Internal to external DNS issues

    #370581
    ChurchillBlair
    Participant

    Hi everyone, I’m trying to get my head around this issue – I would like to be able to put “http://domain.com” into a web browser and have it resolve to “http://www.domain.com” but currently it does not INSIDE my network… outside my network it does.

    Internally my servers host mail.domain.com and helpdesk.domain.com, but we use an external web host for http://www.domain.com

    Here’s my domain.com.zone file:

    $TTL 14400
    domain.com. IN SOA password.domain.com. postmaster.domain.com. (
    2007112027 ; serial
    3h ; refresh
    1h ; retry
    1w ; expiry
    1h ) ; minimum
    domain.com. IN NS password.domain.com.
    domain.com. IN NS password2.domain.com.
    domain.com. IN NS ca1.ny.towerstream.com.
    domain.com. IN NS ca2.ny.towerstream.com.
    domain.com. IN A 10.0.1.11
    password IN A 10.0.1.11
    ldap IN CNAME password
    powerschool IN A 10.0.1.6
    password2 IN A 10.0.1.12
    ms IN A 10.0.1.14
    hs IN A 10.0.1.15
    library IN A 10.0.1.2
    helpdesk IN A 10.0.1.101
    es IN A 10.0.1.13
    www IN A xxx.xxx.xxx.xxx
    mail IN A 10.0.1.111
    domain.com. IN MX 0 mail
    retrospect IN A 10.0.1.200

    On suggestions from users at the Apple discussion forums, I tried modifying line 11 (domain.com IN A 10.0.1.11) to say

    domain.com. IN CNAME www.domain.com.

    but when I made that change, I could no longer reach my INTERNALLY hosted “mail.domain.com” and “helpdesk.domain.com” sites.

    Does anyone have any suggestions for things I might try here? I would really appreciate the help

    Running 10.4.10 on this server (though I don’t know if that matters much for DNS), the box is also running DHCP and is OD Master for my network (using network home directories, homes on three separate servers).

    thx

    Blair
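    A small zone-file lint, added here as an example and not code from the thread, that parses a trimmed copy of the zone above (with a documentation address standing in for the masked www IP) and flags two things: a name that carries a CNAME alongside other records, which is what the apex CNAME introduces and why BIND then refuses to load the zone, taking mail and helpdesk with it; and an apex A record that points somewhere other than www, which is the internal symptom in the first post. The function names parse_zone, cname_conflicts and apex_and_www_differ are my own.

```python
import re

# Trimmed copy of the zone in the first post; a documentation address stands
# in for the masked www IP (constructed sample, not the poster's real data).
ZONE_ORIGINAL = """\
$TTL 14400
domain.com. IN SOA password.domain.com. postmaster.domain.com. (
2007112027 ; serial
3h ; refresh
1h ; retry
1w ; expiry
1h ) ; minimum
domain.com. IN NS password.domain.com.
domain.com. IN NS password2.domain.com.
domain.com. IN A 10.0.1.11
ldap IN CNAME password
www IN A 203.0.113.10
"""
# The apex-CNAME change the poster tried on advice from the Apple forums.
ZONE_BROKEN = ZONE_ORIGINAL.replace("domain.com. IN A 10.0.1.11",
                                    "domain.com. IN CNAME www.domain.com.")

def parse_zone(text, origin):
    """Return (owner, rtype, rdata) tuples for the record syntax used in the
    thread: $TTL, optional IN class, relative owners, a parenthesised SOA."""
    text = re.sub(r";[^\n]*", "", text)                       # drop comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    records = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("$"):                      # blank / $TTL
            continue
        owner = f[0] if f[0].endswith(".") else f"{f[0]}.{origin}"
        rest = f[2:] if f[1] == "IN" else f[1:]
        records.append((owner, rest[0], rest[1:]))
    return records

def cname_conflicts(records):
    """Owners holding a CNAME plus other data, which RFC 1034 3.6.2 forbids.
    At the apex the SOA and NS records always coexist with it, so BIND refuses
    to load the zone and every name in it (mail, helpdesk, ...) stops resolving."""
    types = {}
    for owner, rtype, _ in records:
        types.setdefault(owner, set()).add(rtype)
    return sorted(o for o, t in types.items() if "CNAME" in t and len(t) > 1)

def apex_and_www_differ(records, origin):
    """True when the bare domain's A record does not point where www does."""
    a = {o: r[0] for o, t, r in records if t == "A"}
    return a.get(origin) != a.get(f"www.{origin}")
```

Running the two checks over ZONE_ORIGINAL reports no CNAME conflict but an apex that differs from www; over ZONE_BROKEN it reports domain.com. as the conflicting name.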

    #370603
    ChurchillBlair
    Participant

    This is what I see when I dig from my machine:

    [Blairs-Intel-iMac:~] blair% dig domain.com

    ; <<>> DiG 9.3.4-P1 <<>> domain.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62462
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 3

    ;; QUESTION SECTION:
    ;domain.com. IN A

    ;; ANSWER SECTION:
    domain.com. 14400 IN A 10.0.1.11

    ;; AUTHORITY SECTION:
    domain.com. 14400 IN NS password.domain.com.
    domain.com. 14400 IN NS password2.domain.com.
    domain.com. 14400 IN NS ca1.ny.towerstream.com.
    domain.com. 14400 IN NS ca2.ny.towerstream.com.

    ;; ADDITIONAL SECTION:
    ca1.ny.towerstream.com. 3446 IN A 69.38.143.2
    ca2.ny.towerstream.com. 3446 IN A 69.38.143.20
    password.domain.com. 14400 IN A 10.0.1.11

    ;; Query time: 0 msec
    ;; SERVER: 10.0.1.11#53(10.0.1.11)
    ;; WHEN: Mon Nov 26 12:01:14 2007
    ;; MSG SIZE rcvd: 199

    Towerstream is our ISP, so I have them in as name servers for our domain to provide external addresses. 'password2' is my secondary zone (and all of our client machines look first to password, then to password2, then to the ISP name servers).

    #370952
    luke
    Participant

    You might try using a split-horizon DNS approach.

    Your internal DNS server is queried by internal machines only. It does DNS caching and forwarding for when your internal machines are surfing the Internet, and presents itself as the authority for your domain, where you hard-code all of the IPs for the various hosts (mail, helpdesk, www, etc.), and make no mention of any other external DNS servers (from towerstream.com). Don’t even let this internal server be queried from external computers. Block it at the firewall.

    Then, create a completely separate DNS server that is available from the outside, and hard code all of the same hosts but with whatever subtle differences you need. This is especially handy if that mail server has an internal IP and an external IP due to NAT forwarding.

    Since my internal DNS servers have hundreds of entries (for each internal machine on the network) but my external DNS servers only have a couple, I just use the DNS service provided by Network Solutions that comes with our domain name.

    See http://homepages.tesco.net/~J.deBoynePollard/FGA/dns-split-horizon.html

    YMMV
