• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 619
  • Last Modified:

local website working outside but on in our network

Hello we have a web server here. it works on my cell phone but does not work here in the network. what and where do i have to put a dns record?
Thanks.
0
tfsaccount
Asked:
tfsaccount
  • 16
  • 13
  • 9
1 Solution
 
setasoujiroCommented:
on your local dns server
if this is a windows server
administrative tools-->dns-->new forward lookup zone-->primary zone-->your domainname.com-->
then under this zone-->new "A" record-->FQDN: www.yourwebsite.com - IP of your server
and another one for "yoursite.com"-IP of server

and make sure internal clients use internal dns
0
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
Making some assumption here... (that your internal DNS server thinks it's authoritative for the domain in which the website resides, and from the point of view of the outside, it isn't.)

Assuming my assumptions are correct :

On your internal Windows 2003 DNS server, in the forward zone which the DNS server thinks it's authoritative for, add a static entry ('A record') for the web server name, pointed to IP address of the website.
0
 
tfsaccountAuthor Commented:
after i choose new primary zone do i choose
first second or third option?
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
setasoujiroCommented:
first
0
 
tfsaccountAuthor Commented:
Works. but not right. when i made the Host (A) record for the FQDN it put my domain at the end of the string so now the site works internally if we go to the whole FQDN not just www.tfsi1.com
why is that? host (a) host (a)
0
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
Okay, I'll spell other parts of my assumptions:
1. Internal clients are able to access other, external websites.
2. Your website is using a second level domain that your are also using for your internal Windows domain... and the internal machines therefore believe that your DNS server is authoritative for the domain.  They aren't GOING outside to resolve the address... unlike your cell phone, because the cell phone doesn't use your windows DNS server to resolve.

If those assumptions are true -- you don't need to create a new forward lookup zone.  Your internal clients aren't resolving the address correctly because you already have the zone that indicates it's authoritative.  You also don't want to make that zone disappear, because you are using it internally for your Windows domain.  In that case, ONLY create the new A record.
0
 
tfsaccountAuthor Commented:
Yes, That is the case. your assumptions are all right.
the only websites that internal users can't get to are ours. How do i make a record to point hrtraining.tfsi1.com to 172.17.7.69

also, the only other site they can not get to is our www.tfsi1.com but it is not hosted here. do i have to create a record for that too? as you can see i tried from the image above but that didn't work.
how do i create a record for internal users to get to www.tfsi1.com extreral ip address 12.40.84.40
0
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
Okay... it looks like my previous assumptions were not valid.
If you do not have a separate forward lookup zone for tfs1.com on your DNS servers... then that domain does not believe it's authoritative.  Rather than attempt to determine how to get the local DNS server to resolve the address locally, may be troubleshoot why that server isn't responding with the correct address?

Assuming this website was a recent change, lets ensure a bad address isn't in the cache.  In the DNS management, select 'View', 'Advanced', and you should now see 'Cache Lookups'.  Drill down into that tree, and see if you can find the bad address.  You should be able to delete the entry directly from the cache that way... (without clearing all of the server cache.)
0
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
> How do i make a record to point hrtraining.tfsi1.com to 172.17.7.69

In the forward lookup zone for tfsi1.com, (at the very top of that part of the zone... not in one of the 'subdirectories') add an A record for hrtraining, with a value of 172.17.7.69.

What you have in the attached screen shots is a 'fsgdmn.local' zone.  If you put something under the root of that it would be 'something.fsgdmn.local'... if you put it in the com subdomain under that... it would be 'something.com.fsgdmn.local'... and if you put it in the tfsi1 subdomain you get what you have above.

Do you have a forward lookup zone for tfsi1.com that doesn't appear in the screen shot above?
0
 
tfsaccountAuthor Commented:
no i do not have a tfsi1.com forward look up zone. should i make one like setasoujiro first said?

thakn you again for sticking w/ me on this...
0
 
tfsaccountAuthor Commented:
But i think it has to be a secondary zone. not primary.
0
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
Oh... one additional thing... which may confuse when you start hitting addresses from the browser.
In some cases... what you have above might work for workstations in your domain, but let me explain what may also be happening.

If your windows domain is using fsgdmn.local as it's domain... when you attempt to resolve an address... if Windows can't resolve... it will attempt to append your domainname to the address it is attempting to resolve.  So... if you type in www.tfsi1.com , and windows isn't able to resolve... it may try www.tfsi1.com.fsgdmn.local... which it might be able to resolve.  I assume that it why you have an 'intranet' entry in there as well.

You can test this from your workstation... assuming 'intranet.tfsi1.com' works for you.  Visit that site from your workstation (which I assume will direct you to 172.17.7.229.  From the CMD prompt on that machine, type 'ipconfig /displaydns', and look for the address.... which under the record name, show you the FQDN.
0
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
If you don't have a tfsi1.com forward lookup zone, and you aren't prepared to work with the folks who have the DNS server to do zone transfers to receive a secondary zone from them -- I would strongly advise against creating a new secondary zone just to add this address.  You will end up in a bad place as far as attempting to resolve correct addresses for that zone going forward.  (That is, unless you find the reason addresses in that domain aren't being resolved correctly, and it is for a very good reason...)
0
 
tfsaccountAuthor Commented:
for hrtraining.tfsi1.com which in an internal website we can't get..
browse to it via IP address (works)
did an ipconfig /displaydns

for hrtraining.tfsi1.com
Name does not exist
0
 
tfsaccountAuthor Commented:
ok, i won't create a secondary zone... but still can't figure out how to get 172.17.7.69 to point to hrtraining.tfsi1.com (internal server)
currently it is pointed to hrtraining.tfsi1.com.fsgdmn.local and that works for the site on the webserver 172.17.7.69

is this set up wrong? how do i get the local domain out of here? tfs
0
 
setasoujiroCommented:
just add an A record for that under the right zone in dns
0
 
setasoujiroCommented:
you are doing it wrong,
right click on forward lookupzones-->new zone-->make a zone "tfsi1.com"
then add an A record under THAT zone
0
 
setasoujiroCommented:
NOT under .local
0
 
tfsaccountAuthor Commented:
@setasoujiro didn't Razmus just say her would strongly recommend not doing that?
0
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
Okay... one more thing to try before we get into tracing down where things are broken:

Within the DNS Console, right click the server name, and select properties, and check the forwarders tab.  Make certain you don't have a specific entry for the DNS domain tfsi1.com already.  And if there IS an entry, make certain it doesn't point to a broken DNS server.  (Well... i guess make certain it's there...)  But if it isn't... one sec, and we'll trace this down.
0
 
tfsaccountAuthor Commented:
her *they
0
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
@setasoujiro -- _I_ can resolve hrtraining.tfsi1.com to 63.174.109.163.
If tfsaccount sets up a new zone for tfsi1.com ... and isn't REALLY prepared to keep the entries up to date... he's asking for trouble down the line.
0
 
setasoujiroCommented:
why shouldn't he?
0
 
setasoujiroCommented:
ok then....
0
 
tfsaccountAuthor Commented:
What if hrtraining.tfsi1.com to 63.174.109.163 never changes?
0
 
setasoujiroCommented:
then please follow the things i said...
0
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
If you add the zone 'tfsi1.com'... and hrtraining never changes... than that address would work.
But if the administrator for the zone adds 'newfunctionwebsite'.tfsi1.com ... you won't be able to resolve that address.
I'd encourage you to determine why tfsi1.com addresses aren't resolving... troubleshooting procedure next...
0
 
tfsaccountAuthor Commented:
here is what the the forwarders tab looks like. it only has our ISP dns addresses in there. and check the forwarders tab
0
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
The first entry is for Sprint's DNS... I assume you aren' otherwise having a resolution problem.

Rather than creating a new zone -- under forwarders, try adding a New forwarder for tfsi1.com
Under than entry, try IP address for 205.178.190.52 and 205.178.188.52

Those are the NS for srsplus.com which report that they ARE authoritative for the tfsi1.com domain.
0
 
tfsaccountAuthor Commented:
I think i am having a resolution problem. even some emails are not working but that could be a whole different issue in its own.
0
 
tfsaccountAuthor Commented:
so now hrtraining.tfsi1.com is working on the DNS server but not on my computer.
i did a flush dns and still noting.
it tells me if could not find host ping
0
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
This is why I don't recommend creating zones without coordination and having DNS servers report they are authoritative when they aren't.

The first entry on your DNS list is 206.228.179.10
It reports:
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20693
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;www.tfsi1.com. IN A
;; ANSWER SECTION:
www.tfsi1.com.       86400       IN       A 12.40.84.40      
;hrresources.tfsi1.com. IN MX
;; AUTHORITY SECTION:
tfsi1.com.       86400       IN       NS ns1-auth.sprintlink.net.      
tfsi1.com.       86400       IN       NS ns2-auth.sprintlink.net.      
tfsi1.com.       86400       IN       NS ns3-auth.sprintlink.net.

tfsi1.com.       86400       IN       MX 10 mail.global.frontbridge.com.
tfsi1.com.       7200       IN       SOA ns1-auth.sprintlink.net. dns-admin.sprint.net. 2004072301 43200 3600 2419200 7200

So -- it would seem to be saying that sprintlink.net name servers are authoritative.
------
Internic reports:
   Domain Name: TFSI1.COM
   Registrar: TLDS, LLC DBA SRSPLUS
   Whois Server: whois.srsplus.com
   Referral URL: http://www.srsplus.com
   Name Server: NS1-HOSTS.SRSPLUS.COM
   Name Server: NS2-HOSTS.SRSPLUS.COM
(And be aware... the expiration on that domain is    Expiration Date: 29-may-2011 !!! Just a couple weeks.)

-----
the SRSPLUS.COM name servers report:
;; ANSWER SECTION:
www.tfsi1.com.       3600       IN       A 65.162.244.77      
;; AUTHORITY SECTION:
tfsi1.com.       172800       IN       NS ns1-hosts.srsplus.com.      
tfsi1.com.       172800       IN       NS ns2-hosts.srsplus.com.
tfsi1.com.       3600       IN       SOA ns1-hosts.srsplus.com. hostmaster.srsplus.com. 1268676666 10800 3600 604800 86400
tfsi1.com.       3600       IN       MX 10 mail.global.sprint.com.
----

Once again... this specifically why I don't recommend creating zones when you aren't really authoritative... it causes troubleshooting hell.

The 'quick-fix' is to add the forwarder specificially for tfsi1.com as I recommend above.  If you are responsible for the domain, there may be some coordinating of cleanup...
0
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
I assume the ping screen shot is from the DNS server.  It's resolving hrtraining.tfsi1.com as hrtraining.tfsi1.com.fsgdmn.local.

(which srsplus says should be:
hrtraining.tfsi1.com.       3600       IN       A 63.174.109.163
And sprintnet reports it doesn't have an entry for... but it says it's authoritative.)
0
 
tfsaccountAuthor Commented:
right. the ping resovling the hrtraining.tfsi1.com.fsgdmn.local is from the dns server.
but its not doing that on my computer and i have manually put in the dns server address in my nic card settings.
0
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
If it's not working from your workstation, it's not walking thru your domain suffix.  (There is a specific term, that is escaping me at the moment.)

If you workstation is joined to the fsgdmn.local domain -- double check that in your TCP/IP, DNS settings, that you have the option selected to appending the parent suffixes.

But going back to: why your phone is able to resolve the address and folks inside your domain are not -- it's that first DNS server that your local DNS server uses as a forwarder.  Did you try putting in a separate forwarder specifically for tfsi1.com?
0
 
tfsaccountAuthor Commented:
Not sure if this is the BEST way to fix this issue. But it did work after flushing the dns on server and computer
0
 
tfsaccountAuthor Commented:
This is what i did. Thank you guys for your help! dns
0
 
setasoujiroCommented:
no prob, as i said this would be the easiest way, just remember to add/update information in dns whe you change things for that domain name
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 16
  • 13
  • 9
Tackle projects and never again get stuck behind a technical roadblock.
Join Now