Cannot see public domain from linux host on SBS domain

I have 2 Linux hosts on a LAN: webserver, ohprsstorage. The SBS2008 domain controller is also the LAN DNS server. The local Windows domain name is hprs.local. The public domain is ohprs.org. The domain controller's LAN IP is 192.168.0.2. Both Linux hosts have this IP configured in the /etc/resolv.conf file.

On Linux host ohprsstorage, I can look up Linux host webserver on the local domain:

$ nslookup webserver
Server:         192.168.0.2
Address:        192.168.0.2#53

Name:   webserver.hprs.local
Address: 192.168.0.3

$ nslookup webserver.hprs.local
Server:         192.168.0.2
Address:        192.168.0.2#53

Name:   webserver.hprs.local
Address: 192.168.0.3

However, I cannot look up the webserver's public FQDN:

$ nslookup webserver.ohprs.org
Server:         192.168.0.2
Address:        192.168.0.2#53

** server can't find webserver.ohprs.org: NXDOMAIN

If I specify an external DNS (not the domain controller) I can look up the public FQDN:

$ nslookup webserver.ohprs.org 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   webserver.ohprs.org
Address: 64.129.23.95

I can also successfully do this from any external host (which the reader can verify). What is wrong? Why can my Linux hosts *NOT* look up the ohprs.org public domain? I'm suspecting a problem with the SBS2008 DNS server setup, as I believe it must be its job to resolve these domain names.
Mark asked:
Cris Hanna (Sr IT Support Engineer) commented:
This is called split DNS... you'll need to add an A record in the SBS DNS server for webserver.ohprs.org with the internal IP of 192.168.0.3.

So when you are inside the network you get to the FQDN via an internal IP, and when external it comes in via the public IP.

It's generally NOT recommended to host your public website internally, at least not on the same subnet as the business network. Too easy to hack and gain access to your domain controller and all your business data.

Mark (Author) commented:
CrisHanna, thanks for the response. There *is* an A record on the SBS DNS for webserver (see image) for IP 192.169.0.3. Are you saying I need another A record for webserver.ohprs.org?

There are two public hosts for domain ohprs.org: mail.ohprs.org which is the SBS 2008 server (and despite its hostname does not handle incoming mail), and webserver.ohprs.org. Both of these have A records at Network Solutions.

As stated in my initial post, another LAN Linux host, ohprsstorage, cannot find webserver.ohprs.org:

$ nslookup webserver.ohprs.org
Server:         192.168.0.2
Address:        192.168.0.2#53

** server can't find webserver.ohprs.org: NXDOMAIN

Yet it *can* find mail.ohprs.org:

$ nslookup mail.ohprs.org
Server:         192.168.0.2
Address:        192.168.0.2#53

Name:   mail.ohprs.org
Address: 192.168.0.2

Why can it find the one, but not the other? If I have to create another A record for webserver.ohprs.org, I'll be happy to do that. I'm just trying to understand the "why".

> It's generally NOT recommended to host your public website internally, At least not on the same subnet as the business network.

The website is a portal and needs access to the database server for public (but members-only) database queries and updates. No choice about that. I think the firewall on the webserver is pretty robust -- only necessary ports are opened and I have scripts that check for attempted break-ins and block the offending IPs. We do get several hundred attempted break-ins per month, mostly from China.
DNS-Arecord.jpg
Cris Hanna (Sr IT Support Engineer) commented:
Looking at the screen shot that you have for your DNS server, you have a zone for mail.ohprs.org and you have a zone for ohprs.org.

I can't imagine why you have those two zones in addition to the hprs.local, as that is not standard. And since I can't see those two zones expanded, it's hard to know what's in there to be able to explain what is happening.

The webserver record you have circled is for the hprs.local domain, not the ohprs.org domain.

Mark (Author) commented:
The first attached image has the expansions for the mail.ohprs.org zone and the ohprs.org zone. I can't say that I recall setting any of this up by hand.

The ohprs.org expansion shows two of the hosts in the ohprs.org domain with public IPs. I'm guessing that these are automatically updated from the upstream DNS originating from Network Solutions? See 2nd attached image for all A records at Network Solutions for this domain. The host named "phonetree" is a Windows XP computer located in the same building, but not physically connected to the office LAN and not part of the Windows SBS 'domain' (no Active Directory, etc.). Likewise, the host labeled 'www' is the Linux webserver (webserver.ohprs.org / webserver.hprs.local), which is physically connected to the SBS LAN, but no Active Directory, etc.

Indeed, from within the LAN I can ping/nslookup www.ohprs.org (which is in the ohprs.org zone), but cannot ping/nslookup webserver.ohprs.org, which is listed at Network Solutions but is not in the SBS DNS ohprs.org zone. From external computers (not using 192.168.0.2 as the DNS server), I *can* ping/nslookup webserver.ohprs.org.

So, I'm coming to the conclusion that if an IP has multiple FQDNs, the SBS DNS will only register one of them. Thus, it is snagging www.ohprs.org from Network Solutions, but not webserver.ohprs.org. Does that seem correct?

That conclusion is reinforced by the absence of bu6500.ohprs.org. The host 64.129.23.99 actually hosts multiple domain hosts including mail.courtscan.com.

So, is this SBS DNS setup WRONG and if so, how do I fix it? How do I get the ohprs.org zone to cache multiple names for the same IP?
ohprsZones.jpg
networkSolution.jpg
Cris Hanna (Sr IT Support Engineer) commented:
Your SBS server DNS should not be getting any kind of replication from Network Solutions. It is not listed as one of the authoritative DNS servers for ohprs.org; Network Solutions is providing all that functionality. I'm attaching a picture of my DNS forward lookup zones. I was incorrect about the mail.ohprs.org not supposed to be there... it is, and it is created by the "Setup your Internet Address" wizard, but notice that it points to a local IP, as it does in your setup.

You have two options to fix your issue.
1. Add an A record called webserver under the ohprs.org zone and point it to the internal IP (just like mail.ohprs.org is)
OR
2. Remove JUST the ohprs.org zone from your SBS server, then at a command prompt run IPCONFIG /flushdns on both the servers and workstations, and then reboot

With option number two, when internal users try to go to webserver.ohprs.org, that zone does not exist and the server will send the request out to public DNS servers, which will find the record for webserver.ohprs.org pointing to the public IP.

The DNS server in SBS was intended to act as an "authoritative" DNS server for public domains.

Either option will get you there.
sbs-dns.png
Mark (Author) commented:
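As an added example (not code from the thread), a small Python model of the split-DNS behaviour behind both the original question and this answer: the SBS server is authoritative for its ohprs.org zone, so a name missing from that zone is answered NXDOMAIN rather than forwarded, and either of the two fixes above makes the name resolve. Zone data is constructed from the thread; the public IP for www.ohprs.org is an assumption.

```python
NXDOMAIN = "NXDOMAIN"

# Constructed from the thread: what Network Solutions publishes for ohprs.org
# (the www IP is an assumption; the thread says www is the same Linux box).
PUBLIC_DNS = {
    "webserver.ohprs.org": "64.129.23.95",
    "www.ohprs.org": "64.129.23.95",
    "bu6500.ohprs.org": "64.129.23.99",
}

# Zones the SBS server answers for authoritatively (mirrors the screenshots:
# webserver.ohprs.org is absent from the ohprs.org zone).
SBS_ZONES = {
    "hprs.local": {"webserver.hprs.local": "192.168.0.3"},
    "mail.ohprs.org": {"mail.ohprs.org": "192.168.0.2"},
    "ohprs.org": {"www.ohprs.org": "64.129.23.95"},
}

class SplitResolver:
    """A resolver that is authoritative for some zones and forwards everything else."""

    def __init__(self, zones, forwarder, search="hprs.local"):
        self.zones = {z: dict(rr) for z, rr in zones.items()}  # private copy
        self.forwarder = forwarder  # the answers 8.8.8.8 gave in the thread
        self.search = search        # resolv.conf search suffix for short names

    def authoritative_zone(self, name):
        # Longest suffix wins, so the mail.ohprs.org zone beats ohprs.org for that name.
        matches = [z for z in self.zones if name == z or name.endswith("." + z)]
        return max(matches, key=len) if matches else None

    def resolve(self, name):
        name = name.rstrip(".").lower()
        if "." not in name:  # "nslookup webserver" -> webserver.hprs.local
            name = f"{name}.{self.search}"
        zone = self.authoritative_zone(name)
        if zone is not None:
            # Authoritative for the zone: a missing name is NXDOMAIN, never forwarded.
            return self.zones[zone].get(name, NXDOMAIN)
        return self.forwarder.get(name, NXDOMAIN)

def split_dns_gaps(resolver, public):
    """Names that resolve publicly but give NXDOMAIN internally (the thread's symptom)."""
    return sorted(n for n in public if resolver.resolve(n) == NXDOMAIN)

def fix_add_record(resolver):  # option 1: add webserver to the ohprs.org zone
    resolver.zones["ohprs.org"]["webserver.ohprs.org"] = "192.168.0.3"

def fix_drop_zone(resolver):   # option 2: drop the zone so the forwarder answers
    del resolver.zones["ohprs.org"]
```

Note that after option 2 internal clients get the public IP 64.129.23.95 for webserver.ohprs.org, so their traffic has to hairpin through the firewall, whereas option 1 keeps it on the LAN.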
It looks like your option 1 did the trick. I added an A record for webserver to the ohprs.org zone (see image). Now the Linux host ohprsstorage can find its neighbor webserver:

$ nslookup webserver.ohprs.org
Server:         192.168.0.2
Address:        192.168.0.2#53

Name:   webserver.ohprs.org
Address: 192.168.0.3

I think that takes care of that problem. Thanks.
webserverArecord.jpg