Is this a split / shadow situation resolving non-routable IPs without DNS authority?

John Sitka

Hi,

Active Directory root zone is abccompany.com inside the firewall.
This (these) DNS server then uses forwarders to resolve Internet names.
But I need to resolve names for the DMZ web server abc-company.com,
which has the authoritative DNS server in the DMZ for abc-company.com.

So from an Internet browser, www.abc-company.com resolves fine to a static Internet IP
(our web server).
From behind the firewall I need to resolve www.abc-company.com to a non-routable IP,
192.168.x.x. This can be accomplished by each LAN PC having an appropriate hosts entry,
but I would rather have these entries statically resolved by the internal DNS server.

The goal here is to have the external website resolve the same way from a client on the internet
as from clients behind the firewall.

I accidentally showed a fellow how conditional redirection could be used to make this work.
Now there are so many different ASP redirection pages I can't maintain these external virtual webs
without screaming.


externally
www.abc-company.com
www.def-company.com
www.ghi-company.com

all resolved by authoritative DNS in the DMZ to static Internet IPs

internally behind the firewall
www.abc-company.com 192.168.0.10
www.def-company.com 192.168.0.20
www.ghi-company.com 192.168.0.30

thanks
 
Ace Fekay [MVP]

John Sitka said:
Hi,

Active Directory root zone is abccompany.com inside the firewall.
This (these) DNS server then uses forwarders to resolve Internet
names. But I need to resolve names for the DMZ web server abc-company.com,
which has the authoritative DNS server in the DMZ for
abc-company.com.
So from an Internet browser, www.abc-company.com resolves fine to a
static Internet IP (our web server).
From behind the firewall I need to resolve www.abc-company.com to a
non-routable IP, 192.168.x.x. This can be accomplished by each LAN PC
having an appropriate hosts entry, but I would rather have these
entries statically resolved by the
internal DNS server.
The goal here is to have the external website resolve the same way
from a client on the internet as from clients behind the firewall.

I accidentally showed a fellow how conditional redirection could be
used to make this work. Now there are so many different ASP redirection
pages I can't
maintain these external virtual webs without screaming.


externally
www.abc-company.com
www.def-company.com
www.ghi-company.com

all resolved by authoritative DNS in the DMZ to static Internet IPs

internally behind the firewall
www.abc-company.com 192.168.0.10
www.def-company.com 192.168.0.20
www.ghi-company.com 192.168.0.30

thanks

Confusion: Is the internal "abccompany.com" or "abc-company.com"?

I'm going to assume both are abc-company.com since you refer to that name
multiple times.

I wouldn't use hosts files. It's tedious. Under your internal
abc-company.com zone just create a www entry and provide the internal
private IP of the webserver. This will work assuming you are only using the
internal DNS servers for all internal machines (as it should be with an AD
infrastructure).

--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...
 
John Sitka

Wow, thanks for the help in this and the other group; I really feel I'm making progress.
Internal is abccompany.com.
External is abc-company.com; the DNS server for abc-company.com is in our DMZ as well as that web host.
(This is the single example; in reality there are multiple externals: def-company.com, ghi-company.com.)

nodash = INTERNAL AD
dash = EXTERNAL

There are two AD DCs, each with a DNS server and each containing AD-integrated zones for abccompany.com (the internal LAN domain).

Both of these use forwarders to our ISP's DNS. There are some here who get Internet access, some who use a proxy and some
who get none.

So if an internal client needs to get to the DMZ-located web server, they can get there with no name via 192.168.0.10.
If they request www.abc-company.com it won't work, because that would go first to the ISP's DNS, which would find the external-facing
IP,
which not everybody is allowed to go to. So rather than make a bunch of left-turn routing rules on the firewalls, I just need
to have the internal DNS serve up www.abc-company.com as 192.168.0.10...

When I said you gave me a clue in the other thread, delegate, this is what I came up with.
It may be wrong in a lot of ways, but I'm hoping it will help in the understanding.



On internal DNS:
put in a new zone abc-company.com (external), then right-click that zone -> New Delegation
and use the wizard to point it to the actual authoritative nameserver in the DMZ for abc-company.com.
Then
include another zone called www.abc-company.com with no names (data) and a single
entry 192.168.0.10.

The idea is the internal nameserver answers for www.abc-company.com ONLY, and only
for the clients who use the DC DNS server pair.

All other abc-company.com requests, mail.abc-company.com for example, would be handled by
the authoritative DNS server for abc-company.com.

The first part is called delegation. (thanks to ACE FEKAY)

The second part is called a split-brain DNS. Two DNS servers both with the same name for the zone, and both primary,
but ONE is extremely limited, even to the point of a single range which is in effect a single host!! and serving
a small group of clients. The other is out on the WEB and handles ALL other requests, even ones from
internal clients via forwarding.
 
John Sitka

Just to clarify, this is where I'm in the dark about how this works.

I don't know how a zone and a host can result in the same thing, because www is indeed a RR, but I keep reading that it will somehow
work out. I guess I need to try it and see; not my authority though, so I have to come up with the plan first before I present
it.
 
Ace Fekay [MVP]

John Sitka said:
Just to clarify, this is where I'm in the dark about how this works.

I don't know how a zone and a host can result in the same thing,
because www is indeed a RR, but I keep reading that it will somehow
work out. I guess I need to try it and see; not my authority though,
so I have to come up with the plan first before I present it.

John,

No prob for the help. This is not really a split zone at all. But if you
want to get to it internally because you are hosting the website internally
(the web server is on a private IP), then you will have to create the
external zone internally and give it the internal private IP. No way really
around that for the inside folks.

Hosts files are dinosaurs. :) DNS was designed as a database of names to IP,
or the reverse, to replace hosts files.

Ace
 
Ace Fekay [MVP]

John Sitka said:
Wow, thanks for the help in this and the other group; I really feel I'm
making progress. Internal is abccompany.com.
External is abc-company.com; the DNS server for abc-company.com is in our
DMZ as well as that web host. (This is the single example; in reality
there are multiple externals: def-company.com, ghi-company.com.)
nodash = INTERNAL AD
dash = EXTERNAL

There are two AD DCs, each with a DNS server and each containing
AD-integrated zones for abccompany.com (the internal LAN domain).
Both of these use forwarders to our ISP's DNS. There are some here
who get Internet access, some who use a proxy and some who get none.

So if an internal client needs to get to the DMZ-located web server,
they can get there with no name via 192.168.0.10. If they request
www.abc-company.com it won't work, because that would
go first to the ISP's DNS, which would find the external-facing IP,
which not everybody is allowed to go to. So rather than make a bunch
of left-turn routing rules on the firewalls, I just need to have the
internal DNS serve up www.abc-company.com as
192.168.0.10...
When I said you gave me a clue in the other thread, delegate, this is
what I came up with. It may be wrong in a lot of ways, but I'm hoping it
will help in the
understanding.


On internal DNS:
put in a new zone abc-company.com (external), then right-click that
zone -> New Delegation and use the wizard to point it to the actual
authoritative nameserver
in the DMZ for abc-company.com. Then
include another zone called www.abc-company.com with no names (data)
and a single entry 192.168.0.10.

The idea is the internal nameserver answers for www.abc-company.com
ONLY, and only for the clients who use the DC DNS server pair.

All other abc-company.com requests, mail.abc-company.com for example,
would be handled by the authoritative DNS server for abc-company.com.

The first part is called delegation. (thanks to ACE FEKAY)

The second part is called a split-brain DNS. Two DNS servers both with the
same name for the zone, and both primary, but ONE is extremely limited, even
to the point of a single range
which is in effect a single host!! and serving a small group of clients.
The other is out on the WEB and handles ALL
other requests, even ones from internal clients via forwarding.

Well, it is kind of a split zone, but we usually use that term to indicate the
AD zone is the same as the public domain name. That is not your case, but
you need to provide a way for your internal folks to get to the website
using the private IP, so in essence it becomes a split zone. In this
scenario you won't need a delegation, just manually creating the external
zone name internally.

Make sense?

Ace
 
John Sitka

Ace Fekay [MVP] said:
Well, it is kind of a split zone, but we usually use that term to indicate the AD zone is the same as the public domain name. That
is not your case, but you need to provide a way for your internal folks to get to the website using the private IP, so in essence
it becomes a split zone. In this scenario you won't need a delegation, just manually creating the external zone name internally.

Make sense?

Ace

Are you kidding me! I'm so amped over this I can't tell you.

A perfect learning experience....
make mistakes, keep trying, get mad, keep asking, keep reading.

And the motivation came from a pure gut feeling that there is no way we should be having to chop
up or enhance these websites just so they both work inside and outside. It just seemed like
a stupid way to solve a simple problem.

Last night, before I read your reply, I went to see our IT guy; he was messing around with
those redirectors in ASP code I was talking about, moving websites around etc.
I said, "Did you read my DNS email?"
He said he didn't try it because I wrote it was "untested."
I kind of laughed and explained I don't have a similar network topography back at my apartment,
so I thought we (meaning him) would be excited to test it at the enterprise.

Anyway, after some practice/testing working together with less critical zones, we got it working, created a dozen or so zones
that resolved to a single IP, and there we go: hundreds of hours in accrued work and maintenance saved.

Ace, you understood this post exactly, and I quickly found out that a delegation was not required,
just manually creating the external zone name internally.

And that's all it took.

I never saw it all these years (dealing with DNS is a twice-yearly event for me, at most)
because I didn't piece together how an unnamed A RR would resolve to an IP.


Thanks.
 
the principal

There is one slight clarification that just came to me.

Ace says:

-- just manually creating the external zone name internally.

true....

But the thought process and hurdle I couldn't get over was that the
goal here wasn't to resolve 123.www.abc-company.com or
456.www.abc-company.com or 789.www.abc-company.com etc., which fits the
idea of a zone. The goal was just a single end point,
www.abc-company.com, hence the single unnamed A record in the zone
www.abc-company.com works.


New Zone via wizard: Primary, www.abc-company.com
Right-click the newly created zone -> New Host
Name -> blank
IP -> 192.168.0.10
"Are you sure you want to create the record with a blank name?"

Yes please

Result: Record type A, Name = (same as parent folder), Data = 192.168.0.10
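The same steps scripted for all three sites, as an added example that is not from the thread (the posters used the DNS MMC wizard). It assumes the DnsServer PowerShell module (Windows Server 2012 or later) is available and that the script runs on one of the two AD DCs that host DNS; the hostnames and private IPs are the ones given in the thread, the replication scope and TTL are assumptions.

```powershell
# Added example: one primary zone per public hostname, each holding only a
# blank-name (apex) A record with the private DMZ address. This mirrors the
# thread's "New Zone -> New Host with blank name" procedure.
#Requires -Modules DnsServer

# Hostnames and private addresses from the thread.
$internalSites = @{
    'www.abc-company.com' = '192.168.0.10'
    'www.def-company.com' = '192.168.0.20'
    'www.ghi-company.com' = '192.168.0.30'
}

foreach ($fqdn in $internalSites.Keys) {
    $privateIp = $internalSites[$fqdn]

    # Create the zone only if a previous run has not already done so.
    if (-not (Get-DnsServerZone -Name $fqdn -ErrorAction SilentlyContinue)) {
        # The zone name IS the hostname, so this server never answers for any
        # other name under abc-company.com; mail.abc-company.com still goes
        # out through the forwarders to the authoritative DMZ server.
        # ReplicationScope Domain (assumed): AD-integrated, so the second DC
        # gets the zone automatically. DynamicUpdate None: no client or DHCP
        # registration can add records to this single-purpose zone.
        Add-DnsServerPrimaryZone -Name $fqdn -ReplicationScope Domain -DynamicUpdate None
    }

    # "@" is the zone apex, i.e. the blank-name record the wizard warns about,
    # shown in the MMC as "(same as parent folder)".
    $existing = Get-DnsServerResourceRecord -ZoneName $fqdn -Name '@' -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $fqdn -Name '@' -IPv4Address $privateIp -TimeToLive (New-TimeSpan -Hours 1)
    }
}

# Verification: every query against this DC must return the private address.
# Run the same Resolve-DnsName from a LAN client that uses the DC pair for
# DNS; a query sent to the DMZ server or a public resolver must still return
# the public address, which is the "same name, two views" split-brain result.
foreach ($fqdn in $internalSites.Keys) {
    $answer = (Resolve-DnsName -Name $fqdn -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction SilentlyContinue).IPAddress
    if ($answer -ne $internalSites[$fqdn]) {
        Write-Warning "$fqdn resolved to '$answer', expected $($internalSites[$fqdn])"
    } else {
        Write-Host "$fqdn -> $answer (internal view OK)"
    }
}
```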
 
Ace Fekay [MVP]

the principal said:
There is one slight clarification that just came to me.

Ace says:

-- just manually creating the external zone name internally.

true....

But the thought process and hurdle I couldn't get over was that the
goal here wasn't to resolve 123.www.abc-company.com or
456.www.abc-company.com or 789.www.abc-company.com etc., which fits the
idea of a zone. The goal was just a single end point,
www.abc-company.com, hence the single unnamed A record in the zone
www.abc-company.com works.


New Zone via wizard: Primary, www.abc-company.com
Right-click the newly created zone -> New Host
Name -> blank
IP -> 192.168.0.10
"Are you sure you want to create the record with a blank name?"

Yes please

Result: Record type A, Name = (same as parent folder), Data =
192.168.0.10

For a single record like www.something.com, creating that as a zone and
creating a blank-named entry is the easiest way to do it.

:)

Ace
 
Ace Fekay [MVP]

John Sitka said:
Are you kidding me! I'm so amped over this I can't tell you.

A perfect learning experience....
make mistakes, keep trying, get mad, keep asking, keep reading.

And the motivation came from a pure gut feeling that there is no way we
should be having to chop up or enhance these websites just so they both
work inside and
outside. It just seemed like a stupid way to solve a simple problem.

Last night, before I read your reply, I went to see our IT guy; he was
messing around with those redirectors in ASP code I was talking about,
moving websites
around etc. I said, "Did you read my DNS email?"
He said he didn't try it because I wrote it was "untested."
I kind of laughed and explained I don't have a similar network topography
back at my apartment, so I thought we (meaning him) would be excited to
test it at the
enterprise.
Anyway, after some practice/testing working together with less critical
zones, we got it working, created a dozen or so zones that resolved
to a single IP, and there we go: hundreds of hours in accrued work and
maintenance saved.
Ace, you understood this post exactly, and I quickly found out that a
delegation was not required.

And that's all it took.

I never saw it all these years (dealing with DNS is a twice-yearly
event for me, at most) because I didn't piece together how an unnamed A
RR would resolve to
an IP.

Thanks.

It's amazing how the solution can be so simple, but very easily overlooked.

My pleasure, John. Glad to help out.

Now go and relax with a Crown on the rocks, or a martini or something...

:)

Ace
 