Solved

Two domain names, one DNS server, one IIS: How do I get the second domain name working.

Posted on 2011-03-22
809 Views
Last Modified: 2012-06-21
I have two domain names registered; let's call them:
yy.org (old, and working)
xx.org

Our organization's domain is yy.org... Our "charlie" server acts as a name server (we run DNS). One of the entries is for "www", which redirects to our external IP/router (and the router ends up routing the IP to the correct internal server running IIS).

That all works fine. If someone goes to www.yy.org they go to our website.

The problem is, we now want the new domain (xx.org) to do the same thing. But, because the domain is yy.org and not xx.org, it seems like the DNS server is not responding with the external IP (because it's supposed to respond to www.yy.org and not www.xx.org).

How do I resolve this? My DNS server knowledge is rather weak. I assume I may have to create some sort of another "xx.org" domain on our charlie server, then set up "www".

Note: we are using IIS7, so I can set up bindings once we get the DNS issue resolved.
Question by:AFSTech
23 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 35189529

You're right in thinking that you'd need a Forward Lookup Zone for yy.org, without that your server has no means of giving an answer.

I assume that you handle the DNS service entirely? And that you've sorted out the name servers for the domain with the registrar (if that's relevant)?

Chris

Author Comment

by:AFSTech
ID: 35189597
Yes, right now our DNS server is doing everything. The registrar is "ns1.xx.org" and when I use nslookup it hits our server; that's where it does not find our external IP.

Without the www this is what we get:
yy.org: many addresses, including our external IP
xx.org: Nothing in terms of IPs (other than the address of the internal DNS server)

www.yy.org: Our external IP (this is the www entry doing this, and this is what we want)
www.xx.org: Wrong IP from a misc site that says "this site is under construction" (our registrar doing this, probably).
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35189607

Yes, you need to set up another DNS domain on the DNS server and set up a CNAME record. Because when a client types in www.xx.org it will contact a DNS server on its local LAN if it does have the record in its cache or host table. If the DNS server on the local LAN does not have the record, then the DNS server will contact the root servers on the internet. The .org root server will refer the request for xx.org to your DNS server, which will have the DNS records for xx.org, so you need to have a DNS domain set up on your DNS server for name resolution so clients on the internet know how to get to you or find you on the internet.

Author Comment

by:AFSTech
ID: 35189797
That's what I had figured. But the problem has been I do not know what to do beyond that.

I do not want to try random things on this server. Creating a primary zone, secondary zone and stub zone all sound like something else.
LVL 70

Expert Comment

by:Chris Dent
ID: 35189867

> www.xx.org: Wrong IP from misc site that says "this site is under construction" (our registrar doing this probably).

If you run "nslookup www.xx.org" what do you get back at the moment? Presumably the wrong IP?

We have two parts to this, the first is DNS. Are you actually running the name server for xx.org? The failure to get what you want suggests not. If you plan to, you will need to change servers with the registrar. If not, you will need to request changes, or make changes, to the existing zone (with whoever hosts that).

Breaking that down:

1. Establish who hosts the zone (perhaps try: nslookup -q=ns xx.org)
2. Request or make the changes (you may need to create a Forward Lookup Zone for xx.org)

Once you're past that you're on to the web server, and it sounds like you have that bit down.

Chris

Author Comment

by:AFSTech
ID: 35190164
"nslookup -q=ns xx.org"

Gives me no name servers, but lists the FQDN and the IP of the server hosting the DNS.

"nslookup -q=ns www.xx.org"
This also gives the FQDN and IP of the DNS server (charlie). But it lists ns1.xx.org along with three other entries, ns2.meganameservers.com (to ns4). All these ns# entries are under "non-authoritative answer". I cannot get rid of all three of them because they require at least 2 entries... But I figure it always tries ns1 first, so it should not matter...

I assume what happens is when it hits our DNS (because of ns1) it does not resolve correctly, so it's ns2 that resolves to the "under construction" page.

Another weird note: A few days ago, after having this exact setup (trying misc settings in the registrar), the redirect was working for a short while.
LVL 70

Expert Comment

by:Chris Dent
ID: 35190451

> ... But I figure it always tries ns1 first,

It does not. Order is rotated.

Can you share the real domain names? Might be easier to see what's going on.

Chris

Author Comment

by:AFSTech
ID: 35190697
It's www.golfforekids.ca

I removed ns3 and ns4 from the registrar, but apparently those changes haven't taken effect.
LVL 70

Expert Comment

by:Chris Dent
ID: 35190734
Cool thanks :)

Okay, that looks good, all name servers respond, and all name servers provide the same answer with and without www.

So, is the answer right? I get back 216.251.32.99. Is that up to date?

Chris

Author Comment

by:AFSTech
ID: 35190980
No, the IP ending with 195 (ns1) is the correct IP. The firewall there directs the DNS requests to our DNS server, while other requests (HTTP) go to our IIS server.
LVL 70

Expert Comment

by:Chris Dent
ID: 35191084

Hmm no addresses ending with 195 are listed. But if you're waiting on updates with the registrar that may explain that, it's one of the few things we cannot do much to check.

Chris

Author Comment

by:AFSTech
ID: 35198560
I have another DNS that has 3 other DNS entries that are 3 incorrect IPs... Despite this fact the URL works 100% of the time...

It's almost like this error is being caused when they try to check the validity of the DNS on our server, and when they realize it's not right, they always respond with their own "Internet address".

I think what's most important is to fix the issue on the server first, then the registrar issue should resolve itself after I resubmit the correct information...
LVL 70

Expert Comment

by:Chris Dent
ID: 35198719
I'm afraid I don't follow this:

> It's almost like this error is being caused when they try to check the validity of the DNS on our server, and when they realize it's not right,
> they always respond with their own "Internet address".

Who is they?

The only people who will check DNS servers would be the registrar. But that'll be at the point you define them, never after. Beyond that DNS is simple, it responds with exactly the information you tell it to. If the entries, or name servers I quoted above are wrong that needs to be addressed.

Chris

Author Comment

by:AFSTech
ID: 35198827
In golfforekids.ca under name server I have:
ns1.golfforekids.ca 209.105.201.195
ns2.meganameservers.com (no IP)

The second entry needs to be there; it needs 0 or 2 to 13 entries.

In algomafamilyservices.org (www.algomafamilyservices.org works because of a www entry in our DNS server):
ns1.algomafamilyservices.org 209.105.201.195
ns2.everydns.net (no IP)
ns3.everydns.net (no IP)
ns4.everydns.net (no IP)

All my DNS requests hit my ISP's DNS server, so even at home I cannot look at the packets and know what happens beyond that... but what I think happens is the DNS request does not find an entry for www.golfforekids.ca, so it goes to one of the meganameservers.com entries to display the "under construction" page.
LVL 70

Expert Comment

by:Chris Dent
ID: 35198887

> but what I think happens is the DNS request does not find an entry for www.golfforekids.ca, so it goes to one of the meganameservers.com
> entries to display the "under construction" page.

It doesn't. DNS just doesn't work like that.

ns1.algomafamilyservices.org lists:

www.golfforekids.ca. 657 IN A 216.251.32.99

But nothing for "golfforekids.ca". Even so, you think the entry above is incorrect?

It does not have an NS Record for ns1.algomafamilyservices.org, and nor does the registrar, meaning no one will ever ask ns1.algomafamilyservices.org for an answer about golfforekids.ca.

If the Host (A) record for www.golfforekids.ca is incorrect you need to get it changed with meganameservers.com. That's the only place anyone will look for an answer at the moment.

Chris

Author Comment

by:AFSTech
ID: 35198940
I understand that. I am saying the algomafamilyservices.org setup is working correctly with those settings.

algomafamilyservices.org points to 209.105.201.195, which is what we want.
golfforekids.ca points to 216.251.32.99, but we want it to point to 209.105.201.195.

They are two different domain names, but I want them both to point to the same IP.

As I have mentioned somewhere in one of my previous posts, the settings I had DID work for at least a few hours last Friday.

Author Comment

by:AFSTech
ID: 35198947
> If the Host (A) record for www.golfforekids.ca is incorrect you need to get it changed with meganameservers.com. That's the only place anyone will look for an answer at the moment.

OK, I will try that. That is a completely different setup than our other working domain name, but I do understand your logic.
LVL 70

Expert Comment

by:Chris Dent
ID: 35198973
Normally you need this to make the two names work:

golfforekids.ca.   Host (A)   209.105.201.195
www.golfforekids.ca.   Host (A)   209.105.201.195

An alternative to that is:

golfforekids.ca.   Host (A)   209.105.201.195
www.golfforekids.ca.   Alias (CNAME)  golfforekids.ca.

Both are perfectly acceptable and will tell anyone asking that they should talk to 209.105.201.195 about each name.

At the moment you have an entry for both, pointing at 216.251.32.99 on ns1.algomafamilyservices.org.

Chris

Author Comment

by:AFSTech
ID: 35199082
No luck. It only allows me to create name servers based on the golfforekids.ca domain name... so things like www.golfforekids.ca and ns1.golfforekids.ca, etc.

If I put in other name servers like meganameservers.com or ns1.meganameservers.com they get added, but without an IP.

Anyway... we just changed things around. We added another DNS server on another server and are using a second one of our external IPs to point to that server... So with any luck this setup will effectively work the same way our first site (www.algomafamilyservices.org) works...
LVL 70

Accepted Solution

by: Chris Dent (earned 500 total points)
ID: 35199301
Hmmm

I really can't go as far as saying algomafamilyservices.org works. The setup you have is awful, it might get by, but that doesn't mean it's correct. I strongly recommend you consider paying someone else to host your public DNS infrastructure. It's not expensive, but will be far more robust and reliable than this.

If you set up golfforekids.ca along the same lines you'll end up with a pretty seriously flawed and generally unreliable system. Not to mention the difficulty involved in debugging things when they go wrong.

These are the problems:

1. Name Servers listed at parent do not match Name Servers listed on responding name servers

Parent says:

 algomafamilyservices.org. 86400 IN NS ns4.everydns.net.
 algomafamilyservices.org. 86400 IN NS ns2.everydns.net.
 algomafamilyservices.org. 86400 IN NS ns1.algomafamilyservices.org.
 algomafamilyservices.org. 86400 IN NS ns3.everydns.net.

ns1.algomafamilyservices.org says:

 algomafamilyservices.org. 3600 IN NS golf.algomafamilyservices.org.
 algomafamilyservices.org. 3600 IN NS charlie.algomafamilyservices.org.

2. Lame name servers

None of the everydns.net servers respond to requests. Only ns1.algomafamilyservices.org.

3. Private IP Addresses advertised for NS records

None of your name servers list public IP addresses, they only list private IP addresses. This makes the NS record set pretty useless.

 golf.algomafamilyservices.org. 1200 IN A 10.10.0.16
 charlie.algomafamilyservices.org. 3600 IN A 10.10.0.10

4. Zone is shared with Active Directory

While this is not inherently bad it makes the configuration of the zone far more complex and exposes information you may not necessarily want to make public. For instance, I know these are your Global Catalog servers and therefore Domain Controllers:

 charlie.algomafamilyservices.org.
 golf.algomafamilyservices.org.
 wawa.algomafamilyservices.org.
 elake.algomafamilyservices.org.

5. Authoritative server responds to Recursive Queries

I mean I can do this:

nslookup www.google.com ns1.algomafamilyservices.org

This opens you up to Denial of Service attacks. This cannot be effectively restricted in MS DNS as long as the DNS service is shared.

6. Domain Name points to server outside of domain

For an AD Domain this is bad:

algomafamilyservices.org. 3600 IN A 209.105.201.195

It *must* point to your Domain Controller IP addresses if you expect Group Policy and DFS to work correctly within your organisation.

Chris

Author Comment

by:AFSTech
ID: 35199572
Interesting information. I have also noticed some of these weaknesses (like the public AD, private IP address broadcast, and the everydns issue). I will pass it along to the other IT staff.

I am the programmer here, so server management is not my area of expertise (although that knowledge is quickly increasing).

Either way, I'll give this a day or two. This way we could at least get it "working". But we have also discussed getting a third party to host the DNS, but we want to save money if possible (we are a non-profit organization).
LVL 70

Expert Comment

by:Chris Dent
ID: 35199674
Ah good, at least it's not your problem :)

Hosting it is understandable, it's just I believe it to be false economy unless you have existing in-house skills. While I think DNS is simple, it's also easy to get very wrong.

Anyway, please do say if you need anything else. It'll be very difficult putting it in a reliable / sane state as long as AD is in the mix. Perhaps suggest they take a look at zoneedit.com?

http://www.zoneedit.com/

They're very good, especially at the price :)

Chris

Author Closing Comment

by:AFSTech
ID: 35199829
Passed this information on to the IT staff who take care of our DNS. In the meantime the "2 DNS" solution is currently "working"...
