DNS with same internal and external name issues

gustaav posted this 15 February 2016

Hello, can anyone tell me what are the best practices when configuring DNS records for the same internal and external names? I have this situation now:

- Private IP: 10.1.1.1. Name: webserver.abc.com / www.abc.com
- Public IP: 190.160.130.120. Name: www.abc.com

We have both IPs registered with an “A” record in our internal DNS server. So we have 2 “A” records for the “www” name.

But we have these issues:

- On internal networks, DNS resolution is really slow when trying to access http://www.abc.com
- On internal networks, DNS resolution is fast when trying to access http://webserver
- On external networks, DNS resolution is slow when trying to access http://www.abc.com
- If we remove the “A” record of the “www” to the public IP, this happens:
  - On internal networks, DNS resolution is fast when trying to access both http://webserver and http://www.abc.com
  - On external networks, when trying to access with a domain machine, http://www.abc.com doesn’t work at all.

Basically, we wanted our URL addresses to work transparently for users. We wanted to distribute one unique URL to users, not “use this URL if you are on an internal network and use this URL if you are on an external network”.

Thanks in advance!

Anthony.Vandenbossche posted this 15 February 2016

Gustavo,

If I understand correctly, you are hosting a website on your internal network that you want users to be able to access wherever they are situated, internally or externally.

In that case, you should let Name Resolution do the work for you: internally you should create an A record for www.abc.com as well as one for abc.com (both pointing to the internal IP, or the VIP if your website is load-balanced).

Clients on the outside of the network should use ISP name resolution, both when you host your own domain and when the domain is hosted at a Hosting Provider. Therefore a www record should exist on the internet, pointing towards one of your WAN IP addresses through which clients can access resources on your network on port 80 and/or 443.

In addition, VPN/DirectAccess clients will use ISP resolution when disconnected from the corpnet, and corpnet Name Resolution when connected.

Be sure to add the necessary IIS Bindings to the website, so that IIS knows which website to render based on the host header.

Mvg,

Anthony Van den bossche
System Engineer
Anthony.Vandenbossche@xxxxxxxxxxxxxxxx
Direct: +32 (0)2 801 54 59

kurtbuff posted this 15 February 2016

What you have is called "split brain DNS". There are several
possibilities, depending on how your environment is configured.

I do have a couple of questions:
1) Is the web site in question hosted on a single machine in-house?
That is, are you using your firewall to do NAT from the outside to get
access to the machine on the inside of your perimeter?
- If the answer to 1) is that the web site is hosted off site
only, then first, why are you using an internal address to refer to an
external web site, and second, don't do that - just use the external
address in your internal DNS.
- If the answer to 1) is no, and the site is hosted in two
places, well, first of all "why?", and second, don't do that - just
put it in one place, then see the following questions.
- If the answer to 1) is that the web site is hosted on site
only, then see the following questions.

2) If the answer to 1) is yes, then is it expected that when
domain-joined machines are outside your perimeter (your firewall),
that they will still be able to get access to resources inside your
network?

3) If the answer to 2) is 'yes', how are the machines doing it -
MSFT's DirectAccess, or some other kind of VPN (usually SSL, but
possibly a mobile IPSec tunnel or L2TP/PPTP tunnel)?

4a) If the answer to 3) is MSFT's DirectAccess, then read up on making
exclusions on your DirectAccess gateway, and update the GPO that
governs the clients.

4b) If the answer to 3) is another vendor's VPN product (SSL VPN or
other as noted), then you'll want to consult with your vendor on how
to accomplish this.


Kurt


gustaav posted this 15 February 2016

Thanks for your response Anthony. I’ve tried what you mention, and when I remove the “A” record for the public IP, everything seems to work OK, but we still have one last issue, as I mentioned before: if I connect on an external network with a domain computer, it doesn’t resolve the DNS at all. I think that, because the machine is in the “abc.com” domain, it looks over “internal” and not “external”.

I don’t know if I’ve explained myself OK?


Anthony.Vandenbossche posted this 15 February 2016

Hey Gustavo,

Your Domain Computer does not have access to your company’s internal DNS servers when it’s connected to an external network (Home, Hotel, any Hotspot etc.), unless for example DirectAccess or any VPN solution is used. Therefore the Domain Computer should use the IP configuration it got from the DHCP server on the external network and perform Name Resolution on Internet DNS Servers. For example: my Computer is joined to contoso.local. I am located at a Hotel via a hotspot and I wish to connect to the website inside my corporation. My laptop would use the DNS Servers from the ISP to resolve the Public IP address that you configured, so that requests are directed towards your Firewall and through there towards the IIS Webserver.

To summarize:

On the corporate network: Client >> DNS Request towards corporate DNS Servers for www.abc.com >> DNS Server returns A record >> Client accesses IIS webserver on binding www.abc.com

Note: in your example you use abc.com as a Domain Name. If in fact your AD Domain Name is the same as the website address, no split brain is needed. If you have a domain abc.local, split brain would be needed to resolve abc.com as well internally.

On the external network: Client >> DNS Request towards Router Gateway and forwarded to Internet DNS Servers for www.abc.com >> WAN/Public IP address returned >> Client directed to the Firewall of your corporation >> Request forwarded to the Web Server >> Client accesses website.

Note: requirements here are that you have a Public DNS record for your website that points to your Firewall and that the necessary firewalling, NATting, Reverse Proxying is performed to be able to access the webserver.

Seems to me that you did not configure a Public DNS record for the website (and/or did not perform the necessary “networking” to make your website accessible publicly).

Mvg,

Anthony Van den bossche
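The two resolution paths Anthony summarizes above, together with the double-A-record situation from the original question, modelled as a small added example (this is not code from the thread; the zone data is constructed from the addresses the poster gave, and the "corpnet" vs. external location switch is an assumption standing in for which DNS servers a client actually reaches):

```python
import ipaddress
from typing import Dict, List

Zone = Dict[str, List[str]]  # name -> list of A record addresses

# Constructed sample data mirroring the thread's values; not real zone files.
INTERNAL_ZONE: Zone = {
    "www.abc.com": ["10.1.1.1", "190.160.130.120"],  # the two A records the poster started with
    "webserver.abc.com": ["10.1.1.1"],
}
PUBLIC_ZONE: Zone = {"www.abc.com": ["190.160.130.120"]}


def resolve(name: str, location: str, internal: Zone = INTERNAL_ZONE,
            public: Zone = PUBLIC_ZONE) -> List[str]:
    """Return the A records a client would get: on the corpnet it asks the
    corporate DNS (internal view); anywhere else it asks Internet DNS (public view).
    A domain-joined laptop in a hotel without VPN/DirectAccess counts as external."""
    zone = internal if location == "corpnet" else public
    return zone.get(name, [])


def audit_split_brain(internal: Zone, public: Zone, names: List[str]) -> List[str]:
    """Flag the misconfigurations discussed in the thread for each public-facing name."""
    findings = []
    for name in names:
        int_addrs = [ipaddress.ip_address(a) for a in internal.get(name, [])]
        pub_addrs = [ipaddress.ip_address(a) for a in public.get(name, [])]
        # Internal view that mixes RFC1918 and public addresses: internal clients
        # may be handed an address only reachable by going out through the firewall.
        if any(a.is_private for a in int_addrs) and any(not a.is_private for a in int_addrs):
            findings.append(f"{name}: internal view mixes private and public A records")
        # No public record: external and roaming domain-joined clients cannot resolve it.
        if not pub_addrs:
            findings.append(f"{name}: no public A record")
        # A private address published to the Internet is unreachable for outsiders.
        if any(a.is_private for a in pub_addrs):
            findings.append(f"{name}: public view leaks a private address")
    return findings


if __name__ == "__main__":
    for f in audit_split_brain(INTERNAL_ZONE, PUBLIC_ZONE, ["www.abc.com"]):
        print("FINDING:", f)
```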

gustaav posted this 15 February 2016

Thanks for your response Anthony, and thanks Kurt also for your response.

Both of your answers made me think about the reason there was an “A” record in our DNS pointing to the public IP. Someone added it before for some reason and I don’t know why. But by deleting this record everything works well now.

 

Thanks again!

 

Gustavo
