• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 434

Web site access from an internal network

OK, I am having an issue; as always, I am having to fix someone else's doings when it comes to this network.

Problem: the company recently purchased the support of an outside vendor to create and maintain the new website. So now the internal network is no longer hosting the website.

So the next step was to have the two A records changed to the new external IP address. Great, and the website is up and running from the external side.

You are able to access the website from everywhere across the internet, just not from the internal network.

Now here is where the problem gets interesting:

1. In the DNS Zones, the zone for that particular domain exists inside of the domain tree structure. The original records for xyz.com and www.xyz.com were deleted from the DNS zone.

So I have this DNS structure:
XYZDC1, Forward Lookup Zones; under that we have XYZ.corp, which is the main local domain, and then there is the XYZ.com zone.

I have searched all over the internet for possible solutions. I have even gone into that particular zone and created an A record for XYZ.com pointing to the new external IP address,
restarted DNS, flushed, re-registered and cleared the cache, but I am still unable to access the website from the inside.

Now, as a simple workaround in the DHCP server scope so that everyone could access the website (and it has allowed me some time to get this resolved), I added the Google DNS server as the main DNS server and all of our servers as secondary.

My thought is to delete that particular zone altogether.

But I would like some input before I do this, or whether there is a better solution to this mess that was thrown in my lap.
3 Solutions
Let me see if I'm understanding your situation. Let me know if any of the following are incorrect.
-In DNS you have two forward lookup zones, one for xyz.corp, and one for xyz.com.
-Your AD domain is xyz.corp

What records are present in the xyz.com zone? Is there such an AD domain in your organization? Do you need to resolve both "xyz.com" and "www.xyz.com" to the website?

Having Google's DNS server assigned as preferred DNS for clients will cause issues when trying to resolve any internal names.
ttorno (Author) commented:
Oh, I know all too well the ramifications of using the Google DNS server as a primary server in a domain environment, but because this is all a hodgepodge of a setup, I am the one who has to fix the issues. The external DNS was only a temporary fix so that certain people could access the website internally that day. It was just to buy me a few more hours to solve it.

The www.xyz.com zone in the DNS structure does not need to resolve anything to the outside world anymore. I went in earlier this evening and deleted 6 records out of that particular zone. I waited an hour to make sure DNS replicated properly internally, and no errors were found.

So then, around an hour before I was done for the day, I paused that particular zone across the domain and made sure nothing stopped internally.

And with a test PC, I used the primary AD/DC as the main DNS server, and was still unable to resolve the website internally.

What strikes me as funny is that if I remove the external Google DNS server from the DHCP server, restart all the services and flush everything out, every PC that is not a member of the domain but is connected to the internet is able to access the website.

The sad thing is I only have so much time during the day to work on this issue before I get pulled off to work on other "fires" for the customer base.

I have checked both firewall appliances, and even had one of the remote support people monitor the traffic to see what they could see. So with the www.xyz.com zone paused and not replicating across the domain, I should be able to focus a little more attention on the issue.

The two host records have been changed to point from our external IP address to the hosting site's external IP, and if you do a DNS lookup you see the correct IP address.
So you're saying the zone is "www.xyz.com" and not "xyz.com"? If you could provide a screenshot, that could clear up any confusion.

Pausing a zone won't allow the request to be passed on to other servers in the same way that would occur if the zone didn't exist.

Removing the unneeded zone is probably the right course, but I'm not saying it yet because of my confusion on what is currently in place.
ttorno (Author) commented:
Thank you guys for all of your input, the problem has been solved.

The problem was that I inherited this bizarre network that was not properly taken care of, so everything was built upon what the last guy did, and nothing was ever done to straighten the entire mess out.

So here goes the solution:

The internal DNS zone was xyz.corp, the main zone for the entire company, and the secondary zone was xyz.com.

So yesterday I went through both zones with a fine-tooth comb and noticed several duplicate A records, one in each zone. Well, in the zone I wanted to delete I made sure to delete several of the A records and then waited for replication. Nothing stopped, which was a major relief. So this morning I made sure I had a good solid backup of the server, and I copied down all of the remaining records so that if all failed I could reinstate them.
Once I deleted that zone, I made sure to clear all of the cached information and restart all of the services as well.
And sure enough the external website showed up, and I was able to remove the external DNS server from the DHCP scope's DNS option. All is working now.

My only problem is, I wish management would have discussed the change with the rest of the entire IT department before the changes were made, so that all of it could have been properly planned out.
I guess that is what I get when the people in charge just take off running and expect instant gratification, before finding out if there will be any repercussions from their actions...

Now off to the new fire.....
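The solution above, as an added PowerShell example that is not part of the original thread: it reproduces the diagnosis (the internal server is authoritative for a copy of the public zone, so it answers from the empty zone instead of forwarding) and the cleanup (back up the zone, delete it, clear caches, re-test, restore DHCP option 6). Every concrete value is a placeholder assumption: the DNS server name XYZDC1 and zone names xyz.corp/xyz.com come from the thread, but the vendor's address 203.0.113.10, the DHCP scope 192.168.1.0 and the internal DNS server addresses 192.168.1.10/11 are invented for the example. The cmdlets are the standard DnsServer, DnsClient and DhcpServer RSAT modules.

```powershell
# Added example, not the thread author's own commands. Run elevated on a host with
# the DnsServer, DnsClient and DhcpServer modules (RSAT or the DC itself).
# Placeholder assumptions: vendor web server, DHCP scope and DC addresses below.
$Dns      = 'XYZDC1'          # DC/DNS server from the thread
$Zone     = 'xyz.com'         # stale internal copy of the public zone
$Expected = '203.0.113.10'    # assumed vendor address (documentation range)
$ScopeId  = '192.168.1.0'     # assumed DHCP scope
$InternalDns = '192.168.1.10', '192.168.1.11'   # assumed internal DNS servers
$Public   = '8.8.8.8'

# 1. Compare the internal server with a public resolver for both host names.
#    A server that is authoritative for xyz.com answers from its own (empty)
#    zone and never forwards, so the internal column stays blank while the
#    public column shows the hosting provider's address.
foreach ($name in "$Zone", "www.$Zone") {
    $internal = Resolve-DnsName -Name $name -Type A -Server $Dns    -DnsOnly -ErrorAction SilentlyContinue
    $external = Resolve-DnsName -Name $name -Type A -Server $Public -DnsOnly -ErrorAction SilentlyContinue
    $i = ($internal | Where-Object Type -eq 'A').IPAddress -join ','
    $e = ($external | Where-Object Type -eq 'A').IPAddress -join ','
    '{0,-16} internal: {1,-18} public: {2}' -f $name, $i, $e
}

# 2. Confirm the server really is authoritative for the zone and list what is
#    left in it. Anything shown here is what deleting the zone will remove,
#    so check for internal-only hosts that live under xyz.com first.
Get-DnsServerZone -ComputerName $Dns -Name $Zone |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, IsPaused
Get-DnsServerResourceRecord -ComputerName $Dns -ZoneName $Zone |
    Select-Object HostName, RecordType,
        @{ n = 'Data'; e = { if ($_.RecordType -eq 'A') { $_.RecordData.IPv4Address } else { $_.RecordData } } }

# 3. Back the zone up to a file before deleting it. The file is written to
#    %SystemRoot%\System32\dns on the DNS server, not on the admin workstation.
Export-DnsServerZone -ComputerName $Dns -Name $Zone -FileName "$Zone.backup.dns"

# 4. Delete the zone. For an AD-integrated zone this removes it from AD and
#    replicates the deletion to every DC hosting it, so run it once, on one DC.
Remove-DnsServerZone -ComputerName $Dns -Name $Zone -Force

# 5. Clear the server cache and the local client cache, then re-test. With no
#    zone to answer authoritatively, the server forwards/recurses and should
#    now hand back the vendor's address.
Clear-DnsServerCache -ComputerName $Dns -Force
Clear-DnsClientCache
$after = (Resolve-DnsName -Name "www.$Zone" -Type A -Server $Dns -DnsOnly -ErrorAction SilentlyContinue |
          Where-Object Type -eq 'A').IPAddress
if ($after -contains $Expected) {
    "www.$Zone now resolves to $Expected via $Dns"
} else {
    Write-Warning "www.$Zone resolved to '$after', expected $Expected; check forwarders and root hints on $Dns"
}

# 6. Put DHCP option 6 back to the internal DNS servers only, so domain clients
#    stop using a public resolver that cannot see xyz.corp.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $InternalDns
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6
```

If step 2 shows records for internal hosts that must keep their xyz.com names, do not delete the zone; instead add A records for `@` and `www` in it pointing at the vendor's address (a split-horizon setup) and skip steps 3 and 4. Either way, keep public resolvers out of DHCP option 6 for domain members, since a client that asks 8.8.8.8 first will fail every xyz.corp lookup, including domain controller and Kerberos SRV records.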
ttorno (Author) commented:
Thank you all for your time and support.
ttorno (Author) commented:
Both users were able to help me look a bit closer at the issue, which was then solved.
Question has a verified solution.