DNS - Cannot access our website from within our network

MOBlew used Ask the Experts™
We have a Windows 2012R2 Domain.  Our windows domain is xyz.com.  our website should be www.xyz.com.  We can access the website from outside of our network but not from within.  I've resolved this issue years ago but don't remember how I did it.  I know it's a DNS entry on the DNS server but can't recall what it is.  Feelin old!

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
You must have your website hosted on another server and the public DNS is pointing to that server. Internally you have setup the domain with the same name and your internal DNS is not pointing to the same A record as the public DNS.

Go into DNS on the domain controller (or whichever server has the DNS on it) and add an A record for your domain name and point it to the same IP as the public DNS is pointing to.


Thanks for your input Mr. Knackered!

Tried that.  It did not work.  Did receive the message "Warning:  Could not create associated PTR record.  Probably because we could not find the associated zone".

It did create the record under:

Server Name
            our domain                                                         (same as parent record)         Host(A)            Website IP address

I think the issue might revolve around the fact that our internal domain includes .com instead of .local.
Did you add the A record with www as the name?

Name = www
Type = Host A Record
Data = IP its going to

You can try doing a NSLOOKUP inside your network to check that the www A record is returning correctly. You could also do a TRACERT to see where the www.yourdomain.com traffic is going to get resolved.
Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

Brian MurphySenior Information Technology Consultant

That is a common issue with DNS and AD Domains which have no relation.  It can actually make things worse when you have DDNS for DNS that is Integrated and you need a static record.  Seems like something had to change?  There are 50 roads here, do you use split-dns or host everything external?  

When I say split-DNS it means, to me, you have DNS servers internal and external and the same hostname record is different internal and has a routable IP external.  So, you can actually host everything external like with the external DNS providers.  A lot of people do this because of IPAM.  IP Management.  Or, you have internal DNS servers having identical A-record entries and if you are internal and pointing to internal DNS www might be internal only IP.  Or it could be the same as external and someone made a firewall change.  

Thing is, this can go 100 different ways.  If you are using Active Directory integrated DNS at forest and child level it doesn't know www exists unless you actually build a domain controller and call it www and add it to the forest which to be clear, please don't do this.

I could give you much better guidance if I knew what that website is and I have to assume for both our sake that their is a DMZ Zone or there isn't and you have routable IP's on everything facing the internet.

I'm going to go with DMZ zone or minimum a NAT that terminates to a firewall and maps to an internal IP.

The problem with that option depends on what external users hit first versus internal users.

With Citrix Netscaler you can have a DMZ hosted Netscaler appliance that has a public IP address and users internal and external both get that same address.  In this scenario I'm referring to the VPN vServer not a LB VIP.

F5 Load Balancer, last time I implemented it, has to own the segment.  So if you have a range of external facing IP's you would have a F5 in the DMZ that owns that range then another F5 internal only that owns the private IP range of whatever, like Or 192.168.x.x so on and so forth.

If it were me, I would add the known external IP to drivers/etc/hosts file.  IPAddress and hostname

Open command prompt, type IPCONFIG /FLUSHDNS

Ping the website, and if ICMP is turned off it won't work but if you get no path back then seems like split-dns.   In other words, from internal can you hit the IP address and modify hosts file, clear dns cache on that client, and hit the URL from internal.

xyz.com in Active Directory land can be entirely different compared to INFOBLOX DNS appliance that is the SOA for xyz.com.  You can create as many sub-domains as you wish in the namespace of .xyz.com

OR, you could create an A-Record of www
www = x.x.x.x

The question is what is X?  Does it correspond to a IIS 7.5 server or a pool of servers behind a load balancer.

That is when we start getting down to NSLOOKUP and where your clients are pointing for DNS.

If those servers, DNS or AD Integrated DNS do not forward traffic out to external DNS servers you won't resolve anything external.  

If all your Internet traffic must go through a Websense Proxy behind a F5 load balancer it might be the proxy.xml file and all you get back is 404 errors.

It really becomes easy if you download Wireshark for free and install on a client device.  Then you can capture everything, save it to pcapng format.  Figure out very fast if it is DNS or being blocked.

Just NSLOOKUP alone should tell you

But, again - here is the problem.  This is why it is NOT recommended to use the same FQDN for DNS and your AD Domain.  It can be done, just realize that every client should have a DNS Suffix list or it might just have the primary suffix set to xyz.com.

When you use nslookup and type www your client might be pointing to AD Controllers for DNS and that record either exists or doesn't.

And what is that www record meant to resolve internal versus external?  Is it the same IP regardless?

If it is the same, you can hit it by internet and not internal the record does not exist in the DNS servers that DHCP or Static defined.  If you perform nslookup on www on a client that is member of a domain it will default to I'm in xyz.com, perform lookup for www is the same as www.xyz.com.  Or you would think that right?

Not always the case, I've seen where using Group Policy the machines were given a list of suffix entries and if you do not specify the FQDN it will perform a lookup against every domain listed on Advanced Tab, DNS, suffix domains.  

If you cannot PING www.xyz.com you have a DNS issue or misconfiguration.

Now if you force you system and tell it by modify hosts file to the IP you believe it should be and flush dns and ping gain www.xyz.com if you don't get a route error the very next step is

pathping.exe www.xyz.com

Like pathping google.com I get

Tracing route to google.com []
over a maximum of 30 hops:
  0  MYComputer...Secret
  1  REVERSELookup for my IP
  2  cpe-98-25-32-1.sc.res.rr.com []
  3  cpe-98-25-32-1.sc.res.rr.com []
  4  cpe-024-031-198-145.sc.res.rr.com []
  5  cpe-024-031-205-184.sc.res.rr.com []
  6  be33.chrcnctr01r.southeast.rr.com []
  7  bu-ether44.atlngamq46w-bcr00.tbone.rr.com []
  8  0.ae2.pr0.atl20.tbone.rr.com []
  9 []
 10 []
 11 []
 12 []
 13 []
 14 []
 15 []
 16 []
 17 []
 18 []
 19 []
 20  muc03s13-in-f14.1e100.net []

Now this can still fail if ICMP is turned off but it should not fail until you get at least a few hops and hit a firewall.

The other issue is if using AD DNS, most everything now does a reverse lookup so you need to see both which can be done with NSLOOKUP.
Brian MurphySenior Information Technology Consultant

If you cannot get an answer back on "nslookup www.xyz.com"

You might want to do IPCONFIG /ALL and if you see a 169.x.x.x that is worse case.

At minimum you should get a NON-Authoritative Response back.

That narrows the gap significantly.

If authoritative fails that means your internal DNS server forwarded to the Internet and got back a NON-Authoritative response with the IP.

If that is the IP you expect, you have DNS resolution but something is blocking access to that IP.

If you get nothing back, it might be as simple as having the wrong DNS server listed 1st.

It is one or the other.  You get a 1st response or 2nd.

If your DNS is split that first or second DNS server should be the Authoritative responder.  Meaning it owns that zone as it pertains to internal network.  

If it doesn't know, and wants to continue being DNS it better forward that request somewhere and get you a response.  If you have a domain registered on the internet and say that IP address is internet only you cannot have it both ways.

Clients either point to the registrar or external DNS provider and get first response - nslookup works, cannot hit the web page.  That is a firewall or web proxy type of issue.

If you get a 1st response from any internal DNS server it should most likely be an internal IP.

If it is only external, AD DNS has conditional forwarders for that sort of thing.  Not a good idea to create 1 static record and play SOA for an external hosted IP.

So if you get internal IP, if it doesn't ping, trace, and so forth - that doesn't confirm anything if ICMP is turned off.

You would have to enable Telnet on Windows 7 or go to your 2012 server or any server in this dimension and telnet to that IP on port 80 and 443.

If you cannot perform a simple Telnet to specific port can be anything.
1. That IP is bound to internal load balancer and someone deleted the service
2. You have one nic or multiple networks and you had static routes

If you cannot get there from the same device or IP as previous that tells me you had persistent routes defined.

You need to ADD ROUTE from command line again because those were wiped.


Ok...  Some new information.

When I add an A record for WWW...  the FQND shows up as   "www.xyz.com.xyz.com.XYZ.COM

Where is this coming from?
Brian MurphySenior Information Technology Consultant

Yea. I cannot tell from your question but if you were stating you moved to 2012 server and it has same IP address.

Most likely static route entry was wiped.

Just need to find out the Gateway and network and subnet mask

Just checking but the www name record should just be www and nothing else. Please ensure you didn't add the full domain name in.
Brian MurphySenior Information Technology Consultant

That is called following the rabbit.

But not which one.

Not sure what you mean by A record and adding it for www.  Where did it go?

What you stated above happens when you create new subdomains under xyz.com

So you have a trailing set of zones in DNS and need to delete all of them and put A record in XYZ.COM

Anything to the left and (DOT) something is not a record, it is a zone in a zone in a zone in a zone.
Brian MurphySenior Information Technology Consultant

I'm trying to understand why you would add A record.  If it worked before, did you upgrade to 2012 and wipe DNS?  What are you using for DNS?  

Because unless it is open source and really bad you cannot create (DOT) names to the left without a new zone.

That would be like adding www as a entire new zone under xyz.com.  Which I stated above please never do that.

Then, any host record is hostname.www.xyz.com

I mean, am I making it worse on you?  My goal is to help you but I try to make it a learning exercise.

I don't really enjoy just giving away the answer.  I need some participation, troubleshooting or solving problems is what landed me in technology in the first place.


Ok...  Closer...

I added it to the DNS root instead of the sub.

I flushed DNS

Now NSLookup and ping returns the correct address, but the webpage still will not open.  Checked DNS forwarders and they look ok.
Brian MurphySenior Information Technology Consultant

For me, I start with this

But I retrofit it for technology.

It actually means something slightly different but in technology will help you see things that don't because we naturally look for the most complex.  Choose the one with the least number of assumptions and it is usually that most simplest of those that is causing it.

Something changed.  Had to.  What? Why?

Did it ever work?  You gave that impression that it worked before and you don't remember how to fix it.

Did the ISP change the IP Address or something and external DNS adjusted but not internal?

Do you remember adding A record last time?  Because it sounds more like a routing issue now.

Or did.  Point being, fundamentals.  What are you looking at to see all those subdomains?

It doesn't matter.

Can you ping it?  Does it resolve to the IP?  

At this point, unless you deny SSL name match you can go as far as you want down the hole and it will work.

The simplest step is web browser and HTTP://IPADDRESS

if that doesn't work, you have a route or firewall problem.  I just took DNS out of the equation.  

You can call it what you want later but if you cannot hit that by IP with a browser or Telnet you lost your network or someone changed a firewall rule or you are missing a static route because you have three NICs on different networks for some reason and only one gateway.

Or, you have one NIC only and the gateway you point at was using static routes and it is stopping at the Gateway.

The DNS thing is done if you cannot use IP.  You need to be willing to rule things out before making mass changes to production.  I mean, those are my rules.  

Test the IP address, let me know.  If not, I tried.
Brian MurphySenior Information Technology Consultant

Okay. DNS works.

Can you hit the website with that IP?

Yes or No


I cannot hit that website with this IP.  It's a hosted web site.  But I can hit the website from outside of the network with this url and from that PC, if I ping the url I get this IP.  Also, if I go to the host's DNS manager the www is pointed to this IP.
Brian MurphySenior Information Technology Consultant

At this point I think your close.  Assuming that is the IP for internal.

We need to rule out protocol and transport issues.

That requires a browser and or telnet.  Not ping or pathping or tracert.  

Unless, you ping the IP itself and it says no path to that location.
Static Route, Route gone on Router.

Before we go pointing fingers, you better off just ruling it out so when you blame the network without evidence you had it coming.
Brian MurphySenior Information Technology Consultant

Okay.  Any new evidence is good evidence.

Narrow down the symptoms.  You cannot hit that URL with a browser.

Now what?

Can you hit www.google.com with the browser?

Can you get to the internet?


From within the browser can open any other site.  Ping and NSLookup return the correct IP address.  But the browser cannot open the specific site.

Outside the network everything else works fine except this site.
Brian MurphySenior Information Technology Consultant

Back up.  What does this mean:
I cannot hit that website with this IP.

Is that a question or a statement of fact.  Are you stating you cannot hit that website with that IP because it is supposed to be another IP or that is the right IP and it has worked prior until now?
Brian MurphySenior Information Technology Consultant

Not sure what this means
Outside the network everything else works fine except this site.

If you have a machine on the internet I would expect that.

We can rule that out, toss it.  You have a website that is external and it resolves correctly and we take DNS out of the equation and you cannot hit that site by IP Address?

Doesn't make a of sense right now.

Need a favor.

Go here

Type in your domain starting with xyz.com

No www.  Just xyz.com

Does this site know that domain exists?

And if it does, you need to document the DNS servers that it shows as primary.

This could easily be a external DNS problem but were your company is hosting the DNS and playing SOA and they are not SOA

That is easy to find out.  When you get the DNS IP, use nslookup again but set your server to the IP that is listed on whois.

Type Nslookup (enter)
>server x.x.x.x

Is it the same IP


Cannot hit the website using that IP...  The website is hosted at a hosting company.  This IP is used for many sites.  We have the use the URL to get to the site.

From any computer outside of my network, the site opens up fine.

From any computer within my network, I get the page cannot be displayed error.

The website is ok.  It's something to do with my internal DNS.
Brian MurphySenior Information Technology Consultant

Oh.  When you use the browser to IP.  Do you get any error?  Or does it just spin?

So, don't remember if you did this but what your describing can happen when you have a internal domain and zone of say: corp.mycompany.com and you also have a forward lookup zone of mycompany.com

AND, mycompany.com is not in your suffix search order list.

It is not magic.  If you can get to any website from that machine, you have something internal that is specific only to you, right now, in this dimension on that PC or your network.

Firewalls don't usually block sites at random.  Somewhere your recursive lookup is getting different information.  It use to happen all the time.

If you validate your domain at whois, you need to modify hosts file and if that is the right IP use that IP and www.mycompany.com

Why I ask this is some ISPs or vendors that host websites pile them on top of a single IP address like a content switch.  Content switch on Netscaler is awesome, btw.

I can host 5000 urls with one IP and a wildcard cert.  

But it doesn't work unless you use the entire FQDN name and the content switch is looking for a host header name of www.mycompany.com.

Something is a miss here.  A content switch explains the IP.  That means that your DNS for some reason is taking www.mycompany.com and making it something else.  Like a subdomain still exists internal or there was a specific conditional forwarder configured in DNS.

Or, your forward lookup zone is not forwarding it is a primary lookup zone for an address that is owned by an external provider.  That doesn't work.  But it never would have worked.


Browser to IP - Page not found.

I'm sure it's something to do with internal DNS.

My internal domain is XYZ.com

Have added A record WWW to the IP address

Inside the network www.xyz.com get's me page not found.
    -  Ping and NSLookup returns the right IP address

Outside the network www works
    - Ping and NSLookup returns the same results as inside the domain.

It's got to be some DNS entry...
Brian MurphySenior Information Technology Consultant

Don' take this personal, at least you have narrowed it down significantly, is there anyone at work that might be "pay back" time?  

It is definitely on your side at this point, and I don't recall if it was everyone or just you.

THings that cause this are:
1. Someone modified your hosts file and did a blacklist of www.mycompany.com to
2. You have a Proxy Server, the browser goes to the proxy server and for some reason that proxy server thinks that FQDN is internal.  That is real easy to do with proxy.xml file.  And it can be set at the mycompany.com level so if you have one website and chose to use internal AD domain as DNS zone the proxy server would see anything from that domain as not going external.
3. Your internal AD Domain as in forest and child has the same structure of mycompany.com so child domain is mycompany and forest root is .com.  That means it will never forward that request to the internet.  You add an A-Record to a AD integrated zone with an external IP address that is owned by external DNS servers means you get the IP from a SOA internal but anything in the middle will get it from external and it may still work but hurts to think about it.
4.  You have a forward lookup zone that is dedicated for that domain name that is hosted with someone external.  So you are mix and matching records with internal IP and external IP but it is not associated with the AD Domain.  Even this can work for the most part.

Have you used Wireshark?  Because that will most certainly give us the answer.

There are not a lot of options at this point.


It's probably #3 above.  Was setup by someone else.

FYI  here's a traceroute.  (Edited)
C:\Users\Administrator>tracert www.one3ip.com

Tracing route to www.xyz.com [xxx.xxx.xxx.xxx]
over a maximum of 30 hops:

  1     3 ms     1 ms     1 ms  xx.xx.xx.xx
  2     2 ms    <1 ms    <1 ms  207-67-34-113.static.twtelecom.net [
  3     1 ms     1 ms     1 ms  lax2-pr2-xe-0-3-0-0.us.twtelecom.net [66.192.253
  4     *        1 ms     1 ms
  5     1 ms     1 ms     *     ae-3-80.edge1.losangeles9.level3.net [
  6     2 ms     2 ms     2 ms  telia-level3-4x10g.losangeles.level3.net [4.68.7
  7    15 ms    15 ms    15 ms  sjo-b21-link.telia.net []
  8    15 ms    15 ms    15 ms  las-b3-link.telia.net []
  9    27 ms    27 ms    27 ms  sjo-b21-link.telia.net []
 10    27 ms    27 ms    27 ms  defensenet-ic-302038-sjo-b21.c.telia.net [62.115
 11    27 ms    27 ms    27 ms
 12     *        *        *     Request timed out.
 13    78 ms    78 ms    78 ms
 14    77 ms    77 ms    77 ms  vux.netsolhost.com []
 15    78 ms    78 ms    77 ms  vux.netsolhost.com []

Trace complete.
Brian MurphySenior Information Technology Consultant

It could be DNS but how?

If you have a valid domain, you add that IP and FQDN to hosts file you just ruled out DNS.

Windows machines look to hosts first.  DNS is dumb.  It takes the first IP you give it.

From that point forward, it never contacts another DNS server.  That is in your cache until the OS TTL timeout or you do a ipconfig /flushdns

You can disagree but you would know better because your more familiar with surroundings.

The point is to reduce suspects.  Did you not hardcode hosts?

Because that removes DNS from the picture.  That is old school, DNS started as a file on a network share.  DNS servers did not exist.  But Windows will take that hosts entry over everything else, including 2008R2 and 2012 servers.  This causes more problems and still happens today.  I find static entries in hosts files, remove them, ipconfig /flushdns and it works.

You have the opposite problem.  Adding it to hosts rules out DNS and also your ISP.

Just don't forget to modify hosts, save hosts, ipconfig /flushdns

At this point I can't go down the DNS hole.  If you add it to hosts and it doesn't work.  I cannot think of a DNS reason for that issue.  

But I cannot go another direction until you rule it out.

And Wireshark would tell you everything it sees from client to switch.  If you get page cannot be displayed that is a reset.  Something is resetting your packets.

Your browser is being sent somewhere else.  If your not sure about the other questions, I cannot do much more for you without wireshark.
Brian MurphySenior Information Technology Consultant

Yea, maybe.  If you add static entry to hosts.  Clear cache, Ping it to get it in cache then tracert is actually a different layer than HTTP HTTPS.

You are getting the HTTP GET request blocked.

You can trace all day.  If you hard code hosts, that rules DNS out - done.  

Your now up in the higher layers of OSI stack.  Something on your network or in your network hates that web server.  Because you cannot HTTP to IP or FQDN but you can get ICMP response.

Not DNS.

For some reason, that FQDN whether it resolves or not you open a browser and get page cannot be displayed makes perfect sense if you get the same external.  Service down.  Easy.

This is something else.  This is more like a PIX Firewall that uses a PAT address so if you go to

www.whatsmyip.com you should see any address but your internal client.

Hopefully, you see one IP, every time, no matter what client.

You can trace to the final destination from internal - no routing issue.

So, if you had a PAT to internal NATs you would have that problem if it did not know the difference between internal and external.

That is what your external IP does.  Sounds more like a packet reset which can happen outgoing or incomming.  Fastest way to know is Wireshark.

You will see HTTP Get request, real time.  Some things are just set in stone.

Hardcode hosts file, install Wireshark.  It had to be routing internal or external and you ruled that out with tracert.

That machine knows how to get to that external IP.  Stone.

The browser higher in the stack than ICMP doesn't?  Why?
Brian MurphySenior Information Technology Consultant

10 minutes at most.  

Download, install, reboot.

I can walk you through the rest.  Install Wireshark and WINCAP.  

This is the fun part.  Unless you know something I don't.  This takes 10 minutes and you click start capture, open browser, have hosts done, go to FQDN.  You will see some stuff go Red.

Your looking for HTTP Get and any SYN ACK with resets.

If you see a HTTP GET and failed.  You right click, Follow TCP Stream.  

The only other thing that makes sense is your ISP blacklisted your external IP.

Now that almost never happens with HTTP but happens all the time with SMTP Mail.

You don't have a choice, in my opinion.  But I use Wireshark every day.  Read all their books and member of Wireshark University.  So Wireshark is my best friend.  He never lies.
Brian MurphySenior Information Technology Consultant

A few things come to mind on the DNS path if you want to go that direction.

Adding the hostname to hosts would not help if you hit a proxy server and the proxy server "proxies" all connections internal to external.  So think of it as your browser used the computer brain and now that is removed and it is forced to use the brain of proxy server.

Bluecoat and Websense are the two I have worked with most and have always used F5 with both of those and there are different configurations / profiles that allow for integration.

But, I keep bringing it up and not hearing anything back so I ruled those out.

Add it to hosts eliminates DNS if nothing else is in the middle of your client machine and what ever allows it to use Internet.  Something does it unless your company bought an entire range of routable IP for some reason.  Some people use a firewall, most companies now use proxy servers behind a load balancer in the DMZ.  That one IP external is taking on the source for your internal machine.

So the website is talking to the NAT or PAT or maybe you have a cable modem from Time Warner for all I know but that plugs into a switch and you hand out DHCP addresses.  The switch has a single port to save you from the internet.  It acts on behalf of everyone to forward and resolve DNS.

You machine would point to that as your Gateway or in real networks it is simply a routing thing where anything having external IP goes here....

Hence, www.whatsmyip.com

Thing is, those designs don't host forward lookup zones.  They simply resolve and some do a reverse lookup.  If you hardcode DNS and it matches real world your not going to know much more without Wireshark.  

It exists to eliminate the guessing.  Everyone one should have it.

The only issue is that you only see what you see...see.

Sometimes that is not enough.  That is why God made port mirroring and port aggregators.  

To see everything you need Wireshark at the ISP, and mirrored port for anything that proxies that traffic.

Even then, you still win by what you don't see.  If your not getting ACK or FIN responses back when using the browser that is basic block everything going to this IP.  The only thing that cares about hostname is Content Switch or SSL Certificates.  That is not the case if you can trace route.

Wireshark would show you if it is DNS or packet reset by what you don't see in missing responses or packets.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial