Creating a DNS entry for a web site on the DMZ of the firewall

JPD153 used Ask the Experts™
I have a zone file entry for "" pointing to an external IP on my firewall.
The server has an internal IP on the DMZ side of the firewall.
The site is accessible by all users on the WAN.
However all users inside the LAN portion of the network can only access it by using the IP address instead of the url.
I understand that I need to create an internal DNS entry in my SBS 2003 server to allow for this but have no idea how.

You need to create a zone in the SBS DNS for the external domain name, and just add the single host.
Leon Fester, Senior Solutions Architect

You need to create a split DNS zone or a Pin-point zone on your DNS Server.

Taken from:
Pin-point internal zone   If creating an entire zone in the internal DNS is not an option, you can create pin-point (that is, dedicated) zones that correspond to the SRV records that are required for automatic configuration, and populate those zones using dnscmd.exe. Dnscmd.exe is required because the DNS user interface does not support creation of pin-point zones. For example, if the SIP domain is and you have a Front End pool called pool01 that contains two Front End Servers, you need the following pin-point zones and A records in your internal DNS:

Zone files is not a common term used by Windows Engineers.
So I'm guessing that it's an external zone or non-microsoft DNS server?

Is your SBS server currently your DNS server for your domain?
Then run the following commands:
dnscmd . /zoneadd <<FQDN of website>> /dsprimary
dnscmd . /recordadd <<FQDN of website>>. @ A <<ipaddress>>
N.B. In the 2nd command, the . [fullstop/period] after <<FQDN of website>> is required.

VERY N.B. Always make a backup of your DNS zones before making any changes.
dnscmd . /zoneexport <<ZoneName>> <<FileName>>


The zone files are hosted at our ISP and all is fine there.
I just need to create an entry (I think) in my SBS 2003 DNS to point to this additional web site, which is not a primary location. It is on a different IP segment (DMZ) than my internal domain, where I do not want to change anything.
My internal domain is on 192.168.10.xx; the web server is on 192.168.0.xx.
Where in the DNS tree do I need to enter the pointer?
There are two ways to accomplish this - and you've already mentioned one of them; creating an "internal" A record for the website. I'll explain the basics of that, but first, let me suggest an alternative:

"DNS Doctoring" - which is a term used often by Cisco/Juniper - or "NAT loopback" which is a term used often by Watchguard.

Essentially, what they do is quite simple and can save you a ton of time. The only question is whether your firewall supports it, and many 'current' models of small/medium business firewalls do.

On the firewall, find the NAT statement or NAT setup that you have created for your webserver. This is the IP address pair that binds your web server's external, or public IP address with your web server's real, internal or private IP address. If "DNS Doctoring" or "Nat Loopback" is supported, you should be able to insert/add an option for it there on the NAT statement or object. In Cisco syntax, the NAT statement would be similar to this:
static (Inside,Outside) webserver-outsideIP webserver-insideIP DNS


The magic word "DNS" on the end of that statement makes it all possible to browse the web sites on that web server internally, even though we're using the External URL (i.e.

I'm suggesting this method first, because it is significantly easier to setup and maintain than DNS zone file. Once you go down the road of setting up a DNS zone file to represent your public domain, you'll have to administer and maintain it indefinitely. To many, this is no big deal, and the best way to go. I'm just suggesting that for you, there may be an easier solution, as I explained above.

Here are examples of this firewall approach - using Cisco or Watchguard - but other makes and models do it too:

Watchguard:|StartTopic=Content%2Fen-US%2Fnat%2Fnat_loopback_c.html|SkinName=WSM (en-US)


As far as hosting your own private DNS zone file for your public domain: pick your internal DNS servers, the ones your company uses normally. These may be Active Directory DNS servers, or Linux/Unix BIND servers. In those servers are configuration files and possibly graphical interface tools to manage those DNS configurations. You will use them to create a new "zone file", named specifically after the root domain name of your public website. For example, if your website is:   then your zone file will be:  Following are two starting points for creating DNS zone files; one for Windows and one for Linux. I realize you have SBS 2003, but still - some folks run BIND DNS servers just the same.

Microsoft Windows (and SBS) 2003:
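To make the "DNS doctoring" / "NAT loopback" behaviour from the answer above concrete, here is an added model of what the firewall does to a DNS reply; it is example code written for this page, not the answerer's, Cisco's or Watchguard's. It assumes a constructed static NAT pair (public 203.0.113.10 to DMZ 192.168.0.20, placeholder addresses) and a constructed reply for a hypothetical www.example.com; the rewrite touches only the 4-byte A rdata, which is why the firewall can do it in line without re-encoding the packet.

```python
"""Model of firewall "DNS doctoring" / "NAT loopback" on DNS replies.

Added example, not from the thread or a vendor: an A record whose address is the
global (public) side of a static NAT entry is rewritten to the local (private)
side, so internal clients resolving the public name reach the DMZ host directly.
Addresses are constructed (RFC 5737 / RFC 1918 ranges)."""
import socket
import struct

# Constructed stand-in for `static (Inside,Outside) global local dns`.
STATIC_NAT = {"203.0.113.10": "192.168.0.20"}


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def doctor_response(msg: bytes, nat: dict = STATIC_NAT) -> bytes:
    """Rewrite matching A rdata in a raw DNS reply; A rdata is always 4 bytes,
    so the rewrite is length-preserving and no pointers need adjusting."""
    buf = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", buf, 4)
    off = 12                                  # fixed 12-byte header
    for _ in range(qdcount):                  # skip question section
        off = _skip_name(buf, off) + 4        # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # IN A
            public = socket.inet_ntoa(bytes(buf[off:off + 4]))
            if public in nat:
                buf[off:off + 4] = socket.inet_aton(nat[public])
        off += rdlen
    return bytes(buf)


def build_a_response(qname: str, ip: str) -> bytes:
    """Constructed sample reply: one question, one A answer via a name pointer."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer
```

Replies whose A record is not in the NAT table pass through unchanged, which is the check to run if internal clients still get the public address after enabling the option.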



I did use the firewall method by creating a loopback and all is fine now.
This was the easiest way and I do not feel confident mucking with my DNS.
