Internal External Domain Name

Guest

I am currently running SBS2003 behind a Pix firewall and a VPN Concentrator
with NAT. I have an external registered domain name for our E-mail that
points to the external address of our SBS server.

I created a separate internal domain name for our network. Let's call it
abc.com.
Now (3 years later) I realize that I should have named it abc.local or
something else.

I want to register abc.com to prevent someone else from registering the name.

If I register abc.com, will it cause DNS problems for my internal network
users? Will it automatically know to check the local internal DNS server to
resolve to the local address, or will it potentially attempt to resolve to
the external web address?

All users have direct access to the internet through the PIX firewall.

DHCP is configured to put our internal SBS server as the primary DNS server
and an internet server as the secondary server.

I don't plan to use abc.com for any web access, or mail. I just want to
park it so it is reserved.

Our users do use the VPN client to access our network remotely, but our VPN
client is configured to connect directly to the VPN concentrator via IP
address so I am assuming that VPN should not have a problem resolving to the
internal server.

I hope my question is clear. If not please let me know if you need
additional information.

Thanks for your help.
Kevin D. Goodknecht Sr. [MVP]

AFS said:
I am currently running SBS2003 behind a Pix firewall and
a VPN Concentrator with NAT. I have an external
registered domain name for our E-mail that points to the
external address of our SBS server.

I created a separate internal domain name for our
network. Let's call it abc.com.
Now (3 years later) I realize that I should have named it
abc.local or something else.

I want to register abc.com to prevent someone else from
registering the name.

If I register abc.com, will it cause DNS problems for my
internal network users? Will it automatically know to
check the local internal DNS server to resolve to the
local address, or will it potentially attempt to resolve
to the external web address?

All users have direct access to the internet through the
PIX firewall.

DHCP is configured to put our internal SBS server as the
primary DNS server and an internet server as the
secondary server.

I don't plan to use abc.com for any web access, or mail.
I just want to park it so it is reserved.

Our users do use the VPN client to access our network
remotely, but our VPN client is configured to connect
directly to the VPN concentrator via IP address so I am
assuming that VPN should not have a problem resolving to
the internal server.

I hope my question is clear. If not please let me know
if you need additional information.

It won't cause a problem for the internal users. Internal users should never
get a direct look at the public name space. It may cause a problem for the
VPN users, since they must go through the public namespace to get to the
internal namespace. But putting the proper delegations in the public zone
will make it seamless.
Guest

Thanks for the information. I'm not sure I understand "proper delegations
in the public zone" but I am assuming that since the IP address of our VPN
concentrator is hardcoded into our VPN clients, our VPN connection will not
use the public namespace to find our network. Is this a valid assumption?

Thanks again for taking the time to help.
Kevin D. Goodknecht Sr. [MVP]

AFS said:
Thanks for the information. I'm not sure I understand
"proper delegations in the public zone" but I am assuming
that since the IP address of our VPN concentrator is
hardcoded into our VPN clients, our VPN connection will
not use the public namespace to find our network. Is
this a valid assumption?

Thanks again for taking the time to help.

This is a bad assumption. While you have the internal DNS hardcoded in the
VPN client, you must first connect to the internet before the VPN client can
connect. It is when you have made this connection that you can possibly
cache conflicting NS records for the domain name. This is what causes
connection failures to internal resources.
You can use hosts files to make sure the correct internal host addresses
are loaded in the cache. You can also make delegations in the public zone
for names in the internal DNS using the private IP of the internal DNS in
the delegation.
This delegation is useless until the VPN is connected because the
delegation is to an internal address that should not be routable over the
internet.
Of course this delegation is only as secure as your firewall is at keeping
unauthorised, unauthenticated users out.

Since you don't have a public site on this address, the only time the public
zone should be queried is for your VPN clients. I would delegate these names
in the public zone. Make these delegations to the private address.
_msdcs
_sites
_tcp
_udp

There is an article that tells you how to set this up.
Integrating Your Active Directory Namespace Into an Existing DNS
Infrastructure With Name Overlap:
http://www.microsoft.com/windows200...ios/dns04_integ_adnspace_with_nameoverlap.asp
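The two replies above recommend delegating the Active Directory subzones
(_msdcs, _sites, _tcp, _udp) from the public abc.com zone to the internal
DNS server's private address, so a VPN client that has already cached the
public NS records still ends up at the internal server for AD names. The
following script is an added example, not code from this thread or from
Microsoft: it parses a small BIND-style public zone and checks that each of
those delegations exists and that its glue address is an RFC 1918 address
rather than a public one. The zone text, the name abc.com, the internal
address 192.168.1.5 and the public mail address 203.0.113.10 are all
constructed for illustration.

```python
"""Check a public zone for a split (internal/external) namespace: the AD
subzones must be delegated, and the delegated name server's glue address
must be private (RFC 1918), as recommended in the thread.

Added example; zone contents and addresses below are constructed."""
import ipaddress
import re

# AD subzones the reply says to delegate from the public zone.
AD_SUBZONES = ("_msdcs", "_sites", "_tcp", "_udp")

# Explicit RFC 1918 ranges. ipaddress.is_private also matches documentation
# ranges such as 203.0.113.0/24, so it is not used for this check.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed BIND-style public zone for abc.com after following the advice
# (assumed layout; a registrar-hosted zone would look similar).
PUBLIC_ZONE = """\
$ORIGIN abc.com.
@        IN SOA  ns1.example-registrar.net. hostmaster.abc.com. 1 3600 900 604800 300
@        IN NS   ns1.example-registrar.net.
@        IN MX   10 mail.abc.com.
mail     IN A    203.0.113.10
_msdcs   IN NS   sbs.abc.com.
_sites   IN NS   sbs.abc.com.
_tcp     IN NS   sbs.abc.com.
_udp     IN NS   sbs.abc.com.
sbs      IN A    192.168.1.5
"""

RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|NS|MX|SOA)\s+(.+?)\s*$")


def is_rfc1918(addr):
    """True if addr lies in one of the three RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_zone(text):
    """Parse a minimal zone file into (origin, {(owner, type): [rdata, ...]}).

    Owner names are expanded to fully qualified form without the trailing dot.
    """
    origin = None
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.setdefault((owner.rstrip("."), rtype), []).append(rdata.rstrip("."))
    return origin, records


def check_delegations(text):
    """Return {subzone: "ok" | description of the problem} for each AD subzone."""
    origin, records = parse_zone(text)
    findings = {}
    for sub in AD_SUBZONES:
        name = f"{sub}.{origin}"
        ns_list = records.get((name, "NS"), [])
        if not ns_list:
            findings[sub] = "missing delegation"
            continue
        problems = []
        for ns in ns_list:
            glue = records.get((ns, "A"), [])
            if not glue:
                problems.append(f"{ns}: no glue A record")
                continue
            for addr in glue:
                # A public glue address would send VPN clients (and anyone
                # else) to a host reachable from the internet instead of the
                # internal DNS server.
                if not is_rfc1918(addr):
                    problems.append(f"{ns}: non-RFC1918 address {addr}")
        findings[sub] = "ok" if not problems else "; ".join(problems)
    return findings


if __name__ == "__main__":
    for sub, result in check_delegations(PUBLIC_ZONE).items():
        print(f"{sub:8} {result}")
```

Run it against an export of the real public zone to confirm the four
delegations are present and point only at the internal server; the script
deliberately flags the mail host's public address if it is ever used as glue
for one of the AD subzones.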