• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5319

Internal users can't access external website with same domain name

Hi Folks.  Here's the deal...

Internal domain is named the same as external domain <mydomain.org>
www.mydomain.org is hosted at godaddy.com
mail.mydomain.org is hosted internally.
Windows server 2008 running Exchange 2007 & IIS7.  This is also a domain controller.
Internal users hit www.mydomain.org and get the blue IIS 7 page. External users have no issues accessing it.
A record in internal DNS server points www to external website IP address.
2nd domain controller across town connected via sonicwall VPN also has an A record entry for www pointing to external website IP.

The only internal web hosting we're doing is Outlook Web Access. Can anyone tell me how I can fix this so internal clients can see the externally hosted website?

1 Solution
Brad Howe (DevOps Manager) commented:
Having an Internal Domain the same name as the External domain is called a split DNS setup. If this is true, you will need to create a www A RECORD under a forward lookup zone for mydomain.org.

Validate this assumption:
     nslookup www.domain.org    Does this yield your WAN IP or the local IP of your DC?

If so, this will be a Forward lookup A Record in your local Domain zone. To create a host or "A" record:

1. Start the DNS snap-in.
2. Click the DNS Server object for your server in the left pane of the console, and then expand the server object to expand the tree.
3. Expand Forward Lookup Zones.
4. Under Forward Lookup Zones, right-click the zone that you want (for example, mydomain.org), and then click New Host (A).
5. In the Name (uses parent domain name if blank) box, type the name of the host that you want to add.
   For example, if you want to add a host record for a web server, type www. In the IP address box, type the IP address
   of the host that you want to add. For example, type

6. Select the Create associated pointer (PTR) record check box, and then click Add Host. You receive a message similar to the following:
7. The host www.mydomain.org was successfully created.
8. Click OK.

DNS lookup check
 1. Open CMD and run the following
     nslookup www.domain.org    Should return your local webserver IP

Let us know,
RJ_Emmett (Author) commented:
I have a DNS A record entered: www points to the external IP at the ISP. nslookup comes back with the proper external IP address. So does pinging www.mydomain.org.

I don't have any reverse DNS zones created.  Should I?
Brad Howe (DevOps Manager) commented:
You need to create a forward lookup zone regardless. - Hades666
RJ_Emmett (Author) commented:
I have forward zones, no reverse zones.
Brad Howe (DevOps Manager) commented:
OK, if that is the case, what does NSLOOKUP return?

CMD> nslookup www.domain.org 

1. Internal IP
2. External IP
3. Local DC IP

What is your website Bindings setup as?

Sometimes you can get away with this by editing your hosts file (c:\windows\system32\drivers\etc\hosts) and creating an entry so that the FQDN of the external website resolves to the EXTERNAL web IP address. Start by pinging www.yourdomain.com from a PC outside of your network. Record the WAN IP result. Then use Notepad to edit the hosts file and add an entry:

x.x.x.x       www.yourdomain.com

Save the hosts file, then try hitting the site internally. If this works, you can copy the hosts file to each workstation, or create a DNS A record entry on your DNS server.

If this does not work, let me know and I will give you plan B, which is more complicated and involves creating a static route on your firewall/router device.

RJ_Emmett (Author) commented:
I'll check the nslookup info tomorrow morning and report back.  Should I be running the nslookup internally or externally?

Brad Howe (DevOps Manager) commented:
Internally, as the issue is with your internal DNS resolution.

Best Regards,
amatson78 (Sr. Security Engineer) commented:
Create a loopback for the server, a lot easier on you.
RJ_Emmett (Author) commented:
OK, so I did nslookup www.mydomain.org and the results came back like this...

Server:  localhost
Address:  ::1

Name: www.mydomain.org
Address:  123.456.789.101   (not my real IP address, but the results came back with the external IP)

Now here's another wrinkle. I noticed that the web design guy has the external IP pointing to the root of the domain. So when I hit www.mydomain.org externally, the URL switches to http://mydomain.org.

So from my understanding, it sounds like the web design guy installed the website (cPanel) into the root of the domain, thus causing all these issues.

Does that sound like a likely reason why the internal clients can't access the external domain? If so, what do I do? Can I create another A record internally that points the root domain (mydomain.org) to the external IP? Would that blow up my MX record, which points mail.mydomain.org to my internal server?

RJ_Emmett (Author) commented:
I still haven't resolved this and could use some more help, if not a lot more brain power, here.

Is there a way to forward my internal IIS7 server's www.mydomain.org site to an external IP address? I already have the DNS A record entry in my DNS server and in GoDaddy's DNS manager. Since the internal users are still getting an IIS7 splash screen when they hit www.mydomain.org, I'd like to know if any of you guys know how to install a forwarder in IIS7. I think that will fix it, but I don't know how to do it.

Or do you guys think I'm going in the wrong direction?
RJ_Emmett (Author) commented:
I found the fix for this...

The website was created in WordPress. The WordPress designer had set the website root address to mydomain.org, NOT www.mydomain.org. So, when external users hit www.mydomain.org it would repoint to mydomain.org on the GoDaddy server. Internal domain users would get the IIS7 screen.

This is because both my internal domain server and GoDaddy's name servers thought they were the SOA and would direct .mydomain.org traffic to their own DNS servers. So, internal users were hitting www.mydomain.org and my internal server was saying "oh, that's right here" instead of going out of my domain to GoDaddy. Even DNS entries on my local server weren't fixing the issue.

Here's the fix: log in to your WordPress site, then on the left-hand side of the site expand "Settings" and click on "General". Change the "WordPress Address (URL)" and "Site Address (URL)" from http://mydomain.org to http://www.mydomain.org. Then click "Save Changes". Blow away your cache and try hitting the website.

Hope that helps someone!!
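The two things this thread turns on, Brad's nslookup check of the split zone and the author's discovery that a redirect to the bare apex name sends internal clients to the domain controller, can be modelled without touching a real resolver. The script below is an added example, not code from the thread or from any of the products named in it. It parses an nslookup transcript in the shape the author posted, classifies what the answer means for a split-DNS setup, and then walks the browser's hop chain for a constructed internal zone (where the apex mydomain.org carries the DC's address, as AD-integrated zones do) against a constructed external zone. All addresses (203.0.113.10 for the hosting side, 192.168.1.5 for the DC) and the zone contents are made up for illustration.

```python
"""Split-DNS diagnosis model (added example; addresses and zones are constructed)."""
import ipaddress
import re

# --- constructed sample data; none of these values come from the thread ---
WAN_IP = "203.0.113.10"   # assumed public address of the hosted website
DC_IP = "192.168.1.5"     # assumed internal DC that also runs IIS / Exchange
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]

# Constructed nslookup transcript in the same layout the author posted.
NSLOOKUP_SAMPLE = """\
Server:  localhost
Address:  ::1

Name: www.mydomain.org
Address:  203.0.113.10
"""

def parse_nslookup(text):
    """Return (name, [addresses]) from the answer section of nslookup output.

    The first 'Address:' line belongs to the resolver itself and is skipped;
    answer addresses are only collected after a 'Name:' line. Continuation
    lines under 'Addresses:' are bare IPs, so they are accepted too.
    """
    name, addrs, in_answer = None, [], False
    for line in text.splitlines():
        m = re.match(r"\s*Name:\s*(\S+)", line)
        if m:
            name, in_answer = m.group(1), True
            continue
        if not in_answer:
            continue
        m = re.match(r"\s*Address(?:es)?:\s*(\S+)", line)
        candidate = m.group(1) if m else line.strip()
        try:
            ipaddress.ip_address(candidate)
            addrs.append(candidate)
        except ValueError:
            pass  # Aliases:, blank lines, etc.
    return name, addrs

def classify(addrs):
    """Explain what an internal resolver's answer for www means."""
    if not addrs:
        return "no-record"            # split zone lacks www: add an A record -> WAN_IP
    if WAN_IP in addrs:
        return "resolves-to-wan"      # DNS is right; if IIS still appears, look past DNS
    if any(ipaddress.ip_address(a) in n for a in addrs for n in INTERNAL_NETS):
        return "resolves-internal"    # www points at a LAN host, hence the IIS page
    return "resolves-elsewhere"

def diagnose(text):
    return classify(parse_nslookup(text)[1])

# Constructed resolver views. The AD-integrated apex record is what catches
# a redirect to the bare domain name: inside the LAN it is the DC's address.
INTERNAL_ZONE = {"www.mydomain.org": WAN_IP, "mail.mydomain.org": DC_IP,
                 "mydomain.org": DC_IP}
EXTERNAL_ZONE = {"www.mydomain.org": WAN_IP, "mydomain.org": WAN_IP}

# Constructed server behaviour keyed by the IP the browser actually reaches:
# host header -> redirect target (None means a page is served).
# Before the fix the WordPress "Site Address" is the apex, so www redirects there.
SERVERS_BEFORE = {WAN_IP: {"www.mydomain.org": "mydomain.org"}, DC_IP: {}}
SERVERS_AFTER = {WAN_IP: {"mydomain.org": "www.mydomain.org"}, DC_IP: {}}

def follow(host, zone, servers, max_hops=5):
    """Return the (hostname, ip) hops a browser takes, following redirects."""
    hops = []
    for _ in range(max_hops):
        ip = zone.get(host)
        hops.append((host, ip))
        if ip is None:
            break
        nxt = servers.get(ip, {}).get(host)
        if nxt is None or nxt == host:
            break
        host = nxt
    return hops

def lands_on_dc(hops):
    """True when the final hop is served by the internal domain controller."""
    return hops[-1][1] == DC_IP

if __name__ == "__main__":
    print("nslookup says:", diagnose(NSLOOKUP_SAMPLE))
    for label, zone, servers in [("internal, before fix", INTERNAL_ZONE, SERVERS_BEFORE),
                                 ("external, before fix", EXTERNAL_ZONE, SERVERS_BEFORE),
                                 ("internal, after fix", INTERNAL_ZONE, SERVERS_AFTER)]:
        hops = follow("www.mydomain.org", zone, servers)
        print(f"{label}: {hops} -> IIS page: {lands_on_dc(hops)}")
```

Running it shows the thread's symptom exactly: with the www A record in place the internal lookup is already correct ("resolves-to-wan"), yet the pre-fix chain goes www → 203.0.113.10 → redirect to mydomain.org → 192.168.1.5, the DC's IIS, while the same chain from outside stays on the hosting address. After the WordPress URLs are changed to www, the internal chain ends at the first hop. The practical lesson for anyone with a split zone is that a correct nslookup answer rules out DNS but not an application-level redirect to a name the internal zone resolves differently.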

RJ_Emmett (Author) commented:
See my note above
