Solved

Public Website Name Resolution Problem in a Split DNS Zone

Posted on 2014-07-22
Last Modified: 2014-07-23
I have a site with a domain.local AD site name and an internal DNS zone set up for their public domain.com in order to support their onsite Exchange Server.

I've added a www pointer to the internal DNS (domain.com zone) for the IP address that is returned when their public website is pinged from outside their domain.  While that approach seems to work 99% of the time, in this case they must be on a shared hosting plan as the IP address pointer only gets the internal users to the website hosting site and not to their particular website.

Short of changing their hosting plan, is there a workaround to implement?

Thanks,

J
Question by:Qualitycomputer
18 Comments
 
LVL 40

Expert Comment

by:footech
ID: 40213130
If internet users access the site by using "www.domain.com", and a DNS query to public DNS servers shows that www.domain.com resolves to xxx.xxx.xxx.xxx, then creating the same record in your internal DNS should function exactly the same way.  The only time I've heard of a case where this wasn't happening was because the hosting provider was blocking the company's IP address.
Author Comment

by:Qualitycomputer
ID: 40213174
When I ping www.customer.com from the network-tools.com ping utility I get one IP address, but when I ping it from a command prompt from my workstations the value that is returned is the IP address(es) of the web host.
LVL 40

Expert Comment

by:footech
ID: 40213209
Run the following commands at your workstation and post back the results (substituting for the correct domain).  Feel free to obfuscate the results, but leave enough info so that it's not meaningless.
nslookup www.domain.com. 8.8.8.8
nslookup www.domain.com.


Author Comment

by:Qualitycomputer
ID: 40213928
nslookup www.customer.org 8.8.8.8:

Non-authoritative answer:
www.customer.org      canonical name = customer.org.
Name:      customer.org
Address: 66.155.12.238
Name:      customer.org
Address: 66.155.19.238
Name:      customer.org
Address: 192.0.82.250
Name:      customer.org
Address: 76.73.254.123
Name:      customer.org
Address: 76.73.254.120
Name:      customer.org
Address: 192.0.82.250

nslookup without 8.8.8.8 yields the same results.

Does this offer any clues?
LVL 10

Expert Comment

by:EdTechy
ID: 40214513
Unless I am not understanding your issue correctly, your internal dns should point to the internal (private) address of the Exchange server.
Also try nslookup www.customer.org using the internal dns ip address.
Another thing to check.. make sure the client is actually pointing to the internal dns server.

Author Comment

by:Qualitycomputer
ID: 40214642
There is already an entry in the internal customer.org DNS zone with the internal IP address of the Exchange Server.  That part works well and is not related to the web site problem.  The www pointer seems to be the problem.  I've edited that internal www pointer to several of the public IPs returned by the NSLookup but they all just point to the general site of the Web host (WordPress) and not to the specific page for my client's web site.  

I've seen such behavior in the past when a customer is on a shared hosting plan and doesn't have a dedicated IP address which points to their home page.  That's why I'm looking for either a workaround or a reason why it works over public DNS but not with the static, private DNS entry.
LVL 10

Expert Comment

by:EdTechy
ID: 40214707
You may want to call the ISP and see exactly where to point your cname entry for www in your internal dns.
I have a hosted plan and I have a CNAME pointing to the host by name myhost.net. They then route all requests to our site on their end.
LVL 40

Expert Comment

by:footech
ID: 40214766
Looks like the public records have www.customer.org as a CNAME record which points to customer.org, and then there are several A records for customer.org for the different IPs.  I would duplicate that setup in your internal DNS.  Your hosting provider probably uses host headers to detect which site should be presented, so as long as the right name is being queried the right site should be returned.  My guess here is that your site is tied to the host header "customer.org" instead of "www.customer.org", so if you just have an A record for www.customer.org which points at the IP, the right name isn't being presented.  If you were to just try browsing to "customer.org" (assuming you have an A record for it) it should work.
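A worked illustration of the host-header behaviour footech describes, added here and not part of the thread: a small Python model of a shared web host choosing which site to serve from the HTTP Host header. The vhost table, site names and request bytes are constructed for the example; the provider's real configuration is not known from the thread.

```python
"""Name-based virtual hosting on a shared IP (added example, not from the thread).

Many sites share one address; the web server picks the site from the Host
header the browser sends. The browser sends the name the user typed, so a DNS
change that only alters which IP a name resolves to never changes that header.
"""
from __future__ import annotations

# Constructed vhost table for one shared IP: Host header value -> site served.
# Assumption for the example: the hosting provider registered the site only
# under "customer.org", not "www.customer.org".
VHOSTS = {
    "customer.org": "customer-site",
    "otherclient.example": "otherclient-site",
}
DEFAULT_SITE = "provider-landing-page"


def parse_host_header(raw_request: bytes) -> str | None:
    """Return the normalised Host header from a raw HTTP/1.x request, or None.

    Header-name matching is case-insensitive; the value is lower-cased, an
    optional ":port" suffix is removed, and a trailing dot is stripped.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.startswith("["):              # bracketed IPv6 literal
                end = host.find("]")
                host = host[: end + 1] if end != -1 else host
            elif ":" in host:
                host = host.rsplit(":", 1)[0]
            return host.rstrip(".")
    return None


def select_site(raw_request: bytes, vhosts: dict[str, str] = VHOSTS,
                default: str = DEFAULT_SITE) -> str:
    """Pick the site a shared host would serve for this request."""
    host = parse_host_header(raw_request)
    if host is None:
        return "400-bad-request"                  # HTTP/1.1 requires Host
    return vhosts.get(host, default)


def build_request(hostname: str, path: str = "/") -> bytes:
    """Constructed request, as a browser sends it for the name that was typed."""
    return (f"GET {path} HTTP/1.1\r\nHost: {hostname}\r\n"
            f"User-Agent: example\r\n\r\n").encode()


if __name__ == "__main__":
    # Same IP, same site table: only the name in the Host header differs.
    for name in ("customer.org", "www.customer.org", "WWW.CUSTOMER.ORG:80"):
        print(f"{name:22} -> {select_site(build_request(name))}")
    # The fix on the hosting side is to register the www name for the site too.
    fixed = {**VHOSTS, "www.customer.org": "customer-site"}
    print("with www alias added   ->", select_site(build_request("www.customer.org"), fixed))
```

The useful check from a workstation is the same one the model makes: connect to the shared IP and vary only the Host header (for example with `curl -H "Host: customer.org" http://<shared-ip>/` against `-H "Host: www.customer.org"`); if the two return different sites, the DNS records are correct and the missing alias is in the hosting configuration.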

Author Comment

by:Qualitycomputer
ID: 40214795
Footech,

So to follow your advice should I add a CNAME entry to the internal DNS zone?  If so, which of those various IP addresses returned from the NSLookup would I use?  Can I add more than one "A" record with a www pointer or more than one IP address per "A" record?

If it's not too much trouble, please show me an example of the syntax for a CNAME entry.  This is going to be added to a Windows 2008 AD server.
LVL 10

Assisted Solution

by:EdTechy
EdTechy earned 250 total points
ID: 40214896
Yes I would add a CNAME to your internal dns. You will use customer.org not an ip address.
Within your customer.org zone make a New Alias(CNAME)
Alias name www
Fully qualified domain name...
customer.org
LVL 40

Accepted Solution

by:footech
footech earned 250 total points
ID: 40214912
Yes, in the customer.org zone, add a CNAME record with the alias "www" and the FQDN of the target will be "customer.org".  You shouldn't have any A records for "www.customer.org", only for "customer.org".  You can have multiple A records for the same name, and each will point to a different IP.
Author Comment

by:Qualitycomputer
ID: 40215060
Thank you both EdTechy and Footech.  I added a CNAME record of "www" to the internal dns zone. That was easy.
Adding the individual IP addresses from the NSLookup query isn't going well though.  When I try to create an "A" record without a title I receive an error message from the DNS editor stating that "The host record 'domain.org' cannot be created.  Node is a CNAME DNS record".  

That doesn't happen if I add a www or some other prefix to the "A" record and specify an IP address.  I guess I don't know how to add the "A" record so that it is for "customer.org" and not for "www.customer.org" as Footech advised.
Author Comment

by:Qualitycomputer
ID: 40215083
I added all of the IP addresses from the NSLookup as "www" "A" records and, along with the CNAME entry, that worked.  Should I be concerned that I added 5 "www" records to the zone, or should I just call it good?

Many thanks,

J
LVL 10

Expert Comment

by:EdTechy
ID: 40215128
I don't think you need any of the A records as long as you have the cname. If internally you can get to www.customer.org without the A records, I would remove them just to keep your dns clean.
LVL 40

Expert Comment

by:footech
ID: 40215141
The only time you get that error message is when you try to create an A record with the same name as a CNAME record.  Here's an example of what you should have.
[image: DNS records]
I don't see how it's possible for you to have added the A records for "www" if you have the CNAME for "www" as well.
LVL 40

Expert Comment

by:footech
ID: 40215150
@EdTechy - without the A records the DNS wouldn't resolve to an IP.  Since the zone is present on the local DNS, the query wouldn't be sent on to forwarders or root hints to be resolved.
Author Comment

by:Qualitycomputer
ID: 40215201
I deleted all of the new DNS additions and started over to see if the "A" records were needed.  Footech is correct -- you need the "A" records in addition to the CNAME record.  Thanks again!
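A worked illustration of the zone layout in the accepted solution and of footech's point about authoritative zones, added here and not part of the thread (plain Python, not Windows DNS tooling): a tiny model of the internal customer.org zone that refuses other records at a node holding a CNAME (the "Node is a CNAME DNS record" error), follows the www CNAME to the apex A records, and returns an empty answer rather than forwarding when the apex has no A records. The addresses are the ones posted above; the class and function names and the SOA/NS placeholder values are assumptions made for the example.

```python
"""Split-DNS zone model (added example, not from the thread).

Two rules are modelled: a node that holds a CNAME may hold no other data
(RFC 1034 section 3.6.2), and an authoritative server answers only from the
zone it holds, so a CNAME whose target is inside the same zone needs A records
there; nothing is passed on to forwarders or root hints.
"""
from __future__ import annotations


class RecordConflict(Exception):
    """Raised when a record would coexist with a CNAME at the same node."""


class Zone:
    """One authoritative zone; nodes are keyed relative to the origin ('@' = apex)."""

    def __init__(self, origin: str):
        self.origin = origin.rstrip(".").lower()
        # Placeholder SOA/NS so the apex node exists, as it does in every real zone.
        self.nodes: dict[str, dict[str, list[str]]] = {
            "@": {"SOA": [f"ns1.{self.origin}. hostmaster.{self.origin}. 1 3600 600 86400 300"],
                  "NS": [f"ns1.{self.origin}."]},
        }

    def add(self, node: str, rrtype: str, rdata: str) -> None:
        rrtype = rrtype.upper()
        rrs = self.nodes.setdefault(node.lower(), {})
        if "CNAME" in rrs:
            raise RecordConflict(f"'{node}' cannot hold {rrtype}: node is a CNAME record")
        if rrtype == "CNAME" and rrs:
            raise RecordConflict(f"'{node}' already holds {sorted(rrs)}; cannot add CNAME")
        rrs.setdefault(rrtype, []).append(rdata)

    def _node_for(self, fqdn: str) -> str | None:
        name = fqdn.rstrip(".").lower()
        if name == self.origin:
            return "@"
        suffix = "." + self.origin
        return name[: -len(suffix)] if name.endswith(suffix) else None

    def resolve(self, fqdn: str, rrtype: str = "A", max_chain: int = 8) -> tuple[str, list[str]]:
        """Answer as an authoritative server would, chasing CNAMEs inside this zone only.

        Status is NOERROR, NODATA, NXDOMAIN, OUT-OF-ZONE (target lies elsewhere and a
        recursor would have to chase it) or SERVFAIL (CNAME loop / chain too long).
        """
        rrtype = rrtype.upper()
        for _ in range(max_chain):
            node = self._node_for(fqdn)
            if node is None:
                return "OUT-OF-ZONE", []
            rrs = self.nodes.get(node)
            if rrs is None:
                return "NXDOMAIN", []
            if rrtype in rrs:
                return "NOERROR", list(rrs[rrtype])
            if "CNAME" in rrs:
                fqdn = rrs["CNAME"][0]       # follow the alias and try again
                continue
            return "NODATA", []
        return "SERVFAIL", []


def build_internal_zone() -> Zone:
    """The layout the accepted answer describes: www is a CNAME, the apex holds the A records."""
    z = Zone("customer.org")
    z.add("www", "CNAME", "customer.org.")
    for ip in ("66.155.12.238", "66.155.19.238", "192.0.82.250",
               "76.73.254.123", "76.73.254.120"):
        z.add("@", "A", ip)
    return z


def try_add(zone: Zone, node: str, rrtype: str, rdata: str) -> str:
    """Report an add attempt the way the DNS editor would, without raising."""
    try:
        zone.add(node, rrtype, rdata)
        return "ok"
    except RecordConflict as e:
        return f"refused: {e}"


if __name__ == "__main__":
    zone = build_internal_zone()
    print(zone.resolve("www.customer.org"))            # NOERROR with the five addresses
    print(try_add(zone, "www", "A", "66.155.12.238"))  # refused: node is a CNAME record
    bare = Zone("customer.org")                        # CNAME but no apex A records
    bare.add("www", "CNAME", "customer.org.")
    print(bare.resolve("www.customer.org"))            # NODATA: nothing is forwarded
```

The last case is the one footech raises: because the internal server is authoritative for customer.org, an empty apex gives clients an empty answer for www.customer.org, never the public records, which is why the A records have to be entered in the internal zone alongside the CNAME.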
LVL 10

Expert Comment

by:EdTechy
ID: 40215271
@Footech - Makes sense.
Glad it is working.