yy.org they go to our website.

The problem is, we now want the new domain (xx.org) to do the same thing. But, because the domain is yy.org and not xx.org, it seems like the DNS server is not responding with the external IP (because it's supposed to respond to www.yy.org and not www.xx.org).

How do I resolve this? My DNS server knowledge is rather weak. I assume I may have to create some sort of another "xx.org" domain on our charlie server and then set up "www".

Note: we are using IIS7, so I can set up bindings once we get the DNS issue resolved.
AFSTech asked.
Chris Dent (PowerShell Developer) commented:
Hmmm

I really can't go as far as saying algomafamilyservices.org works. The setup you have is awful, it might get by, but that doesn't mean it's correct. I strongly recommend you consider paying someone else to host your public DNS infrastructure. It's not expensive, but will be far more robust and reliable than this.

If you set up golfforekids.ca along the same lines you'll end up with a pretty seriously flawed and generally unreliable system. Not to mention the difficulty involved in debugging things when they go wrong.

These are the problems:

1. Name Servers listed at parent do not match Name Servers listed on responding name servers

Parent says:

 algomafamilyservices.org. 86400 IN NS ns4.everydns.net.
 algomafamilyservices.org. 86400 IN NS ns2.everydns.net.
 algomafamilyservices.org. 86400 IN NS ns1.algomafamilyservices.org.
 algomafamilyservices.org. 86400 IN NS ns3.everydns.net.

ns1.algomafamilyservices.org says:

 algomafamilyservices.org. 3600 IN NS golf.algomafamilyservices.org.
 algomafamilyservices.org. 3600 IN NS charlie.algomafamilyservices.org.

2. Lame name servers

None of the everydns.net servers respond to requests. Only ns1.algomafamilyservices.org.

3. Private IP Addresses advertised for NS records

None of your name servers list public IP addresses, they only list private IP addresses. This makes the NS record set pretty useless.

 golf.algomafamilyservices.org. 1200 IN A 10.10.0.16
 charlie.algomafamilyservices.org. 3600 IN A 10.10.0.10

4. Zone is shared with Active Directory

While this is not inherently bad it makes the configuration of the zone far more complex and exposes information you may not necessarily want to make public. For instance, I know these are your Global Catalog servers and therefore Domain Controllers:

 charlie.algomafamilyservices.org.
 golf.algomafamilyservices.org.
 wawa.algomafamilyservices.org.
 elake.algomafamilyservices.org.

5. Authoritative server responds to Recursive Queries

I mean I can do this:

nslookup www.google.com ns1.algomafamilyservices.org

This opens you up to Denial of Service attacks. This cannot be effectively restricted in MS DNS as long as the DNS service is shared.

6. Domain Name points to server outside of domain

For an AD Domain this is bad:

algomafamilyservices.org. 3600 IN A 209.105.201.195

It *must* point to your Domain Controller IP addresses if you expect Group Policy and DFS to work correctly within your organisation.

Chris
0
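The first three findings in the audit above (NS set at the parent not matching the NS set the zone itself publishes, and name-server hosts advertised with private addresses) can be checked offline from the record text alone. The script below is an added example, not code from the thread or from Experts Exchange; the record lines are constructed from the values quoted in the answer, the zone name is passed in as an assumption, and the last check (apex A record pointing at an address that belongs to none of the in-zone name-server hosts) is a loose approximation of point 6 rather than a test for "is this a Domain Controller".

```python
"""Offline sanity checks on a DNS delegation, in the spirit of the audit above.
Added example (not from the thread). Input is dig/nslookup-style
'name ttl IN type rdata' text; the lines below are constructed from the
values quoted in the answer."""
import ipaddress
from collections import defaultdict

# Constructed input: what the parent (.org) side returned ...
PARENT_NS = """
algomafamilyservices.org. 86400 IN NS ns4.everydns.net.
algomafamilyservices.org. 86400 IN NS ns2.everydns.net.
algomafamilyservices.org. 86400 IN NS ns1.algomafamilyservices.org.
algomafamilyservices.org. 86400 IN NS ns3.everydns.net.
"""

# ... and what the zone's own server returned.
CHILD_RECORDS = """
algomafamilyservices.org. 3600 IN NS golf.algomafamilyservices.org.
algomafamilyservices.org. 3600 IN NS charlie.algomafamilyservices.org.
golf.algomafamilyservices.org. 1200 IN A 10.10.0.16
charlie.algomafamilyservices.org. 3600 IN A 10.10.0.10
algomafamilyservices.org. 3600 IN A 209.105.201.195
"""


def parse_records(text):
    """Parse 'name ttl IN type rdata' lines into (name, type, rdata) tuples.
    Names are lower-cased; malformed or blank lines are skipped."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        name, rtype = parts[0].lower(), parts[3].upper()
        rdata = " ".join(parts[4:]).lower()
        records.append((name, rtype, rdata))
    return records


def ns_set(records, zone):
    """NS targets published for the zone apex."""
    return {rdata for name, rtype, rdata in records if name == zone and rtype == "NS"}


def audit_delegation(zone, parent_text, child_text):
    """Return a list of human-readable findings (empty list means all checks passed)."""
    zone = zone.lower()
    if not zone.endswith("."):
        zone += "."
    parent = parse_records(parent_text)
    child = parse_records(child_text)
    findings = []

    # 1. Parent and child must agree on the NS set.
    parent_ns, child_ns = ns_set(parent, zone), ns_set(child, zone)
    if parent_ns != child_ns:
        findings.append("NS mismatch: parent %s vs child %s"
                        % (sorted(parent_ns), sorted(child_ns)))

    # 3. NS hosts must resolve to publicly routable addresses.
    # (ipaddress.is_private also covers other non-routable ranges, not just RFC 1918.)
    addrs = defaultdict(set)
    for name, rtype, rdata in child:
        if rtype == "A":
            addrs[name].add(rdata)
    for host in sorted(parent_ns | child_ns):
        for ip in sorted(addrs.get(host, ())):
            if ipaddress.ip_address(ip).is_private:
                findings.append("private address for NS host %s: %s" % (host, ip))

    # 6 (approximation): apex A record should be an address of an in-zone server.
    in_zone_addrs = set()
    for host in child_ns:
        if host.endswith("." + zone):
            in_zone_addrs |= addrs.get(host, set())
    for ip in sorted(addrs.get(zone, ())):
        if ip not in in_zone_addrs:
            findings.append("apex A %s is not an address of any in-zone name server" % ip)
    return findings


if __name__ == "__main__":
    for f in audit_delegation("algomafamilyservices.org", PARENT_NS, CHILD_RECORDS):
        print("-", f)
```

Run it as-is to see the four findings for the constructed data; to use it on your own zone, paste the NS output from the parent (nslookup -q=ns against a parent server) and the zone's own answers into the two strings. Points 2 and 5 (lame servers, open recursion) need live queries and are deliberately not modelled here.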
 
Chris Dent (PowerShell Developer) commented:

You're right in thinking that you'd need a Forward Lookup Zone for yy.org; without that your server has no means of giving an answer.

I assume that you handle the DNS service entirely? And that you've sorted out the name servers for the domain with the registrar (if that's relevant)?

Chris
0
 
AFSTech (Author) commented:
Yes, right now our DNS server is doing everything. The registrar is "ns1.xx.org" and when I use nslookup it hits our server; that's where it does not find our external IP.

Without the www this is what we get:
yy.org: many addresses, including our external IP
xx.org: Nothing in terms of IPs (other than the address of the internal DNS server)

www.yy.org: Our external IP (this is the www entry doing this, and this is what we want)
www.xx.org: Wrong IP from misc site that says "this site is under construction" (our registrar doing this probably).
0
 
ActiveDirectoryman commented:

Yes, you need to set up another DNS domain on the DNS server and set up a CNAME record, because when a client types in www.xx.org it will contact a DNS server on its local LAN if it does not have the record in its cache or hosts table. If the DNS server on the local LAN does not have the record, then the DNS server will contact the root servers on the internet. The .org root server will refer the request for xx.org to your DNS server, which will have the DNS records for xx.org, so you need to have a DNS domain set up on your DNS server for name resolution so clients on the internet know how to get to you or find you on the internet.
0
 
AFSTech (Author) commented:
That's what I had figured. But the problem has been I do not know what to do beyond that.

I do not want to try random things on this server. Creating a primary zone, secondary zone and stub zone all sound like something else.
0
 
Chris Dent (PowerShell Developer) commented:

> www.xx.org: Wrong IP from misc site that says "this site is under construction" (our registrar doing this probably).

If you run "nslookup www.xx.org" what do you get back at the moment? Presumably the wrong IP?

We have two parts to this, the first is DNS. Are you actually running the name server for xx.org? The failure to get what you want suggests not. If you plan to, you will need to change servers with the registrar. If not, you will need to request changes, or make changes, to the existing zone (with whoever hosts that).

Breaking that down:

1. Establish who hosts the zone (perhaps try: nslookup -q=ns xx.org)
2. Request or make the changes (you may need to create a Forward Lookup Zone for xx.org)

Once you're past that you're on to the web server, and it sounds like you have that bit down.

Chris
0
 
AFSTech (Author) commented:
"nslookup -q=ns xx.org"

Gives me no name servers, but lists the FQDN and the IP of the server hosting the DNS.

"nslookup -q=ns www.xx.org"
This also gives the FQDN and IP of the DNS server (charlie). But it lists ns1.xx.org along with three other entries, ns2.meganameservers.com (to ns4). All these ns# entries are under "non-authoritative answer". I cannot get rid of all three of them because they require at least 2 entries... But I figure it always tries ns1 first, so it should not matter...

I assume what happens is when it hits our DNS (because of ns1) it does not resolve correctly, so it's ns2 that resolves to the "under construction" page.

Another weird note: a few days ago, after having this exact setup (trying misc settings in the registrar), the redirect was working for a short while.
0
 
Chris Dent (PowerShell Developer) commented:

> ... But I figure it always tries ns1 first,

It does not. Order is rotated.

Can you share the real domain names? Might be easier to see what's going on.

Chris
0
 
AFSTech (Author) commented:
It's www.golfforekids.ca

I removed ns3 and ns4 from the registrar, but apparently those changes haven't taken effect.
0
 
Chris Dent (PowerShell Developer) commented:
Cool thanks :)

Okay, that looks good, all name servers respond, and all name servers provide the same answer with and without www.

So, is the answer right? I get back 216.251.32.99. Is that up to date?

Chris
0
 
AFSTech (Author) commented:
No, the IP ending with 195 (ns1) is the correct IP. The firewall there directs DNS requests to our DNS server, while other requests (HTTP) go to our IIS server.
0
 
Chris Dent (PowerShell Developer) commented:

Hmm no addresses ending with 195 are listed. But if you're waiting on updates with the registrar that may explain that, it's one of the few things we cannot do much to check.

Chris
0
 
AFSTech (Author) commented:
I have another DNS that has 3 other DNS entries that are 3 incorrect IPs... Despite this fact the URL works 100% of the time...

It's almost like this error is being caused when they try to check the validity of the DNS on our server, and when they realize it's not right, they always respond with their own "Internet address".

I think what's most important is to fix the issue on the server first; then the registrar issue should resolve itself after I resubmit the correct information...
0
 
Chris Dent (PowerShell Developer) commented:
I'm afraid I don't follow this:

> It's almost like this error is being caused when they try to check the validity of the DNS on our server, and when they realize it's not right,
> they always respond with their own "Internet address".

Who is they?

The only people who will check DNS servers would be the registrar. But that'll be at the point you define them, never after. Beyond that DNS is simple, it responds with exactly the information you tell it to. If the entries, or name servers I quoted above are wrong that needs to be addressed.

Chris
0
 
AFSTech (Author) commented:
In golfforekids.ca under name server I have:
ns1.golfforekids.ca 209.105.201.195
ns2.meganameservers.com (no IP)

The second entry needs to be there, it needs 0 or 2 to 13 entries.

In algomafamilyservices.org (where www.algomafamilyservices.org works because of a www entry in our DNS server) I have:
ns1.algomafamilyservices.org 209.105.201.195
ns2.everydns.net (no ip)
ns3.everydns.net (no ip)
ns4.everydns.net (no ip)

All my DNS requests hit my ISP's DNS server, so even at home I cannot look at the packets and know what happens beyond that... but what I think happens is the DNS request does not find an entry for www.golfforekids.ca, so it goes to one of the meganameservers.com entries to display the "under construction" page.
0
 
Chris Dent (PowerShell Developer) commented:

> but what I think happens is the DNS request does not find an entry for www.golfforekids.ca, so it goes to one of the meganameservers.com
> entries to display the "under construction" page.

It doesn't. DNS just doesn't work like that.

ns1.algomafamilyservices.org lists:

www.golfforekids.ca. 657 IN A 216.251.32.99

But nothing for "golfforekids.ca". Even so, you think the entry above is incorrect?

It does not have an NS Record for ns1.algomafamilyservices.org, and nor does the registrar, meaning no one will ever ask ns1.algomafamilyservices.org for an answer about golfforekids.ca.

If the Host (A) record for www.golfforekids.ca is incorrect you need to get it changed with meganameservers.com. That's the only place anyone will look for an answer at the moment.

Chris
0
 
AFSTech (Author) commented:
I understand that. I am saying the algomafamilyservices.org setup is working correctly with those settings.

algomafamilyservices.org points to 209.105.201.195, which is what we want.
golfforekids.ca points to 216.251.32.99, but we want it to point to 209.105.201.195.

They are two different domain names, but I want them both to point to the same IP.

As I have mentioned somewhere in one of my previous posts, the settings I had DID work for at least a few hours last Friday.
0
 
AFSTech (Author) commented:
> If the Host (A) record for www.golfforekids.ca is incorrect you need to get it changed with meganameservers.com. That's the only place anyone will look for an answer at the moment.

Ok, I will try that. That is a completely different setup than our other working domain name, but I do understand your logic.
0
 
Chris Dent (PowerShell Developer) commented:
Normally you need this to make the two names work:

golfforekids.ca.   Host (A)   209.105.201.195
www.golfforekids.ca.   Host (A)   209.105.201.195

An alternative to that is:

golfforekids.ca.   Host (A)   209.105.201.195
www.golfforekids.ca.   Alias (CNAME)  golfforekids.ca.

Both are perfectly acceptable and will tell anyone asking that they should talk to 209.105.201.195 about each name.

At the moment you have an entry for both, pointing at 216.251.32.99 on ns1.algomafamilyservices.org.

Chris
0
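To show that the two zone layouts above really do give the same answer, and to make the earlier point about rotation concrete (every name server in the delegation is asked in turn, so they must all agree), here is a small in-memory resolver. It is an added example, not code from the thread or from any DNS product: the zone contents are constructed from the addresses quoted in the discussion, the server names ns1/ns2/ns3 are placeholders, and the stale zone is invented to illustrate a disagreeing server.

```python
"""Added example (not from the thread): a minimal in-memory resolver that
follows CNAME chains, used to compare the two zone layouts and to check
that every delegated name server returns the same answer."""

MAX_CNAME_DEPTH = 8  # guard against CNAME loops (a -> b -> a)

# Layout 1: two Host (A) records (constructed from the thread's values).
ZONE_TWO_A = {
    "golfforekids.ca.": [("A", "209.105.201.195")],
    "www.golfforekids.ca.": [("A", "209.105.201.195")],
}

# Layout 2: apex Host (A) plus a www Alias (CNAME) to the apex.
ZONE_CNAME = {
    "golfforekids.ca.": [("A", "209.105.201.195")],
    "www.golfforekids.ca.": [("CNAME", "golfforekids.ca.")],
}

# Invented stale copy, as a server that was never updated might hold.
ZONE_STALE = {
    "golfforekids.ca.": [("A", "216.251.32.99")],
    "www.golfforekids.ca.": [("A", "216.251.32.99")],
}

# Invented broken zone: two aliases pointing at each other.
ZONE_LOOP = {
    "a.example.": [("CNAME", "b.example.")],
    "b.example.": [("CNAME", "a.example.")],
}


def resolve_a(zone, name, depth=0):
    """Return the set of A addresses for name, chasing CNAMEs inside the zone.
    Raises ValueError when the alias chain is longer than MAX_CNAME_DEPTH."""
    if depth > MAX_CNAME_DEPTH:
        raise ValueError("CNAME chain too long for %s" % name)
    answers = set()
    for rtype, rdata in zone.get(name.lower(), []):
        if rtype == "A":
            answers.add(rdata)
        elif rtype == "CNAME":
            answers |= resolve_a(zone, rdata, depth + 1)
    return answers


def has_cname_loop(zone, name):
    """True when resolving name never terminates in an A record."""
    try:
        resolve_a(zone, name)
        return False
    except ValueError:
        return True


def check_delegation(servers, names):
    """servers maps an NS host name to the zone data it serves.
    Returns ({name: {ns: frozenset(addresses)}}, [names the servers disagree on]).
    Because resolvers rotate through the NS set, any disagreement means
    clients will get different answers from one query to the next."""
    results, disagreements = {}, []
    for name in names:
        per_ns = {ns: frozenset(resolve_a(zone, name)) for ns, zone in servers.items()}
        results[name] = per_ns
        if len(set(per_ns.values())) > 1:
            disagreements.append(name)
    return results, disagreements


if __name__ == "__main__":
    names = ["golfforekids.ca.", "www.golfforekids.ca."]
    for label, zone in (("two A records", ZONE_TWO_A), ("A + CNAME", ZONE_CNAME)):
        print(label, {n: sorted(resolve_a(zone, n)) for n in names})
    _, bad = check_delegation({"ns1": ZONE_TWO_A, "ns2": ZONE_CNAME, "ns3": ZONE_STALE}, names)
    print("servers disagree on:", bad)
```

Both layouts resolve www.golfforekids.ca to 209.105.201.195; adding the stale server to the delegation makes check_delegation flag both names, which is the situation to look for when one name server in the registrar's list answers differently from the others.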
 
AFSTech (Author) commented:
No luck. It only allows me to create name servers based on the golfforekids.ca domain name... so things like www.golfforekids.ca and ns1.golfforekids.ca, etc.

If I put in other name servers like meganameservers.com or ns1.meganameservers.com they get added, but without an IP.

Anyway... we just changed things around. We added another DNS to another server and are using a second of our external IPs to point to that server... So with any luck this setup will effectively work the same way our first site (www.algomafamilyservices.org) works....
0
 
AFSTech (Author) commented:
Interesting information. I have also noticed some of these weaknesses (like the public AD, private IP address broadcast, and the everydns issue). I will pass it along to the other IT staff.

I am the programmer here, so server management is not my area of expertise (although that knowledge is quickly increasing).

Either way, I'll give this a day or two. This way we could at least get it "working". But we have also discussed getting a third party to host the DNS, but we want to save money if possible (we are a non-profit organization).
0
 
Chris Dent (PowerShell Developer) commented:
Ah good, at least it's not your problem :)

Hosting it is understandable, it's just I believe it to be false economy unless you have existing in-house skills. While I think DNS is simple, it's also easy to get very wrong.

Anyway, please do say if you need anything else. It'll be very difficult putting it in a reliable / sane state as long as AD is in the mix. Perhaps suggest they take a look at zoneedit.com?

http://www.zoneedit.com/

They're very good, especially at the price :)

Chris
0
 
AFSTech (Author) commented:
Passed this information on to the IT who take care of our DNS. In the meantime the "2 DNS" solution is currently "working"...
0