DNS- pointing to local address

ICBM

Member
Aug 17, 2000
78
0
0
To start, I know DNS is probably the most difficult thing to master in regard to IP networking. What I am trying to do is really simple, or it sounds simple.

I have a network of around 25 computers.

I have a webserver in this network, which the router forwards to.

When a local computer looks up my webpage, I want it to point to the LAN address, and not the WAN address.


That's all I want to do. If I was just using one computer, I could just edit the hosts file. I would rather not do that though, especially since some machines are laptops and travel outside the LAN. I have a machine running Windows 2003 Server. What would be neat is if the local computers could check a local DNS, and if they don't find it, go to my ISP DNS, all the while building up a DNS list locally.

I just started having problems this week. Before, all my LAN machines were using the regular ISP DNS servers without issue. However, at the beginning of this, any local machine which tried to load our webpage would load it extremely slowly. Entering the local IP, and it was near instant. Entering the WAN IP, and it's extremely slow as well. Any internet connection outside loads our page great. My solution was to have a local DNS point to the LAN address of the server, which is probably better anyway.

How can I do this? Can I use the Windows 2003 Server?
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Well, depending on your firewall you can doctor the DNS responses to change the public to private. Otherwise you can load the zone you want to alter into Windows Server and manually change the record for the server in question to point to the local IP.

Since I don't have enough public IPs to 1-to-1 NAT our servers we use PAT, which makes it so you can't do the DNS doctoring, so I use our Windows Server 2k8 DNS to load our public zone and alter the record. There might be a better way, but I needed to get it working sooner rather than later.
 

ICBM

Member
Aug 17, 2000
78
0
0
Do you think I should load the primary zone and play with that? Or is it more of a secondary zone? I don't want to screw with our main domain hosting, which I did through DynDNS, or is that not even an issue?
 

Genx87

Lifer
Apr 8, 2002
41,091
513
126
Create a zone in your DNS and add the web server's A record, but have it point internally.

Make sure you get all of the A records for this domain so you can deliver the IP addresses.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Originally posted by: ICBM
Do you think I should load the primary zone and play with that? Or is it more of a secondary zone? I don't want to screw with our main domain hosting, which I did through DynDNS, or is that not even an issue?

The point is that internal users see a different zone than external users. So you don't change anything on your external DNS hosting; you load the zone into Windows as a primary zone and alter the A records to reflect your local IPs.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Originally posted by: ICBM
To start, I know DNS is probably the most difficult thing to master in regard to IP networking. What I am trying to do is really simple, or it sounds simple.

Actually, DNS is extremely simple. There are some gotchas with things like syntax if you're editing zone files by hand, but that's about it.

What it sounds like you want is a view. You can set up a DNS server (well, you can do this with BIND, not sure about Windows DNS) so that it hands out different addresses depending on which client requests the address. So internal people would get one answer and everyone else would get another.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: ICBM
What would be neat is if the local computers could check a local DNS, and if they don't find it, go to my ISP DNS, all the while building up a DNS list locally.
....
....
How can I do this? Can I use the Windows 2003 Server?

That's how DNS in Windows Server is normally set up. ALL PCs on the network (including the DNS server itself) point to the Windows Server DNS for all lookups. If the Windows DNS can't find the address locally, then it forwards the request to an external DNS server (either the ISP's or using root servers). If you put an external DNS server in the "Forwarders" tab, then Windows Server looks there. If you leave the "Forwarders" tab blank, it uses Root Hints.

NEVER have an external (ISP) DNS server in the DNS settings on local PCs. Have them all point to the network's DNS server.

If you need local PCs to go to a LAN address for a particular web site, you can create an "A" record in the server's DNS to point them to the right place.
 

ICBM

Member
Aug 17, 2000
78
0
0
Cool, this has really helped out. I will give it a shot and let you guys know how it goes. I may not get everything finished up until Monday, but I will be sure and follow up here.
 

ICBM

Member
Aug 17, 2000
78
0
0
I have got it working nicely. I created the new zone with my domain, popped my domain in there and bingo. I then created the reverse lookup zone and pointer record so nslookup looks tidy.

Question, do I want to use Forwarders or Root Hints? I am thinking Root Hints sounds like the best choice, but I don't know if there are any kind of rules or anything.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Realize that you've now got two places to maintain that domain, one externally and one internally.

Originally posted by: ICBM
Question, do I want to use Forwarders or Root Hints? I am thinking Root Hints sounds like the best choice, but I don't know if there are any kind of rules or anything.

There are no real rules; it just depends on which servers you want to depend on.
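Genx87's "get all of the A records" and Nothinman's "two places to maintain" warnings point at the same failure mode: once the LAN server holds the domain as a primary zone it is authoritative for every name in it, so a name left out of the internal copy gets NXDOMAIN instead of being forwarded to the ISP. The audit below is an added example, not code from anyone in the thread; the zone contents are constructed, and the expected LAN range is assumed to be RFC 1918 space.

```python
import ipaddress

# Constructed sample data (not from the thread): the public zone as the
# external host serves it, and the copy loaded as a primary zone on the LAN.
EXTERNAL_ZONE = {
    "www.example.com": ["203.0.113.10"],
    "webmail.example.com": ["203.0.113.10"],
    "ftp.example.com": ["203.0.113.11"],
}
INTERNAL_ZONE = {
    "www.example.com": ["192.168.1.20"],
    "webmail.example.com": ["203.0.113.10"],  # not yet changed to the LAN IP
    # ftp.example.com is missing: LAN clients would now get NXDOMAIN for it
}

# RFC 1918 ranges; assumed to be where the LAN-hosted servers live.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan_address(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def audit_split_horizon(internal, external, lan_hosted):
    """Compare the internal primary zone against the public zone.

    Every public name must also exist internally (the LAN server answers
    NXDOMAIN for anything it does not hold).  Names in `lan_hosted` should
    answer with a private address; all other names should mirror the public
    answer so internal users reach the same hosts as everyone else.
    Returns a list of (name, problem) tuples.
    """
    findings = []
    for name, public_ips in external.items():
        if name not in internal:
            findings.append((name, "missing internally (would return NXDOMAIN)"))
            continue
        ips = internal[name]
        if name in lan_hosted:
            public_left = [ip for ip in ips if not is_lan_address(ip)]
            if public_left:
                findings.append((name, "still points to public IP " + ",".join(public_left)))
        elif sorted(ips) != sorted(public_ips):
            findings.append((name, "internal answer differs from public zone"))
    for name in internal:
        if name not in external:
            findings.append((name, "internal-only name (not resolvable from outside)"))
    return findings
```

Run it whenever the public zone changes; a non-empty result means the two copies have drifted apart.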
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Well, HTTP and HTTPS are different protocols and have nothing to do with DNS. More than likely what your DNS host is doing is hosting http://webmail.example.com with some web/proxy server and doing the redirect themselves.

It's trivial to do with Apache. I'm sure it's possible to do the same with Windows and IIS, but you'd probably have better luck getting answers on that in either the Software for Windows forum or Operating Systems.
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
Originally posted by: Nothinman

Question, do I want to use Forwarders or Root Hints? I am thinking Root Hints sounds like the best choice, but I don't know if there are any kind of rules or anything.

There are no real rules; it just depends on which servers you want to depend on.

No rules...but I would suggest using Forwarders to the DNS Servers provided by your ISP. Most queries get answered faster by the Cache on the ISP's servers than they would by going out to the Root Servers. Also, from a security perspective, it is usually recommended to use Forwarders so that your internal DNS server does not directly query anything except a trusted external DNS server (i.e. your ISP's).
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Originally posted by: seepy83
Also, from a security perspective, it is usually recommended to use Forwarders so that your internal DNS server does not directly query anything except a trusted external DNS server (i.e. your ISP's).

I would consider the root servers more reliable than any ISP's servers from a security standpoint.
 

Tsaico

Platinum Member
Oct 21, 2000
2,669
0
0
Originally posted by: RebateMonger
Originally posted by: ICBM
What would be neat is if the local computers could check a local DNS, and if they don't find it, go to my ISP DNS, all the while building up a DNS list locally.
....
....
How can I do this? Can I use the Windows 2003 Server?

That's how DNS in Windows Server is normally set up. ALL PCs on the network (including the DNS server itself) point to the Windows Server DNS for all lookups. If the Windows DNS can't find the address locally, then it forwards the request to an external DNS server (either the ISP's or using root servers). If you put an external DNS server in the "Forwarders" tab, then Windows Server looks there. If you leave the "Forwarders" tab blank, it uses Root Hints.

NEVER have an external (ISP) DNS server in the DNS settings on local PCs. Have them all point to the network's DNS server.

If you need local PCs to go to a LAN address for a particular web site, you can create an "A" record in the server's DNS to point them to the right place.

I agree with this one. Generally, I also use my local DNS server as my primary, then one of the ISP's DNS servers as a secondary in my DHCP pool. I found making sure you have your forwarder correct is a big step. It isn't too hard in Windows 2003 or 2000.
 

ICBM

Member
Aug 17, 2000
78
0
0
What I was planning to do was assign my ISP as the secondary DNS server, while having my Win2003 box as the primary. So far, everything seems to be going quicker. I may try using both root DNS and my ISP as a forwarder and see what people here in the office think. As far as security, I will do a little more research.

In regards to the webmail.example.com, I may try setting a second ip to the interface, then have the router forward 80 to 443 on that ip for the https.
 