
DNS - Access inside web server with NATed address.

17 years 1 month ago #23459 by Smurf
Yes, so in effect you'll be managing an internal DNS for your services using your public FQDN pointing to internal IP addresses, and your ISP will be managing your public FQDN pointing to your public IP addresses (which is in effect the same server).

You will just need to make sure that you add all the necessary records to your internal dns.

I.e. if you have a webserver that hosts a website, FTP site and your FH, and it's the same server hosting all this, then you would set up something like:

External DNS;

A Record for webserver.mydomain.com --> w.x.y.z (whatever your public address is)
CNAME Record for fh.mydomain.com --> webserver.mydomain.com
CNAME Record for www.mydomain.com --> webserver.mydomain.com
CNAME Record for ftp.mydomain.com --> webserver.mydomain.com

Your nat would then take w.x.y.z --> 10.10.10.10 for example;

Then Internal DNS, setup a zone for mydomain.com as follows;

A Record for webserver.mydomain.com --> 10.10.10.10
CNAME Record for fh.mydomain.com --> webserver.mydomain.com
CNAME Record for www.mydomain.com --> webserver.mydomain.com
CNAME Record for ftp.mydomain.com --> webserver.mydomain.com

It's very important that it mirrors your external records but using your internal addresses, otherwise internal hosts will lose access to something. Also, if you have a service provided by your ISP on a public IP address, you will need to make sure you add a DNS record in your internal DNS for that public IP address, otherwise your internal clients will not get to it, because your internal DNS server thinks it's responsible for the domain and will not resolve it externally.

I.e. if your ISP is hosting your www.mydomain.com domain on 2.2.2.2, make sure in your internal DNS server you add the A Record of www.mydomain.com --> 2.2.2.2

Hope it makes sense.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
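As an added illustration (not part of the thread), the two views of mydomain.com from the post above modelled in Python, with a check that the internal zone mirrors the external one after NAT translation; the addresses, the `portal` name and the NAT table are constructed placeholders, and `portal` plays the role of the ISP-hosted service on 2.2.2.2:

```python
# External (ISP-hosted) view; 203.0.113.10 stands in for the public w.x.y.z.
EXTERNAL_ZONE = {
    "webserver.mydomain.com": ("A", "203.0.113.10"),
    "fh.mydomain.com": ("CNAME", "webserver.mydomain.com"),
    "www.mydomain.com": ("CNAME", "webserver.mydomain.com"),
    "ftp.mydomain.com": ("CNAME", "webserver.mydomain.com"),
    "portal.mydomain.com": ("A", "2.2.2.2"),  # stand-in for an ISP-hosted service
}
# Internal view: same names, NATed address. 'portal' is left out on purpose
# so the mirror check below has something to catch.
INTERNAL_ZONE = {
    "webserver.mydomain.com": ("A", "10.10.10.10"),
    "fh.mydomain.com": ("CNAME", "webserver.mydomain.com"),
    "www.mydomain.com": ("CNAME", "webserver.mydomain.com"),
    "ftp.mydomain.com": ("CNAME", "webserver.mydomain.com"),
}
NAT = {"203.0.113.10": "10.10.10.10"}  # static NAT on the firewall: public -> inside

def resolve(zone, name, max_hops=8):
    """Chase CNAMEs inside one view until an A record; None means NXDOMAIN."""
    # An authoritative internal server answers NXDOMAIN for a missing name;
    # it does not fall back to the public zone, which is the failure the post warns about.
    for _ in range(max_hops):
        rec = zone.get(name)
        if rec is None:
            return None
        rtype, target = rec
        if rtype == "A":
            return target
        name = target  # CNAME: keep following
    raise RuntimeError("CNAME loop")

def mismatches(external, internal, nat):
    """Names whose internal answer is not the NAT translation of the external answer."""
    # A public IP with no NAT entry (ISP-hosted) must be answered unchanged internally.
    out = []
    for name in external:
        ext_ip = resolve(external, name)
        expected = nat.get(ext_ip, ext_ip)
        actual = resolve(internal, name)
        if actual != expected:
            out.append((name, actual, expected))
    return out

def mirror_missing(external, internal, nat):
    """Copy of the internal zone with missing records filled from the external view."""
    # A targets are translated through the NAT table; CNAME targets stay as they are.
    fixed = dict(internal)
    for name, (rtype, target) in external.items():
        if name not in fixed:
            fixed[name] = (rtype, nat.get(target, target) if rtype == "A" else target)
    return fixed
```

Running `mismatches` on the two zones reports only `portal.mydomain.com`, which internal clients could not reach; `mirror_missing` adds the record with the public address kept as-is.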
17 years 1 month ago #23485 by skepticals
That seems like a great deal of work for my situation. What do you think? Live without the internal translation?
17 years 1 month ago #23488 by Smurf
Should really have something like this configured, otherwise get internal users to access the services using your Windows 2003 domain name?

It's not that much work; it depends on how many resource records we are talking about, and usually it's not that many. In my example, you just add a domain to your DNS server (around 4 clicks), then add 4 records to it, easy :)

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 1 month ago #23489 by skepticals
Haha, easy when you know what you are doing. I will tackle this next week.

I would have to do this if we started to host our web site internally anyway, right? Because users inside would still want to use the outside address to access the web page.
17 years 1 month ago #23490 by Smurf
Yes, users would need to access the website on the internal address, hence have the DNS internally as well as externally. Internally use internal addresses, and on the external DNS use public addresses.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 1 month ago #23491 by skepticals
Do you know of any documentation on the split DNS setup for Windows 2003? This way I don't have to keep bugging you :-)