DNS Delegation for internal and external domains
Recently I had a DNS problem with one of my domains. I had been hosting some of my personal stuff for the company I work for. Due to various reasons, I ended up moving the DNS administration and email functions of my site to godaddy.com. However, this site was still hosted at my primary place of business. This led to an interesting DNS problem. Because the web server is sitting behind the firewall with a private address, I can't access the server via it's public address. Therefore if I am inside my company's lan, then I need beyondpictures.com and www.beyondpictures.com to resolve to an internal address. If I am outside the company, then I need all entries for the domain (mail, www, etc.) to return the normal external address. The latter part is not a problem. It's getting it to work internally that was the issue. I tried to set up a primary domain on our internal server, but I don't want maintain the list of external subdomains in two places. Basically, I wanted to set up a few internal subdomains, and delegate ALL OTHERS to the external DNS server. Unfortunately, delegating a wildcard subdomain (*) does not work. The solution was to set up an internal domain and within that domain, delegations for all subdomains I wanted to return external records. It's not perfect, because if I add another subdomain, I have to add another delegation internally, but at least I don't have to maintain the addresses in two different places. Below is my post copied from groups.google.com, the microsoft.public.windows.server.dns group:
Do I use delgation records for this?
All 6 messages in topic - view as tree
From: rolf...@gmail.com - view profile
Date: Mon, Mar 20 2006 1:30 pm
Email: rolf...@gmail.com
Groups: microsoft.public.windows.server.dns
Not yet rated
Rating:
show options
Reply | Reply to Author | Forward | Print | Individual Message | Show original | Remove | Report Abuse | Find messages by this author
I am not a DNS expert by any means. I am trying to figure out how to
accomplish something. I have a web server on my local lan. If I want
to get the the web site, I type www.abc.com, and my internal dns server
resolves that to 10.x.x.x (private address). However, only www is
hosted internally. The mail system for this domain is handled outside
the company, and the authoritative zone is outside the company.
Because I can't access the external interface of the website from the
lan due to the way it is nat'd through the firewall, I need to be able
to have www return a 10.x.x.x address and everything else use the
actual authoritative dns server and return a public IP address.
Currently I have a primary zone for abc.com on my internal DNS server
that handles www. I then tried to add a * delegation record to point
everything else to the external (authoritative) DNS server. Am I going
about this the right way? It doesn't seem to work.
Reply
From: Herb Martin - view profile
Date: Mon, Mar 20 2006 3:36 pm
Email: "Herb Martin"
Groups: microsoft.public.windows.server.dns
Not yet rated
Rating:
show options
Reply | Reply to Author | Forward | Print | Individual Message | Show original | Report Abuse | Find messages by this author
No.
wrote in message
news:1142886633.708835.91070@e56g2000cwe.googlegroups.com...
>I am not a DNS expert by any means. I am trying to figure out how to
> accomplish something. I have a web server on my local lan. If I want
> to get the the web site, I type www.abc.com, and my internal dns server
> resolves that to 10.x.x.x (private address). However, only www is
> hosted internally. The mail system for this domain is handled outside
> the company, and the authoritative zone is outside the company.
Do you have the zone BOTH inside and outside OR JUST outside?
If you have it in both places (Shadow DNS) then you much add
EVERY external record to the Internal version of the zone.
If you ONLY wish to support a (small) subset of the external
records with DIFFERENT answers (i.e., internal addresses)
then you create an INTERNAL ZONE for the ACTUAL NAME
(nothing gets delegated even in this case.)
So the zone for www.abc.com would be that ENTIRE name including
the www portion.
You would then create a BLANK name address records (because the
www part is already in the zone name) and give it the Address
of the web server.
What you end up with using this scheme is a separate (undelegated)
zone for every record you wish to override.
> Because I can't access the external interface of the website from the
> lan due to the way it is nat'd through the firewall, I need to be able
> to have www return a 10.x.x.x address and everything else use the
> actual authoritative dns server and return a public IP address.
> Currently I have a primary zone for abc.com on my internal DNS server
> that handles www. I then tried to add a * delegation record to point
> everything else to the external (authoritative) DNS server. Am I going
> about this the right way? It doesn't seem to work.
No, in this case you are using SHADOW DNS where you must
add every* record from the external zoned to the Internal version
of the zone (* if you wish internal users to use that record/resource.)
You have two versions of the domain (used to prevent the internal
records from 'leaking' out onto the Internet but while still allowing
internal users to resolve BOTH internal and external records.)
Just make ALL of those records you wish internal users to be able
to access.
Usually it's not many -- Web, SMTP, maybe EMail etc.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Reply Rate this post: Text for clearing space
From: rolf...@gmail.com - view profile
Date: Mon, Mar 20 2006 4:18 pm
Email: rolf...@gmail.com
Groups: microsoft.public.windows.server.dns
Not yet rated
Rating:
show options
Reply | Reply to Author | Forward | Print | Individual Message | Show original | Remove | Report Abuse | Find messages by this author
Thanks for your response. I had thought of this approach, and it is
probably the direction I will go. The drawback I can see from this,
however, is that I will not able to access abc.com internally, only
www.abc.com. This is not a huge deal, but it would be nice to do both.
This is why I was wondering if I could actually create the primary
zone for abc.com internally, then add both blank and www records that
point to the internal address of the web server, and tell it for
everything else, use a different external dns server.
I do not manage any external records for this domain - all queries made
from the internet will be handled by the external third-party.
Reply
From: Herb Martin - view profile
Date: Mon, Mar 20 2006 7:09 pm
Email: "Herb Martin"
Groups: microsoft.public.windows.server.dns
Not yet rated
Rating:
show options
Reply | Reply to Author | Forward | Print | Individual Message | Show original | Report Abuse | Find messages by this author
wrote in message
news:1142896733.445372.145070@e56g2000cwe.googlegroups.com...
> Thanks for your response. I had thought of this approach, and it is
> probably the direction I will go. The drawback I can see from this,
> however, is that I will not able to access abc.com internally, only
> www.abc.com.
If you are NOT running Active Directory then the Shadow
DNS (you seem to be using) with two versions of the zone
WILL allow you to get to the abc.com server without a
computer specific (left) tag.
With AD, the problem is NOT DNS but rather than ALL
DCs register the bare-base name and so they interfere
with using that name (e.g., for a web server) and so people
must type the full (prefixed) name.
Not a big deal since with modern browsers you just teach
people to type "abc" and let the browser prefix
and suffix the extra stuff.
> This is not a huge deal, but it would be nice to do both.
> This is why I was wondering if I could actually create the primary
> zone for abc.com internally, then add both blank and www records that
> point to the internal address of the web server, and tell it for
> everything else, use a different external dns server.
Yes, you certainly can do that -- you have abc.com internall
it is called Shadow (aka Split) DNS.
BUT the DCs for Active Directory are the issue for most
people (on these newsgroups.)
> I do not manage any external records for this domain - all queries made
> from the internet will be handled by the external third-party.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
- Hide quoted text -
- Show quoted text -
Reply Rate this post: Text for clearing space
From: rolf...@gmail.com - view profile
Date: Fri, Mar 24 2006 7:49 am
Email: rolf...@gmail.com
Groups: microsoft.public.windows.server.dns
Not yet rated
Rating:
show options
Reply | Reply to Author | Forward | Print | Individual Message | Show original | Remove | Report Abuse | Find messages by this author
It is not an AD integrated zone, so under normal circumstances, yes,
abc.com and www.abc.com would not be a problem. However, if I
understood your previoius post you were suggesting to make zones for
each subdomain I wanted private addresses for (www.abc.com,
mail.abc.com, etc.) Then everything else would be handled by the
outside dns server. If this is the case, then I have no internal zone
for abc.com, and therefore have no inside zone to add a record to point
to abc.com - when someone types that in internally it will resolve the
external address and therefore they can't get to it.
Sorry if I am just being too much of a newbie - I am not familliar with
Shadow, or Split DNS. Is this just a logical term, or is it set up in
Windows DNS specifically to be a shadow or split DNS with some option
somewhere?
Reply
From: rolf...@gmail.com - view profile
Date: Fri, Mar 24 2006 9:01 am
Email: rolf...@gmail.com
Groups: microsoft.public.windows.server.dns
Not yet rated
Rating:
show options
Reply | Reply to Author | Forward | Print | Individual Message | Show original | Remove | Report Abuse | Find messages by this author
Ok, here is my solution - create a primary zone for abc.com and create
delegated subdomains (not additional zones) for each record that I want
handled externally. Then I create my own A, cname, or other records
inside the zone for records I want handled internally. This seems to
work OK. I just wish I could get a wildcard delegation to work.
At least this way I don't have to maintain a copy of all of the
external records and update them when they change. This also keeps my
own DNS cleaner, as I only have one zone with delegated subdomains as
opposed to multiple zones. I will have to create a delegation record
each time soemthing is added to the external zone however.
Do I use delgation records for this?
All 6 messages in topic - view as tree
From: rolf...@gmail.com - view profile
Date: Mon, Mar 20 2006 1:30 pm
Email: rolf...@gmail.com
Groups: microsoft.public.windows.server.dns
Not yet rated
Rating:
show options
Reply | Reply to Author | Forward | Print | Individual Message | Show original | Remove | Report Abuse | Find messages by this author
I am not a DNS expert by any means. I am trying to figure out how to
accomplish something. I have a web server on my local lan. If I want
to get the the web site, I type www.abc.com, and my internal dns server
resolves that to 10.x.x.x (private address). However, only www is
hosted internally. The mail system for this domain is handled outside
the company, and the authoritative zone is outside the company.
Because I can't access the external interface of the website from the
lan due to the way it is nat'd through the firewall, I need to be able
to have www return a 10.x.x.x address and everything else use the
actual authoritative dns server and return a public IP address.
Currently I have a primary zone for abc.com on my internal DNS server
that handles www. I then tried to add a * delegation record to point
everything else to the external (authoritative) DNS server. Am I going
about this the right way? It doesn't seem to work.
Reply
From: Herb Martin - view profile
Date: Mon, Mar 20 2006 3:36 pm
Email: "Herb Martin"
Groups: microsoft.public.windows.server.dns
Not yet rated
Rating:
show options
Reply | Reply to Author | Forward | Print | Individual Message | Show original | Report Abuse | Find messages by this author
No.
news:1142886633.708835.91070@e56g2000cwe.googlegroups.com...
>I am not a DNS expert by any means. I am trying to figure out how to
> accomplish something. I have a web server on my local lan. If I want
> to get the the web site, I type www.abc.com, and my internal dns server
> resolves that to 10.x.x.x (private address). However, only www is
> hosted internally. The mail system for this domain is handled outside
> the company, and the authoritative zone is outside the company.
Do you have the zone BOTH inside and outside OR JUST outside?
If you have it in both places (Shadow DNS) then you much add
EVERY external record to the Internal version of the zone.
If you ONLY wish to support a (small) subset of the external
records with DIFFERENT answers (i.e., internal addresses)
then you create an INTERNAL ZONE for the ACTUAL NAME
(nothing gets delegated even in this case.)
So the zone for www.abc.com would be that ENTIRE name including
the www portion.
You would then create a BLANK name address records (because the
www part is already in the zone name) and give it the Address
of the web server.
What you end up with using this scheme is a separate (undelegated)
zone for every record you wish to override.
> Because I can't access the external interface of the website from the
> lan due to the way it is nat'd through the firewall, I need to be able
> to have www return a 10.x.x.x address and everything else use the
> actual authoritative dns server and return a public IP address.
> Currently I have a primary zone for abc.com on my internal DNS server
> that handles www. I then tried to add a * delegation record to point
> everything else to the external (authoritative) DNS server. Am I going
> about this the right way? It doesn't seem to work.
No, in this case you are using SHADOW DNS where you must
add every* record from the external zoned to the Internal version
of the zone (* if you wish internal users to use that record/resource.)
You have two versions of the domain (used to prevent the internal
records from 'leaking' out onto the Internet but while still allowing
internal users to resolve BOTH internal and external records.)
Just make ALL of those records you wish internal users to be able
to access.
Usually it's not many -- Web, SMTP, maybe EMail etc.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Reply Rate this post: Text for clearing space
From: rolf...@gmail.com - view profile
Date: Mon, Mar 20 2006 4:18 pm
Email: rolf...@gmail.com
Groups: microsoft.public.windows.server.dns
Not yet rated
Rating:
show options
Reply | Reply to Author | Forward | Print | Individual Message | Show original | Remove | Report Abuse | Find messages by this author
Thanks for your response. I had thought of this approach, and it is
probably the direction I will go. The drawback I can see from this,
however, is that I will not able to access abc.com internally, only
www.abc.com. This is not a huge deal, but it would be nice to do both.
This is why I was wondering if I could actually create the primary
zone for abc.com internally, then add both blank and www records that
point to the internal address of the web server, and tell it for
everything else, use a different external dns server.
I do not manage any external records for this domain - all queries made
from the internet will be handled by the external third-party.
Reply
From: Herb Martin - view profile
Date: Mon, Mar 20 2006 7:09 pm
Email: "Herb Martin"
Groups: microsoft.public.windows.server.dns
Not yet rated
Rating:
show options
Reply | Reply to Author | Forward | Print | Individual Message | Show original | Report Abuse | Find messages by this author
news:1142896733.445372.145070@e56g2000cwe.googlegroups.com...
> Thanks for your response. I had thought of this approach, and it is
> probably the direction I will go. The drawback I can see from this,
> however, is that I will not able to access abc.com internally, only
> www.abc.com.
If you are NOT running Active Directory then the Shadow
DNS (you seem to be using) with two versions of the zone
WILL allow you to get to the abc.com server without a
computer specific (left) tag.
With AD, the problem is NOT DNS but rather than ALL
DCs register the bare-base name and so they interfere
with using that name (e.g., for a web server) and so people
must type the full (prefixed) name.
Not a big deal since with modern browsers you just teach
people to type "abc
and suffix the extra stuff.
> This is not a huge deal, but it would be nice to do both.
> This is why I was wondering if I could actually create the primary
> zone for abc.com internally, then add both blank and www records that
> point to the internal address of the web server, and tell it for
> everything else, use a different external dns server.
Yes, you certainly can do that -- you have abc.com internall
it is called Shadow (aka Split) DNS.
BUT the DCs for Active Directory are the issue for most
people (on these newsgroups.)
> I do not manage any external records for this domain - all queries made
> from the internet will be handled by the external third-party.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
- Hide quoted text -
- Show quoted text -
Reply Rate this post: Text for clearing space
From: rolf...@gmail.com - view profile
Date: Fri, Mar 24 2006 7:49 am
Email: rolf...@gmail.com
Groups: microsoft.public.windows.server.dns
Not yet rated
Rating:
show options
Reply | Reply to Author | Forward | Print | Individual Message | Show original | Remove | Report Abuse | Find messages by this author
It is not an AD integrated zone, so under normal circumstances, yes,
abc.com and www.abc.com would not be a problem. However, if I
understood your previoius post you were suggesting to make zones for
each subdomain I wanted private addresses for (www.abc.com,
mail.abc.com, etc.) Then everything else would be handled by the
outside dns server. If this is the case, then I have no internal zone
for abc.com, and therefore have no inside zone to add a record to point
to abc.com - when someone types that in internally it will resolve the
external address and therefore they can't get to it.
Sorry if I am just being too much of a newbie - I am not familliar with
Shadow, or Split DNS. Is this just a logical term, or is it set up in
Windows DNS specifically to be a shadow or split DNS with some option
somewhere?
Reply
From: rolf...@gmail.com - view profile
Date: Fri, Mar 24 2006 9:01 am
Email: rolf...@gmail.com
Groups: microsoft.public.windows.server.dns
Not yet rated
Rating:
show options
Reply | Reply to Author | Forward | Print | Individual Message | Show original | Remove | Report Abuse | Find messages by this author
Ok, here is my solution - create a primary zone for abc.com and create
delegated subdomains (not additional zones) for each record that I want
handled externally. Then I create my own A, cname, or other records
inside the zone for records I want handled internally. This seems to
work OK. I just wish I could get a wildcard delegation to work.
At least this way I don't have to maintain a copy of all of the
external records and update them when they change. This also keeps my
own DNS cleaner, as I only have one zone with delegated subdomains as
opposed to multiple zones. I will have to create a delegation record
each time soemthing is added to the external zone however.
posted by Josh at 2:22 PM
0 comments
