Can't access our external web site from 1 of our locations

We have 3 separate locations not linked in any way. From our LA office we were unable to access our own web sites, spcala.com and secure.spcala.com. The IP address for both is 208.94.246.30.
I had a DNS support person help me figure out why. We never did figure out why, but he did solve the issue.
He added a Host (A) record for both entries to the DNS server. After that we could access the sites.
The difference in DNS between the 3 locations is in the attachment. I don't know why LA has the two additional forward lookup zones. They were created by a company I fired.

Any ideas what is wrong?
Attachment: DNS-LA.jpg

Asked by: J.R. Sitman
John Jennings (Owner) commented:
Are you hosting the website or ANYTHING related to those domain names on that server?

If you are 100% COMPLETELY POSITIVE, then you can delete those zones.

I can't tell you why they created them, but I can tell you what they're there for.

When you create a forward lookup zone in a Windows DNS Server, it will, by default, act 'authoritative' for that zone. What this means is that server will act as the primary DNS server for that zone. If the IP addresses/DNS records for that zone are obsolete, you'll see problems like what you've experienced.

In general, you should only have zones defined that you are actually operating services on.

If you need more detail or explanation, let me know and I'll be happy to break it down further for you.

John Jennings (Owner) commented:
I also noticed, looking at a few of your entries, that you have exchange and owa defined. It also appears as though those IP addresses are internal to your network, is that correct?

If so, the reason that those zones exist is so that name resolution for exchange.spcala.com works inside your network. Normally for a split-DNS network like you have (I can tell by the .corp) the Exchange server is configured to use its internal DNS name when a client connects to it.

External resolution names should be defined outside of a network (usually through a domain provider like GoDaddy) - and the appropriate firewall holes should be opened to route those services securely into your network.

Just something else I noticed. :)

J.R. Sitman (IT Director, Author) commented:
I do recall something about them trying to access the OWA from within. I'll make a screen shot of the two zones and delete them. Then I can add them back if necessary. Sound ok?

John Jennings (Owner) commented:
Sounds good. Just be prepared to hear users complain about their Outlook losing connection to Exchange! :)

If something does break, we can definitely put the zones back in and fix the issue for the time being, but we're going to want to make a plan about how you can resolve your DNS routing issues permanently.

J.R. Sitman (IT Director, Author) commented:
Now I'm concerned. Does one of those zones give us access to our internal Exchange server? If it's internal, why would we need this?

J.R. Sitman (IT Director, Author) commented:
What I'm asking is why would we need the other zones?

John Jennings (Owner) commented:
Okay, as simply as I can put it...

You don't need the other zones. That's not necessary for your configuration, had it been set up correctly. Your internal users should be accessing the Exchange server with its internal name *.corp. I can't tell you whether or not this is how your environment is set up. The reason I warned you is because if they're using the external name internally, as it appears they might be, you might experience an interruption to your users.

The only reason you would need those external *.com zones defined is if your DNS servers were acting authoritatively for those zones (i.e. your DNS servers were acting as the primary resolving servers for that zone for the entire internet) OR if you were doing some kind of DNS spoofing for your internal users (making records resolve for users internally while appearing as though it is internet traffic by its name; most users don't know the difference).
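As an added example (not code from the thread or from either participant), here is a PowerShell audit an admin could run on the LA DNS server before deleting such zones: it exports each locally authoritative zone for rollback, then compares every A record with a public resolver's answer, flagging records that are stale (the symptom in the question) and records that point at private addresses (the split-DNS case John describes). The zone names and the resolver address are assumptions.

```powershell
# Added example, not code from the thread. Audits zones that an internal Windows
# DNS server answers for authoritatively and compares each A record against a
# public resolver before any zone is removed. Requires the DnsServer module (RSAT)
# and must run on, or with remote access to, the DNS server in question.
$ZonesToAudit   = @('spcala.com', 'secure.spcala.com')   # assumption: zone names from the thread
$PublicResolver = '1.1.1.1'                              # assumption: any public resolver works

# RFC 1918 check: an A record in a public zone that points at a private address is
# the split-DNS pattern described in the thread (internal resolution for owa/exchange).
function Test-PrivateIPv4 {
    param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or ($o[0] -eq 192 -and $o[1] -eq 168)
}

foreach ($zoneName in $ZonesToAudit) {
    $zone = Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue
    if (-not $zone) { Write-Host "[$zoneName] not hosted on this server, nothing to audit"; continue }

    # A Primary zone means this server answers as authoritative and never forwards
    # for names under it, so stale records here silently override the internet's view.
    Write-Host "[$zoneName] ZoneType=$($zone.ZoneType) DynamicUpdate=$($zone.DynamicUpdate)"

    # Export first: a restorable zone file instead of a screenshot.
    Export-DnsServerZone -Name $zoneName -FileName "$zoneName.audit.dns"

    foreach ($rr in Get-DnsServerResourceRecord -ZoneName $zoneName -RRType A) {
        $fqdn = if ($rr.HostName -eq '@') { $zoneName } else { "$($rr.HostName).$zoneName" }
        $internalIp = $rr.RecordData.IPv4Address.IPAddressToString
        $publicIps  = @(Resolve-DnsName -Name $fqdn -Type A -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue |
                        Where-Object { $_.QueryType -eq 'A' } | ForEach-Object { $_.IPAddress })

        if (Test-PrivateIPv4 $internalIp) {
            $verdict = 'PRIVATE address: split-DNS record, internal clients depend on it'
        } elseif ($publicIps.Count -eq 0) {
            $verdict = 'public resolvers know no such name: local-only record'
        } elseif ($publicIps -contains $internalIp) {
            $verdict = 'matches public DNS: redundant but harmless'
        } else {
            $verdict = "STALE: public DNS says $($publicIps -join ', ')"
        }
        Write-Host ("  {0,-30} {1,-16} {2}" -f $fqdn, $internalIp, $verdict)
    }
}
```

Only when every record in a zone reports as redundant or stale is the zone safe to drop with Remove-DnsServerZone; a PRIVATE verdict means internal clients are using the external name and will lose resolution, which is exactly the Outlook interruption John warns about.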

J.R. Sitman (IT Director, Author) commented:
I deleted the two zones before the users got to work and had "zero" problems. So you were correct.

John Jennings (Owner) commented:
Glad I could help!

J.R. Sitman (IT Director, Author) commented:
Thanks