
DNS Issue when Accessing external Website using Split DNS

BSModlin asked:
I currently have an Active Directory environment running split DNS. I have ABC.local for my internal domain name, and our public domain name is ABC.COM.

I have configured a DNS Zone for ABC.COM to access certain things while inside the domain... Our company website is now being hosted externally. It is accessible outside the network, but not from the inside. I have added an A record "www" that points to the public IP of the webserver. It still does not resolve. The weird thing is if I put the IP in my browser inside the network it DOES take me to the page...

What am I missing?

Rich Weissler, Professional Troublemaker^h^h^h^h^hshooter

Commented:
> I have added an A record "www" that points to the public IP of the webserver.
And you did this on the DNS server which is authoritative for the ABC.COM domain?  (I'm assuming you really did this on the internal DNS server, which it sounds like you DON'T want this entry, and you need to have it on the external DNS server which is serving this domain for the public.)

Author

Commented:
It is both on the internal and external DNS servers.....
Rich Weissler, Professional Troublemaker^h^h^h^h^hshooter

Commented:
Let's narrow down what isn't working then. If I were at the keyboard, I'd try the following:
nslookup (this would enter me into the nslookup dialog with my local DNS server)
www (this would query the local DNS server for www.<default_suffix>; what does it return?)
www.ABC.COM (What does this return?)

server [authoritative_DNS_server_for_ABC.COM] (this will switch to the other DNS server.)
www.ABC.COM (And what does this return now?)
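The same comparison, scripted, as an added example that is not part of the thread: it flushes the client cache (the `ipconfig /flushdns` step suggested below), asks the configured internal resolver and then an outside server for the A records of a name, and warns when the two answers differ, which is the symptom of an internal zone overriding the public one. It uses the DnsClient module cmdlets `Resolve-DnsName` and `Clear-DnsClientCache` (Windows 8 / Server 2012 or later); the server address in the usage line is a placeholder.

```powershell
# Added example (not from the thread): compare the internal and external
# answers for a name that lives in a split-DNS zone.
# Requires the DnsClient module (Windows 8 / Server 2012 or later).

function Compare-SplitDnsAnswer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,           # e.g. www.ABC.COM
        [Parameter(Mandatory)] [string] $ExternalServer  # public authoritative server, or any outside resolver
    )

    # Drop the local resolver cache first so a stale answer cannot mislead us
    Clear-DnsClientCache

    # $null means "use the client's configured DNS servers", i.e. the internal AD DNS
    $results = foreach ($server in @($null, $ExternalServer)) {
        $label = if ($server) { "external ($server)" } else { 'internal (configured resolver)' }
        try {
            $params = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
            if ($server) { $params['Server'] = $server }
            $answer = Resolve-DnsName @params | Where-Object { $_.Type -eq 'A' }
            [pscustomobject]@{
                Source    = $label
                Name      = $Name
                Addresses = ($answer.IPAddress -join ', ')
                Status    = 'OK'
            }
        }
        catch {
            # NXDOMAIN or no A record: the internal zone probably lacks the record
            [pscustomobject]@{ Source = $label; Name = $Name; Addresses = ''; Status = $_.Exception.Message }
        }
    }

    $results | Format-Table -AutoSize
    if (($results.Addresses | Select-Object -Unique).Count -gt 1) {
        Write-Warning "Internal and external answers for $Name differ: check the internal zone's records."
    }
    return $results
}

# Usage (replace the address with the public authoritative server for ABC.COM;
# 198.51.100.53 is a documentation-range placeholder):
# Compare-SplitDnsAnswer -Name 'www.ABC.COM' -ExternalServer '198.51.100.53'
```

If the internal row comes back empty or with a private address while the external row shows the hosting provider's address, the internal ABC.COM zone is answering authoritatively and never forwards the query, which is what the rest of the thread goes on to explain.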
Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
If you remove the internal record (www) from your internal zone for ABC.COM and run ipconfig /flushdns and then put the IP back in the browser does it go to the page?

Have you checked your firewall to see where the traffic is going? What page is it displaying for you when you have the A record on the DNS server internally?

Will.
Why did you create the extra DNS zone for abc.com?  If your internal domain is abc.local and your external one is abc.com, you should not need any internal zone for abc.com.  When your internal clients browse www.abc.com your DNS server will resolve that address using an external DNS server, either a forwarder or the root hints depending on how your DNS server is configured, because it will see that abc.com is not an internal domain. So, if you remove the internal abc.com DNS zone, you should be able to browse www.abc.com without any problem.
Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Just to add to what hypercat has said, you would only add the www A record if your website is hosted internally. Because you have it hosted externally and the external IP was configured internally, the clients will not go out to the internet because they see this record in the internal ABC.COM DNS zone.

Will.

Author

Commented:
Understood, but for things like mobile phones that need to access their emails both internally and externally, the creation of ABC.COM was necessary... Cisco ASA firewalls do not allow devices to leave the firewall destined for a Public IP that resides on that same firewall... Cannot go out to come right back in...
How are the mobile phones connecting to the internal network?
it_saige, Developer
Distinguished Expert 2019

Commented:
BSModlin, if the phones are connecting via wifi, then they should be using the local DNS address for the mail server (assuming Exchange). You just need to ensure that the InternalURL for the Exchange server ActiveSync/OutlookAnywhere (depends on version) is configured properly and accessible via the local network.

Otherwise, the phones would use their respective carriers network and this would all be moot as the carrier network is external to your network.  In this case, the phones would use your external DNS records to access the ExternalURL for your Exchange server.

Hypercat is right on with regards to the necessity of split dns in your situation.

-saige-

Author

Commented:
If I do that we will have issues with the SSL certificate because you can no longer have .local as a valid entry in the cert. I have identified my issue. The website is redirecting the www.abc.com request to abc.com, without the www. How do you make a "wildcard" entry in DNS so when they go to abc.com without the www it will go to the static IP of my choice?
it_saige, Developer
Distinguished Expert 2019

Commented:
You could do something like what is outlined here:

http://www.netlife.co.za/tech-guides/46-linuxoss-and-networking/95-adding-single-dns-hosts-for-external-zones-to-a-windows-dns-server.html

Just checking, in your current configuration, you have a CNAME record for the Exchange server that points to the internal IP; e.g. mail.abc.com -> 192.168.1.15?

-saige-
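Two ways to get the bare abc.com (and www.abc.com) answered internally with an address of your choosing, as an added example that is not from the thread or the linked article: option A keeps the internal abc.com zone and adds the zone apex record (an A record named "@", shown in the DNS console as "(same as parent folder)"), which is what the question calls a "wildcard"; option B follows the approach in the linked article and replaces the whole internal abc.com zone with one small zone per host name that must differ internally, so every other abc.com name falls through to the forwarders or root hints as hypercat described. The cmdlets are from the DnsServer module (Windows Server 2012 or later); all IP addresses are placeholders, and `Add-ApexRecord` and `Add-PinpointZone` are helper names chosen here.

```powershell
# Added example (not from the thread): two ways, using the DnsServer module
# (Windows Server 2012 or later), to make abc.com and www.abc.com resolve
# internally to a chosen address. All IP addresses are placeholders.

$PublicWebIP = '203.0.113.10'   # placeholder: public address of the externally hosted site

# Option A: keep the existing internal abc.com zone and add the zone apex
# record. An A record named "@" is what the DNS console displays as
# "(same as parent folder)", so a bare "abc.com" lookup returns this address.
function Add-ApexRecord {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [Parameter(Mandatory)] [string] $IPv4Address
    )
    # Short TTL so a later correction propagates quickly to clients
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name '@' -IPv4Address $IPv4Address `
        -TimeToLive (New-TimeSpan -Minutes 5)
    Get-DnsServerResourceRecord -ZoneName $ZoneName -Name '@' -RRType A
}

# Option B: do not host abc.com internally at all. Create one zone per host
# name that needs an internal answer ("pinpoint" zone); its only record is
# the apex A record. Names without a pinpoint zone resolve externally.
function Add-PinpointZone {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,         # e.g. www.abc.com
        [Parameter(Mandatory)] [string] $IPv4Address
    )
    if (-not (Get-DnsServerZone -Name $Fqdn -ErrorAction SilentlyContinue)) {
        # AD-integrated, so every domain controller running DNS receives the zone
        Add-DnsServerPrimaryZone -Name $Fqdn -ReplicationScope 'Domain'
    }
    Add-DnsServerResourceRecordA -ZoneName $Fqdn -Name '@' -IPv4Address $IPv4Address
    Get-DnsServerResourceRecord -ZoneName $Fqdn -RRType A
}

# Option A usage (internal abc.com zone stays in place):
#   Add-ApexRecord -ZoneName 'abc.com' -IPv4Address $PublicWebIP
#
# Option B usage (after removing the internal abc.com zone):
#   Add-PinpointZone -Fqdn 'abc.com'      -IPv4Address $PublicWebIP
#   Add-PinpointZone -Fqdn 'www.abc.com'  -IPv4Address $PublicWebIP
#   Add-PinpointZone -Fqdn 'mail.abc.com' -IPv4Address '192.168.1.15'  # internal Exchange address from the thread
```

Option B also covers the Cisco ASA hairpin concern raised earlier: only mail.abc.com gets an internal answer, the public web site keeps resolving to the hosting provider, and the certificate can stay issued for abc.com names only.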