Re: dns + firewall?
From: Eric (eric_at_hotmail.com)
Date: 08/09/04
- Next message: MyndPhlyp: "Re: Event 5782 from NETLOGON on server boot"
- Previous message: Eric: "Re: dns + firewall?"
- In reply to: Herb Martin: "Re: dns + firewall?"
- Next in thread: Jonathan de Boyne Pollard: "Re: dns + firewall?"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 9 Aug 2004 16:56:28 +0200
Hi Herb!
I put together a *fat* answer to you, but then all of a sudden Kevin's
solution made it. Thanks for your help, really appreciate it!
:)
/e
"Herb Martin" <news@LearnQuick.com> wrote in message
news:%23XEWyVhfEHA.2812@tk2msftngp13.phx.gbl...
> "Eric" <eric@hotmail.com> wrote in message
> news:O7e$mKhfEHA.1644@tk2msftngp13.phx.gbl...
> > Ok! I really suck at this so slow and easy please. :-/
>
> No problem - in fact if you work with me (especially) you
> will find I continuously encourage "BE SPECIFIC", SIMPLIFY,
> DIVIDE and CONQUER to solve 'hard problems.'
>
> > We have a firewall (linux) that does a port forward on port 80 to the dmz
> > win 2k-machine where the web and the dns is located.
>
> The DNS for the public resolution from the Internet?
> (If so, this would better be placed at the "Registrar" but for now
> let's continue.)
>
> If you are mixing Public and Private DNS on one server (and
> are not a true expert) then you are just asking for trouble - that
> is ALMOST UNWORKABLE.
>
> > The rest of the
> > computers are "inside" the firewall, including the "main Win 2k computer"
> > to which all the work stations log on.
> >
> > Everything works fine, external computers can access the dmz win
> > 2k-machine web fine, we can access the net from the inside, *but* we can
> > only use the address lan.company.com (or some alias) to access the dmz
> > win 2k-machine web from the inside and *not* www.company.com. And that
> > creates problems when we want to update our site and use absolute
> > addresses.
>
> What about the rest of the Internet? Can the internal users resolve those
> names? If so you are likely using actual recursion or forwarding correctly
> and the problem likely resides somewhere else.
>
> You haven't explained clearly which is your INTERNAL zone/domain
> name (lan.company.com?) and which is your EXTERNAL zone/domain
> for the web server (company.com)?
>
> Do you have a ZONE named "lan.company.com" or is that an alias
> for www.company.com (the web server itself)?
>
> If the latter, you likely don't have the PUBLIC resources listed (manually)
> on the INTERNAL version of the zone/domain DNS servers.
>
> Having separate DNS server (set) for internal/external DNS that use the
> same zone/domain name is called "Shadow DNS" (aka: split DNS)
> and requires that you add ALL of the external resources you wish internal
> users to resolve to both the external AND the internal versions of the
> zone.
>
> If you aren't using the same name, then you need to teach the internal
> DNS servers how to resolve "the Internet" (external names) -- the
> preferred way is to forward to an ISP (or intermediate firewall/DMZ
> DNS) that resolves the public names.
>
> Give the name of each zone
> Explain where each zone is held (which servers/where located)
> Explain how you resolve the Internet (if you can)
> Explain any forwarding you use
> Explain which DNS server(s) appear on all internal clients (all machines
> really)
>
> Internal clients should use ONLY internal DNS servers (if you have
> them, and you almost certainly SHOULD have them.)
>
>
> --
> Herb Martin
>
>
> >
> > Don't know if I made it clearer...:-/
> >
> > /e
> >
> >
> > "Herb Martin" <news@LearnQuick.com> wrote in message
> > news:%23$IyW0ffEHA.2764@TK2MSFTNGP11.phx.gbl...
> > > "Eric" <eric@hotmail.com> wrote in message
> > > news:ur8C#affEHA.4092@TK2MSFTNGP10.phx.gbl...
> > > > This is probably stupid, but we have a network with a firewall where
> > > > the web server is an IIS/Win 2k which is on the dmz. Everything works
> > > > fine *except* for the internal computers where we have a problem with
> > > > the domain.
> > > > Normally it's www.company.com, we have an alias that's
> > > > lan.company.com created with an alias that works but we would like to
> > > > use the regular www.spider.se. The reason is that every webpage we
> > > > create from the "inside" can't use the same absolute links as from
> > > > the "outside" which is disturbing.
> > >
> > > It's not a stupid question, but it isn't exactly clear where the
> > > problem is, or what you wish to accomplish that you cannot.
> > >
> > > What is your internal domain name?
> > >
> > > Do you have separate internal and external DNS servers?
> > >
> > > > I *think* you can do some sort of forwarding thing in the Win 2k dns
> > > > to fix this but I don't know how.
> > >
> > > The standard method is for all of the INTERNAL machines
> > > to be DNS clients of the internal DNS.
> > >
> > > The internal DNS then forwards to the ISP or the DMZ/firewall
> > > DNS server which handles all public zone resolution.
> > >
> > >
> > > Internal DNS:
> > > DNS
> > > 1) Dynamic for the zone supporting AD
> > > 2) All internal DNS client NIC\IP properties must specify SOLELY
> > > that internal, dynamic DNS server (set.)
> > > 3) DCs and even DNS servers are DNS clients too -- see #2
> > >
> > > Restart NetLogon on any DC if you change any of the above that
> > > affects a DC.
> > >
> > > --
> > > Herb Martin
> > >
> > >
> > > >
> > > > Any ideas?
> > > >
> > > > /e
> > > >
> > > >
> > >
> > >
> >
> >
>
>
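Herb's "Shadow DNS" point above is that every public record internal users need must also exist in the internal copy of the zone, and the usual symptom of a gap is exactly the one Eric describes (www.company.com unresolvable from the LAN while lan.company.com works). The audit below is an added example, not code from the thread; it compares constructed external and internal views of a zone in a simplified "owner type rdata" format (not a real zone-file parser) and reports public names missing from the internal view plus internal A records that still point outside the LAN ranges.

```python
import ipaddress

# Constructed sample data (not from the thread): "owner type rdata" per line.
EXTERNAL_ZONE = """\
company.com.       A   203.0.113.10
www.company.com.   A   203.0.113.10
ftp.company.com.   A   203.0.113.30
mail.company.com.  A   203.0.113.20
company.com.       MX  10 mail.company.com.
"""

# Internal copy of the same zone name: 'www' was never added here, and
# 'ftp' was copied with its public address instead of the host's LAN one.
INTERNAL_ZONE = """\
company.com.       A   192.168.1.5
lan.company.com.   A   192.168.1.5
ftp.company.com.   A   203.0.113.30
mail.company.com.  A   192.168.1.20
company.com.       MX  10 mail.company.com.
"""

def parse_zone(text):
    """Parse the simplified zone text into {(owner, type): {rdata, ...}}."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        records.setdefault((owner.lower(), rtype.upper()), set()).add(rdata)
    return records

def audit_shadow_zone(external_text, internal_text,
                      internal_nets=("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")):
    """Return (missing, public): (owner, type) keys present only in the
    external view, and owners whose internal A record lies outside the LAN."""
    ext = parse_zone(external_text)
    internal = parse_zone(internal_text)
    missing = sorted(key for key in ext if key not in internal)
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    public = sorted(owner for (owner, rtype), rdatas in internal.items()
                    if rtype == "A" and not all(
                        any(ipaddress.ip_address(r) in n for n in nets) for r in rdatas))
    return missing, public

if __name__ == "__main__":
    missing, public = audit_shadow_zone(EXTERNAL_ZONE, INTERNAL_ZONE)
    for owner, rtype in missing:
        print(f"missing from internal zone: {owner} {rtype}")
    for owner in public:
        print(f"internal A record points outside the LAN: {owner}")
```

A record flagged in the second list only works from inside if the firewall also forwards LAN traffic back to the DMZ host, which is worth checking explicitly rather than assuming.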