Re: Need Help from DNS Expert on Subdomain DNS Records
- From: razor <razor@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 13 Jun 2007 10:36:03 -0700
Ah, that's what 'read inline' means. Sorry m8. I'll reply inline below.
Thanks for the help.
sd
"Kevin D. Goodknecht Sr. [MVP]" wrote:
Read inline please.
I agree, but I am not a Cisco expert and that's what they told me. Anyway,
In news:509280B8-6130-4BE8-AA9A-B65176D491C2@xxxxxxxxxxxxx,
razor <razor@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
No. We host three websites on our webserver and this particular one
that we are having issues with is not the same as our AD domain name.
When you use nslookup to resolve these names do you get the correct internal
IP addresses?
Yes. Both the namespace and the sub resolve.
In addition, let's go in to further detail on your original post.
We have an issue with being able to access a domain and its sub
domain from within and outside our firewall. We had it working with
our old firewall, but we changed firewalls Friday and now it won't
work.
Internally or externally?
Only internally now that we changed the subdomain to a different IP than the parent in both IIS and DNS.
Here's our scenario: We have a namespace called 'domainname.com'
with a DNS Host A entry for the IP address associated with the name
of the website in our internal IIS server. We also have a sub
domain named, 'dev' that we used to have the same IP address as the
namespace, but since our new firewall will not allow more than one
public IP to point to the same private IP,
This is confusing, firewalls should not do this. If you're talking about NAT
mapping, you should be able to map multiple public IPs to one private IP, now
you can not map one Public IP to more than one private IP. But the Private
IP should be able to have as many public IPs mapped to it as you want,
although it would seem to be a waste of Public IPs.
external is working now--so I believe we can exclude the firewall as a
culprit to our inability to access a website from within the LAN (behind the
firewall).
Now everything is whacky. Some of our clients inside the firewall
can access the 'dev' site and some cannot. Some can access the
parent
site and some cannot, and those that can connect, can only do so
intermittently.
You need to verify that all DNS servers assigned to the DNS client are
able to resolve every name it needs to resolve to the correct IP address.
Some people attempt to have the Preferred and Alternate DNS resolve
different namespaces. It won't happen that way, the DNS client tends to stick
to the last DNS Server that responds. If one is an internal DNS and one is
an external DNS, this will get you into trouble because both cannot resolve
both the internal and external namespaces.
*Good point* This is where it gets weird. When I do an Nslookup on the primary DNS server to the subdomain IP address, it resolves to a different name each time until it finally resolves to the right name--which is really weird because we have no problem accessing the subdomain from a web browser. It's the parent that we can browse and that one resolved correctly on the DNS server first try! Confusing.
If we change the parent and the child Host A records to be the same
IP, we cannot access the child site from outside the LAN/Firewall
because of the new firewall policy with only one public IP per
private IP pointer.
Both the parent domain and child or sub domain IP addresses are in
the IIS server's TCP/IP properties in its NIC card.
What do you mean "Both the parent domain and child or sub domain IP
addresses are in the IIS server's TCP/IP properties in its NIC card"?
We added the internal IP address of the subdomain to the NIC card on the IIS server and left the parent IP there as well.
Are they or are they not on the same IP address?
No. The parent and the sub are different IP addresses now because of the firewall limitation. Before we switched firewalls they were the same and we had no problems.
NAT is 1 to 1 IP mapping, one public IP to one private IP, you can't map one
public IP to two private IPs. But, you should be able to map two public IPs
to one private IP using standard NAT IP/port mapping.
I'm out of my element there, but I will revisit that with Cisco again because that is where all this started.
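
The check suggested in the thread (every DNS server assigned to a client must resolve every needed name to the same, correct address) can be scripted. The following is an added example, not part of the original messages: it parses nslookup output captured from each configured server and reports names the servers answer differently. The transcripts, server names and addresses are constructed for illustration.

```python
import re
# Constructed nslookup output (not from the thread): the same two names asked
# of each DNS server configured on one client. All addresses are made up.
TRANSCRIPTS = {
    "10.0.0.10": """Server:  dns1.example.internal
Address:  10.0.0.10

Name:    domainname.com
Address:  10.0.0.20

Server:  dns1.example.internal
Address:  10.0.0.10

Name:    dev.domainname.com
Address:  10.0.0.21
""",
    "203.0.113.53": """Server:  resolver.example.net
Address:  203.0.113.53

Non-authoritative answer:
Name:    domainname.com
Address:  198.51.100.7

Server:  resolver.example.net
Address:  203.0.113.53

*** resolver.example.net can't find dev.domainname.com: Non-existent domain
""",
}

def parse_answers(text):
    """Map each queried name to its answer address (None if the lookup failed)."""
    answers, name = {}, None
    for line in text.splitlines():
        if m := re.match(r"Name:\s+(\S+)", line):
            name = m.group(1).lower()
        # 'and name' skips the Address line that describes the server itself
        elif (m := re.match(r"Address(?:es)?:\s+(\S+)", line)) and name:
            answers[name], name = m.group(1), None
        elif m := re.search(r"can't find (\S+):", line):
            answers[m.group(1).lower()] = None
    return answers

def find_disagreements(transcripts):
    """Return {name: {server: answer}} for names the servers answer differently."""
    per_server = {srv: parse_answers(t) for srv, t in transcripts.items()}
    names = set().union(*per_server.values())
    table = {n: {s: a.get(n) for s, a in per_server.items()} for n in names}
    return {n: row for n, row in table.items() if len(set(row.values())) > 1}
```

Any name returned by `find_disagreements` will behave differently depending on which server the client happens to be using, which matches the intermittent access described above.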