Re: dns + firewall?
From: Herb Martin (news_at_LearnQuick.com)
Date: 08/09/04
- Next message: tony wong: "Re: Any suggestion on DNS setup"
- Previous message: Kevin D. Goodknecht Sr. [MVP]: "Re: dns + firewall?"
- In reply to: Eric: "Re: dns + firewall?"
- Next in thread: Eric: "Re: dns + firewall?"
- Reply: Eric: "Re: dns + firewall?"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 9 Aug 2004 08:32:22 -0500
"Eric" <eric@hotmail.com> wrote in message
news:O7e$mKhfEHA.1644@tk2msftngp13.phx.gbl...
> Ok! I really suck at this, so slow and easy please. :-/
No problem - in fact if you work with me (especially) you
will find I continuously encourage "BE SPECIFIC", SIMPLIFY,
DIVIDE and CONQUER to solve 'hard problems.'
> We have a firewall (linux) that does a portforward on port 80 to the dmz
> win 2k-machine where the web and the DNS are located.
The DNS for the public resolution from the Internet?
(If so, this would better be placed at the "Registrar" but for now
let's continue.)
If you are mixing Public and Private DNS on one server (and
are not a true expert) then you are just asking for trouble - that
is ALMOST UNWORKABLE.
> The rest of the computers are "inside" the firewall, including the
> "main Win 2k computer" to which all the work stations log on.
>
> Everything works fine, external computers can access the dmz win
> 2k-machine web fine, we can access the net from the inside, *but* we can
> only use the address lan.company.com (or some alias) to access the dmz
> win 2k-machine web from the inside and *not* www.company.com. And that
> creates problems when we want to update our site and use absolute
> addresses.
What about the rest of the Internet? Can the internal users resolve those
names? If so you are likely using actual recursion or forwarding correctly
and the problem likely resides somewhere else.
You haven't explained clearly which is your INTERNAL zone/domain
name (lan.company.com?) and which is your EXTERNAL zone/domain
for the web server (company.com)?
Do you have a ZONE named "lan.company.com" or is that an alias
for www.company.com (the web server itself)?
If the latter, you likely don't have the PUBLIC resources listed (manually)
on the INTERNAL version of the zone/domain DNS servers.
Having a separate DNS server (set) for internal/external DNS that use the
same zone/domain name is called "Shadow DNS" (aka: split DNS)
and requires that you add ALL of the external resources you wish internal
users to resolve to both the external AND the internal versions of the zone.
If you aren't using the same name, then you need to teach the internal
DNS servers how to resolve "the Internet" (external names) -- the
preferred way is to forward to an ISP (or intermediate firewall/DMZ
DNS) that resolves the public names.
Give the name of each zone
Explain where each zone is held (which servers/where located)
Explain how you resolve the Internet (if you can)
Explain any forwarding you use
Explain which DNS server(s) appear on all internal clients (all machines really)
Internal clients should use ONLY internal DNS servers (if you have
them, and you almost certainly SHOULD have them.)
--
Herb Martin

> Don't know if I made it clearer...:-/
>
> /e
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:%23$IyW0ffEHA.2764@TK2MSFTNGP11.phx.gbl...
> > "Eric" <eric@hotmail.com> wrote in message
> > news:ur8C#affEHA.4092@TK2MSFTNGP10.phx.gbl...
> > > This is probably stupid, but we have a network with a firewall where the
> > > web server is an IIS/Win 2k which is on the dmz. Everything works fine
> > > *except* for the internal computers where we have a problem with the
> > > domain.
> > > Normally it's www.company.com, we have an alias that's lan.company.com
> > > created with an alias that works but we would like to use the regular
> > > www.spider.se. The reason is that every webpage we create from the
> > > "inside" can't use the same absolute links as from the "outside", which
> > > is disturbing.
> >
> > It's not a stupid question, but it isn't exactly clear where the
> > problem is, or what you wish to accomplish that you cannot.
> >
> > What is your internal domain name?
> >
> > Do you have separate internal and external DNS servers?
> >
> > > I *think* you can do some sort of forwarding thing in the Win 2k DNS to
> > > fix this but I don't know how.
> >
> > The standard method is for all of the INTERNAL machines
> > to be DNS clients of the internal DNS.
> >
> > The internal DNS then forwards to the ISP or the DMZ/firewall
> > DNS server which handles all public zone resolution.
> >
> > Internal DNS:
> > 1) Dynamic for the zone supporting AD
> > 2) All internal DNS client NIC\IP properties must specify SOLELY
> > that internal, dynamic DNS server (set.)
> > 3) DCs and even DNS servers are DNS clients too -- see #2
> >
> > Restart NetLogon on any DC if you change any of the above that
> > affects a DC.
> >
> > --
> > Herb Martin
> >
> > > Any ideas?
> > >
> > > /e
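The split ("Shadow") DNS requirement in the reply above, that every public name internal users need must also exist in the internal copy of the zone, checked mechanically. This is an added example, not code from the thread; the two zone listings, company.com and all addresses are constructed placeholders.

```python
# Added example (not from the thread): find gaps between the external (public)
# and internal copies of a split/"shadow" DNS zone. Zone data is constructed.
from typing import Dict, List, Tuple

EXTERNAL_ZONE = """
; constructed external (public) view of company.com
www.company.com.   A  203.0.113.10
mail.company.com.  A  203.0.113.20
ftp.company.com.   A  203.0.113.30
"""

INTERNAL_ZONE = """
; constructed internal view of company.com held on the LAN DNS server
lan.company.com.   A  192.168.1.10
mail.company.com.  A  192.168.1.20
"""

def parse_zone(text: str) -> Dict[Tuple[str, str], str]:
    """Parse a minimal 'name type rdata' listing into {(name, type): rdata}."""
    records: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        name, rtype, rdata = line.split(None, 2)
        records[(name.lower().rstrip("."), rtype.upper())] = rdata
    return records

def shadow_gaps(external: str, internal: str) -> Tuple[List[str], List[str]]:
    """Return (missing, differs): public records absent from the internal
    zone (internal clients cannot resolve them at all, the symptom in the
    thread), and records present in both but with different data (expected
    for a NAT'd DMZ host, but worth a deliberate review)."""
    ext, inr = parse_zone(external), parse_zone(internal)
    missing = sorted(f"{n} {t}" for (n, t) in ext if (n, t) not in inr)
    differs = sorted(f"{n} {t}" for (n, t), v in ext.items()
                     if (n, t) in inr and inr[(n, t)] != v)
    return missing, differs

if __name__ == "__main__":
    missing, differs = shadow_gaps(EXTERNAL_ZONE, INTERNAL_ZONE)
    for rec in missing:
        print("MISSING from internal zone:", rec)
    for rec in differs:
        print("data differs (check NAT/DMZ mapping):", rec)
```

With the constructed data, www and ftp are reported as missing internally, which is exactly why only the lan.company.com alias works from the inside.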