Resolve Internal address with Public DNS

Posted on 2011-10-13
Last Modified: 2012-05-12
Server on Internal Network:
Private IP:
Public IP: SNAT to Internal through firewall.

Users need access publicly and privately using PDAs, laptops and desktops. The issue I am running into is via my employee WiFi. WiFi is set up to assign the user to a different VLAN in order to completely isolate WiFi traffic from my Corporate network. The DHCP scope for my WiFi VLAN assigns public DNS servers for name resolution. serverA has a public DNS record which points to the address which is NAT'd through my firewall. What is obviously happening on the WiFi is that users are hitting the public DNS record and having to make a hairpin turn to come back in through the firewall. This isn't working very well and they are getting an error stating the server can't be reached. How do I handle this? There has to be some way to establish either a route or something for a hairpin turn of this nature.
Question by:Haze0830

    Expert Comment

    Is your DNS server accessible from a machine outside the company?

    If that is so, then the external machine is accessible from external machines.
    I would add appropriate rules to your switch/router that connects to the wireless network to allow DNS lookup directly to the DNS server and point all your WiFi to the server's internal address.

    Better solution:
    Build an infrastructure Bastion Host to sit on the wireless network with one interface and the other interface in the appropriate security zone. You can lock it down to handle things like DNS/NTP and your wireless clients can use that.
    LVL 2

    Accepted Solution

    No. And I don't particularly like for my DNS servers to be accessible from the outside. I prefer to just use forwarders to my ISP's DNS servers. My public records are maintained on my web-hosts name servers.

    I got it figured out though. SNAT Loopback. I had to add a route in my firewall via a Policy to get the traffic routed correctly. It was actually pretty easy once I got on Watchguard's forums and discovered that this seems to be a common problem. I had never even heard of SNAT Loopback until now.
    LVL 2
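The mechanism behind the accepted answer, as an added illustration that is not part of the original thread and not the poster's WatchGuard configuration: a toy model of the firewall's NAT table showing why an internal WiFi client that connects to the server's public address fails without SNAT loopback and succeeds with it. All addresses (TEST-NET public address, RFC 1918 internal ranges), the port numbers, and the assumption that private-to-private traffic is routed by a core switch without ever passing through the firewall are constructed for the example.

```python
"""Toy model of hairpin NAT ("SNAT loopback") on a perimeter firewall.

The firewall DNATs PUBLIC_IP -> SERVER_INTERNAL_IP. Without SNAT loopback the
server answers the WiFi client directly (source = its private address), so the
client never sees a reply from the 4-tuple it opened and the connection fails.
With SNAT loopback the client's source is rewritten to the firewall's inside
address, the reply is forced back through the firewall, and both translations
are reversed. Addresses are constructed examples, not the poster's network.
"""
from dataclasses import dataclass
import ipaddress

PUBLIC_IP = "203.0.113.10"            # serverA's public DNS record (constructed)
FIREWALL_INTERNAL_IP = "192.168.1.1"  # firewall inside interface (constructed)
SERVER_INTERNAL_IP = "192.168.1.50"   # serverA on the corporate LAN (constructed)
SERVICE_PORT = 443

# Plain RFC 1918 check; ipaddress.is_private would also match the TEST-NET
# ranges used above as "public" addresses, so it is not used here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """DNAT for the published service, with optional hairpin SNAT."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        # key: 4-tuple as it leaves the firewall -> the packet as it arrived
        self.sessions: dict = {}

    def translate(self, pkt: Packet) -> Packet:
        if pkt.dst != PUBLIC_IP:
            return pkt
        src = pkt.src
        if self.hairpin_snat and is_rfc1918(pkt.src):
            src = FIREWALL_INTERNAL_IP  # loopback: server must reply via the firewall
        out = Packet(src, pkt.sport, SERVER_INTERNAL_IP, pkt.dport)
        self.sessions[(out.src, out.sport, out.dst, out.dport)] = pkt
        return out

    def untranslate(self, reply: Packet):
        """Reverse both translations for a reply that reached the firewall."""
        orig = self.sessions.get((reply.dst, reply.dport, reply.src, reply.sport))
        if orig is None:
            return None  # no matching NAT state: dropped
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def server_reply(pkt: Packet) -> Packet:
    """The server answers whatever source address it saw."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def deliver_reply(reply: Packet, fw: Firewall):
    # Assumption: the core switch routes between internal VLANs directly, so a
    # reply to a private address never touches the firewall or its NAT table.
    if reply.dst == FIREWALL_INTERNAL_IP or not is_rfc1918(reply.dst):
        return fw.untranslate(reply)
    return reply


def connect(client_ip: str, hairpin_snat: bool, sport: int = 51000) -> bool:
    """True when the client's TCP stack gets a reply from the 4-tuple it opened."""
    fw = Firewall(hairpin_snat)
    syn = Packet(client_ip, sport, PUBLIC_IP, SERVICE_PORT)
    reply = deliver_reply(server_reply(fw.translate(syn)), fw)
    return reply == Packet(PUBLIC_IP, SERVICE_PORT, client_ip, sport)


def server_sees(client_ip: str, hairpin_snat: bool, sport: int = 51000) -> str:
    """Source address that ends up in the server's logs."""
    fw = Firewall(hairpin_snat)
    return fw.translate(Packet(client_ip, sport, PUBLIC_IP, SERVICE_PORT)).src


if __name__ == "__main__":
    wifi, external = "192.168.50.20", "198.51.100.7"
    print("WiFi client, no loopback :", connect(wifi, False))
    print("WiFi client, SNAT loopback:", connect(wifi, True))
    print("External client           :", connect(external, False))
    print("Server logs for WiFi client with loopback:", server_sees(wifi, True))
```

`server_sees` shows the trade-off a defender should note: with SNAT loopback the server logs the firewall's inside address for every WiFi client, so per-client attribution in server logs is lost. The first expert's alternative (split DNS that hands WiFi clients the internal address) avoids the hairpin entirely and keeps the real client source address visible to the server.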

    Author Closing Comment

    Resolution in comments. Figured this out on my own.
