Mark asked:

Cannot see public domain from linux host on SBS domain

I have 2 Linux hosts on a LAN: webserver, ohprsstorage. The SBS2008 domain controller is also the LAN DNS server. The local Windows domain name is hprs.local. The public domain is ohprs.org. The domain controller's LAN IP is 192.168.0.2. Both Linux hosts have this IP configured in the /etc/resolv.conf file.

On Linux host ohprsstorage, I can look up linux host webserver on the local domain:

$ nslookup webserver
Server:         192.168.0.2
Address:        192.168.0.2#53

Name:   webserver.hprs.local
Address: 192.168.0.3

$ nslookup webserver.hprs.local
Server:         192.168.0.2
Address:        192.168.0.2#53

Name:   webserver.hprs.local
Address: 192.168.0.3

However, I cannot look up the webserver's public FQDN:

$ nslookup webserver.ohprs.org
Server:         192.168.0.2
Address:        192.168.0.2#53

** server can't find webserver.ohprs.org: NXDOMAIN

If I specify an external DNS (not the domain controller) I can look up the public FQDN:

$ nslookup webserver.ohprs.org 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   webserver.ohprs.org
Address: 64.129.23.95

I can also successfully do this from any external host (which the reader can verify). What is wrong? Why can my Linux hosts *NOT* look up the ohprs.org public domain? I'm suspecting a problem with the SBS2008 DNS server setup, as I believe it must be its job to resolve these domain names.

Last comment: Mark, 8/22/2022 (Mon)
Cris Hanna

This is called split DNS... you'll need to add an A record in the SBS DNS server to point webserver.ohprs.org to the internal IP of 192.168.0.3.

So when you are inside the network you get to the FQDN via an internal IP, and when external it comes in via the public IP.

It's generally NOT recommended to host your public website internally, at least not on the same subnet as the business network. Too easy to hack and gain access to your domain controller and all your business data.
Mark (asker)

CrisHanna, thanks for the response. There *is* an A record on the SBS DNS for webserver (see image) for IP 192.168.0.3. Are you saying I need another A record for webserver.ohprs.org?

There are two public hosts for domain ohprs.org: mail.ohprs.org which is the SBS 2008 server (and despite its hostname does not handle incoming mail), and webserver.ohprs.org. Both of these have A records at Network Solutions.

As stated in my initial post, another LAN Linux host, ohprsstorage, cannot find webserver.ohprs.org:

$ nslookup webserver.ohprs.org
Server:         192.168.0.2
Address:        192.168.0.2#53

** server can't find webserver.ohprs.org: NXDOMAIN

Yet it *can* find mail.ohprs.org:

$ nslookup mail.ohprs.org
Server:         192.168.0.2
Address:        192.168.0.2#53

Name:   mail.ohprs.org
Address: 192.168.0.2

Why can it find the one, but not the other? If I have to create another A record for webserver.ohprs.org, I'll be happy to do that. I'm just trying to understand the "why".

> It's generally NOT recommended to host your public website internally, At least not on the same subnet as the business network.

The website is a portal and needs access to the database server for public (but member's only) database queries and updates. No choice about that. I think the firewall on the webserver is pretty robust -- only necessary ports are opened and I have scripts that check for attempted break-ins and block the offending IPs. We do get several hundred attempted break-ins per month, mostly from China.
[attachment: DNS-Arecord.jpg]
Cris Hanna

Looking at the screenshot that you have for your DNS server, you have a zone for mail.ohprs.org and you have a zone for ohprs.org.

I can't imagine why you have those two zones in addition to hprs.local, as that is not standard. And since I can't see those two zones expanded, it's hard to know what's in there to be able to explain what is happening.

The webserver record you have circled is for the hprs.local domain, not the ohprs.org domain.
Mark (asker)

The first attached image has the expansions for the mail.ohprs.org zone and the ohprs.org zone. I can't say that I recall setting any of this up by hand.

The ohprs.org expansion shows two of the hosts in the ohprs.org domain with public IPs. I'm guessing that these are automatically updated from the upstream DNS originating from Network Solutions? See the 2nd attached image for all A records at Network Solutions for this domain. The host named "phonetree" is a Windows XP computer located in the same building, but not physically connected to the office LAN and not part of the Windows SBS 'domain' (no Active Directory, etc.). Likewise, the host labeled 'www' is the Linux webserver (webserver.ohprs.org / webserver.hprs.local), which is physically connected to the SBS LAN, but no Active Directory, etc.

Indeed, from within the LAN I can ping/nslookup www.ohprs.org (which is in the ohprs.org zone), but cannot ping/nslookup webserver.ohprs.org, which is listed at Network Solutions but is not in the SBS DNS ohprs.org zone. From external computers (not using 192.168.0.2 as the DNS server), I *can* ping/nslookup webserver.ohprs.org.

So, I'm coming to the conclusion that if an IP has multiple FQDNs, the SBS DNS will only register one of them. Thus, it is snagging www.ohprs.org from Network Solutions, but not webserver.ohprs.org. Does that seem correct?

That conclusion is reinforced by the absence of bu6500.ohprs.org. The host 64.129.23.99 actually hosts multiple domain hosts including mail.courtscan.com.

So, is this SBS DNS setup WRONG and if so, how do I fix it? How do I get the ohprs.org zone to cache multiple names for the same IP?
[attachment: ohprsZones.jpg]
[attachment: networkSolution.jpg]
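The symptom the thread is chasing (NXDOMAIN from the SBS server, an answer from 8.8.8.8) is the signature of a split-horizon zone that is missing a record: the internal server is authoritative for ohprs.org, so it answers NXDOMAIN itself instead of forwarding, and Cris Hanna's fix is to add the missing A record with the LAN address. The script below is an added example, not code from the thread or from SBS; it parses nslookup transcripts from an internal and an external resolver, classifies how they disagree, and prints the A record to add to the internal zone. The sample transcripts are constructed from the output quoted in the thread; the hostnames, the LAN address 192.168.0.3 and the resolver addresses are taken from the posts, and the `live_lookup` helper (which shells out to the real nslookup binary) is an assumption about the local tooling and needs network access.

```python
import subprocess
from dataclasses import dataclass
from typing import Tuple

# Constructed nslookup transcripts, shaped like the ones quoted in the thread.
INTERNAL_NXDOMAIN = """Server:         192.168.0.2
Address:        192.168.0.2#53

** server can't find webserver.ohprs.org: NXDOMAIN
"""
EXTERNAL_PUBLIC = """Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   webserver.ohprs.org
Address: 64.129.23.95
"""
INTERNAL_AFTER_FIX = """Server:         192.168.0.2
Address:        192.168.0.2#53

Name:   webserver.ohprs.org
Address: 192.168.0.3
"""


@dataclass(frozen=True)
class Answer:
    name: str
    server: str
    addresses: Tuple[str, ...]  # empty when the resolver returned no A record
    nxdomain: bool


def parse_nslookup(name: str, output: str) -> Answer:
    """Parse nslookup's text output for a forward (A) lookup.

    The leading 'Server:'/'Address:' pair names the resolver (note the '#53'
    port suffix); only 'Address:' lines that follow a 'Name:' line are answer
    records.  NXDOMAIN appears as a line starting with "** server can't find".
    """
    server, addresses, nxdomain, seen_name = "", [], False, False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            server = line.split(":", 1)[1].strip()
        elif line.startswith("Name:"):
            seen_name = True
        elif line.startswith("Address:") and seen_name:
            addresses.append(line.split(":", 1)[1].strip())
        elif line.startswith("** server can't find") and "NXDOMAIN" in line:
            nxdomain = True
    return Answer(name, server, tuple(addresses), nxdomain)


def classify(internal: Answer, external: Answer) -> str:
    """Say how the internal and external views of one name differ."""
    if internal.nxdomain and external.addresses:
        # The internal server is authoritative for the zone, so it does not
        # forward: NXDOMAIN here means the record is missing from the zone.
        return "missing-internal"
    if internal.addresses and not external.addresses:
        return "internal-only"
    if not internal.addresses and not external.addresses:
        return "unresolvable"
    if set(internal.addresses) == set(external.addresses):
        return "same"
    # Both answer with different addresses: the intended split-horizon state.
    return "split"


def suggested_record(name: str, zone: str, lan_ip: str) -> str:
    """A record to add to the internal copy of `zone` so `name` gets its LAN IP."""
    if not name.endswith("." + zone):
        raise ValueError(f"{name} is not inside zone {zone}")
    label = name[: -(len(zone) + 1)]
    return f"{label}  A  {lan_ip}"


def live_lookup(name: str, server: str) -> Answer:
    """Query a chosen resolver with the real nslookup binary (assumed present)."""
    proc = subprocess.run(["nslookup", name, server], capture_output=True, text=True)
    return parse_nslookup(name, proc.stdout + proc.stderr)


if __name__ == "__main__":
    name = "webserver.ohprs.org"
    inside = parse_nslookup(name, INTERNAL_NXDOMAIN)
    outside = parse_nslookup(name, EXTERNAL_PUBLIC)
    verdict = classify(inside, outside)
    print(f"{name}: {verdict} (internal={inside.addresses}, external={outside.addresses})")
    if verdict == "missing-internal":
        print("add to zone ohprs.org:", suggested_record(name, "ohprs.org", "192.168.0.3"))
    print("after fix:", classify(parse_nslookup(name, INTERNAL_AFTER_FIX), outside))
```

Run against live resolvers by swapping the constructed transcripts for `live_lookup(name, "192.168.0.2")` and `live_lookup(name, "8.8.8.8")` for every public name in the registrar's zone; each `missing-internal` result is a record to add, and `split` is the expected end state, as the thread's final nslookup shows.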
Accepted solution: Cris Hanna

Mark (asker)

It looks like your option 1 did the trick. I added an A record for webserver to the ohprs.org zone (see image). Now the Linux host ohprsstorage can find its neighbor webserver:

$ nslookup webserver.ohprs.org
Server:         192.168.0.2
Address:        192.168.0.2#53

Name:   webserver.ohprs.org
Address: 192.168.0.3

I think that takes care of that problem. Thanks.
[attachment: webserverArecord.jpg]