Alias through DNS

DNSer

I run a shop with W2K3 AD integrated DNS. I also host an Exchange 2003
server.

We have a CISCO Firewall in the network and until recently I used DNS
doctoring (aliasing) to redirect requests from my inside users for the
publicly registered email server. In other words, I had a firewall
rule that specified my publicly registered email server (MX), i.e.
mail.mydomain.com, is found at mail.inside.mydomain.com. It worked
great -- there were no problems with name resolution and email. After
maintenance on the firewall, this DNS doctoring stopped working
altogether.

This has become a real annoyance since I have a lot of branch office
and mobile users who visit the main office and cannot access email
because the mail host is named differently on the inside from the
public email name. And without changing settings in their mail client
and/or providing a "new" address for their OWA, they cannot get to
their email.

I've troubleshot the problem with CISCO -- there's no way to recapture
the functionality without changing hardware -- not a very practical
solution. I've thought there may be a way to do it in DNS with the use
of a CNAME RR. But I've also heard there may be problems using CNAME
references for mail servers.

Does anyone have experience with this type of problem and if so, how
did you resolve it?
Any advice or guidance is greatly appreciated.

DNSer

Kurt

If your inside DNS only services your inside clients, it seems like you
should be able to create a mydomain.com lookup zone on your local server,
create whatever records you need for www, ftp, mail, etc. that are also
externally resolvable, and point the MX record for that domain to
mail.inside.mydomain.com.

....kurt

Kevin D. Goodknecht Sr. [MVP]

DNSer said:
> I run a shop with W2K3 AD integrated DNS. I also host an Exchange
> 2003 server.
>
> We have a CISCO Firewall in the network and until recently I used DNS
> doctoring (aliasing) to redirect requests from my inside users for the
> publicly registered email server. In other words, I had a firewall
> rule that specified my publicly registered email server (MX), i.e.
> mail.mydomain.com, is found at mail.inside.mydomain.com. It worked
> great -- there were no problems with name resolution and email. After
> maintenance on the firewall, this DNS doctoring stopped working
> altogether.
>
> This has become a real annoyance since I have a lot of branch office
> and mobile users who visit the main office and cannot access email
> because the mail host is named differently on the inside from the
> public email name. And without changing settings in their mail client
> and/or providing a "new" address for their OWA, they cannot get to
> their email.
>
> I've troubleshot the problem with CISCO -- there's no way to recapture
> the functionality without changing hardware -- not a very practical
> solution. I've thought there may be a way to do it in DNS with the use
> of a CNAME RR. But I've also heard there may be problems using CNAME
> references for mail servers.

Tell me you aren't hosting the public zone for your public domain on your
internal DNS server, and whether the internal domain is or is not the same
name as your public domain. MX records should never give a CNAME for an SMTP
server; the MX record should give the A record name that the SMTP server
uses in its EHLO/HELO greeting.

> Does anyone have experience with this type of problem and if so, how
> did you resolve it?

I'm going to assume that the internal domain name is not the same as your
public domain. You need to create a forward lookup zone with the
fully-qualified name that you use from the external DNS server, e.g.
"mail.mydomain.com". In that zone, create one new host, leave the name field
blank and give it the internal IP of the mail server. Make sure you give
this record a TTL of 15 minutes or less, assuming 15 minutes is the minimum
time it takes for mobile users to move from the internal network to an
external network. You might even use a lower TTL, or even a 0 TTL so the
internal record does not get cached at all, but that puts extra load on your
DNS server.
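One way to build the single-name ("pinpoint") zone Kevin describes on a Windows Server 2003 DNS server, using dnscmd. This is an added example, not a command sequence from the thread; mydomain.com, the public name server name and the inside IP address are placeholders you would replace with your own values.

```batch
@echo off
rem Split-horizon zone for one public hostname on the internal
rem AD-integrated DNS server. Only mail.mydomain.com becomes authoritative
rem here, so every other name under mydomain.com still resolves through
rem the public DNS exactly as before.
rem Placeholders (assumptions, not values from the thread):
rem   ZONE      = public name of the mail server, as used in the MX record
rem   INSIDE_IP = private address of the Exchange server
rem   PUBLIC_NS = an authoritative name server for the public zone
rem   TTL       = 900 seconds, the 15-minute cap suggested above
set ZONE=mail.mydomain.com
set INSIDE_IP=192.0.2.10
set PUBLIC_NS=ns1.mydomain.com
set TTL=900

rem 1. Create the zone, AD-integrated, named after the full public hostname.
dnscmd /ZoneAdd %ZONE% /DsPrimary

rem 2. Add an A record at the zone apex ("@" here; a blank host name in the
rem    DNS MMC dialog) so the zone name itself answers with the inside IP.
rem    This must be an A record, not a CNAME: the MX target has to be a
rem    host record and should match the name Exchange sends in EHLO/HELO.
dnscmd /RecordAdd %ZONE% @ %TTL% A %INSIDE_IP%

rem 3. Check from an inside client: the answer should be the inside IP.
rem    A client that still shows the public IP has a cached answer;
rem    "ipconfig /flushdns" clears it, and the TTL bounds how long the
rem    stale answer survives once the user moves networks.
nslookup %ZONE%

rem 4. Check the public side: the MX must name a host record, so the
rem    A lookup against the public server must not print a "canonical
rem    name" line (that would mean the MX target is a CNAME).
nslookup -type=MX mydomain.com %PUBLIC_NS%
nslookup -type=A %ZONE% %PUBLIC_NS%
```

Users who travel between networks get the inside address only while their cached answer is younger than the TTL, which is why Kevin asks for 15 minutes or less.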

DNSer

I will try it, Kevin. Thanks,
-- DNSer

Kevin said:
> Tell me you aren't hosting the public zone for your public domain on your
> internal DNS server, and whether the internal domain is or is not the same
> name as your public domain. MX records should never give a CNAME for an SMTP
> server; the MX record should give the A record name that the SMTP server
> uses in its EHLO/HELO greeting.
>
> I'm going to assume that the internal domain name is not the same as your
> public domain. You need to create a forward lookup zone with the
> fully-qualified name that you use from the external DNS server, e.g.
> "mail.mydomain.com". In that zone, create one new host, leave the name field
> blank and give it the internal IP of the mail server. Make sure you give
> this record a TTL of 15 minutes or less, assuming 15 minutes is the minimum
> time it takes for mobile users to move from the internal network to an
> external network. You might even use a lower TTL, or even a 0 TTL so the
> internal record does not get cached at all, but that puts extra load on your
> DNS server.