Passing DNS Through DMZ

Archived from groups: microsoft.public.win2000.dns (More info?)

I am bringing my website hosting inhouse. I am setting the server in my DMZ on a 10.x.x.x scheme. It is a single stand alone W2k3 server. It has no affiliation with my domain. I will SNAT port 80 to one of my public IP addresses. I will use my registrar to point the www and @ records to my external IP.

The problem that I will have is that my internal users will not be able to access these 4 websites when they make a request to go to them, because my firewall will not allow the traffic to leave through the private and then the public and come back in on the DMZ. It has to pass the traffic from the private to the DMZ.

I know I could modify the hosts file on each machine with the static mappings (I don't want to have to do this on all of the machines, and I am not sure how I could easily distribute it etc.). I am pretty sure that this can be done through my local DNS. Just not sure what the best way of doing it would be. (New Zones? New Domains? Active Directory Integrated? etc.)

My private network is a 192.168.x.x network. I have two W2k DC's, both running DNS. DC1 is 192.168.x.10. DC2 is 192.168.x.11. Local domain is company.local. Webserver is 10.x.x.2. Domains are mydomain1,2,3,4.com. Any thoughts, help or input is greatly appreciated. Thanks in advance.
  1.

    On Tue, 20 Jul 2004 14:18:01 -0700, "Jason"
    <Jason@discussions.microsoft.com> wrote:

    Add the web server's IP address in the DNS for that zone on your
    internal DNS server. If you don't have that zone defined, create it.
    Make sure your firewall rules allow LAN to DMZ access as needed.

    Jeff
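The zone-and-record step Jeff describes, as an added example that is not part of the original thread: a PowerShell script driving dnscmd.exe (built into Windows Server 2003, and in the Support Tools on Windows 2000) to create an internal copy of each of the four public zones on the AD-integrated DNS of DC1, with @ and www pointing at the DMZ address. The addresses 192.168.1.10 and 10.1.1.2 stand in for the poster's DC1 and web server and are assumptions, as is the choice of DC1 as the server to run it against. One caveat the thread only hints at: once DC1 and DC2 hold mydomain1.com, they answer every query for that zone from the LAN, so any other public record in it (an MX record for mail, for instance) has to be duplicated in the internal copy or internal clients will no longer resolve it.

```powershell
# Added example, not from the original thread. Creates internal ("split-horizon")
# copies of the four public zones on DC1's AD-integrated DNS so that LAN clients
# resolve www.mydomainN.com and mydomainN.com to the DMZ web server.
# Assumed placeholders (not from the post): DC1 = 192.168.1.10, web server =
# 10.1.1.2; the public zones stay hosted at the registrar.
# Run as a member of DnsAdmins or Domain Admins on a box that has dnscmd.exe.

$DnsServer = "192.168.1.10"          # DC1; AD-integrated zones replicate to DC2
$DmzWebIp  = "10.1.1.2"              # DMZ interface of the W2k3 web server
$Zones     = "mydomain1.com", "mydomain2.com", "mydomain3.com", "mydomain4.com"

# Run one dnscmd command against $DnsServer and fail loudly on a non-zero status.
function Invoke-DnsCmd {
    param([string[]]$Arguments)
    $output = & dnscmd.exe $DnsServer @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed ($LASTEXITCODE): $output"
    }
    $output
}

foreach ($zone in $Zones) {
    # Refuse to touch a zone the server already hosts: it could be a genuine
    # primary whose MX and other records must not be clobbered.
    & dnscmd.exe $DnsServer /ZoneInfo $zone > $null 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Warning "$zone already exists on $DnsServer; review it by hand, skipping"
        continue
    }

    # AD-integrated primary: stored in the directory and replicated to every
    # DC that runs DNS (DC1 and DC2), so no zone-transfer setup is needed.
    Invoke-DnsCmd "/ZoneAdd", $zone, "/DsPrimary" | Out-Null

    # Keep the zone static: nothing on the LAN or in the DMZ may register
    # or overwrite records in it via dynamic update.
    Invoke-DnsCmd "/Config", $zone, "/AllowUpdate", "0" | Out-Null

    # Zone apex (@) and www both point at the DMZ address, mirroring the
    # registrar's @ and www records that carry the public IP.
    Invoke-DnsCmd "/RecordAdd", $zone, "@",   "A", $DmzWebIp | Out-Null
    Invoke-DnsCmd "/RecordAdd", $zone, "www", "A", $DmzWebIp | Out-Null

    Write-Host "Created internal zone $zone -> $DmzWebIp"
}
```

The zone is created as AD-integrated so that DC2 picks it up through directory replication rather than a zone transfer, and dynamic updates are switched off because a split-horizon copy is maintained by hand and should never accept registrations from the DMZ host or from LAN clients.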
  2.

    I'm using alias command in the firewall to let people access the web sites
    instead of creating a new zone in DC.

    Roger
  3.

    In news:uWggYS2bEHA.3144@TK2MSFTNGP09.phx.gbl,
    RQ <r.qian@inetmail.att.net> asked for help and I offered my suggestions
    below:
    > I'm using alias command in the firewall to let people access the web
    > sites instead of creating a new zone in DC.
    >
    > Roger

    Sorry, I'm not following what you're implying. Do you mean to say that your
    internal users are using your firewall as a DNS server?

    If that's the case, this is not the method to configure AD and AD clients,
    which of course we know that they must only use the internal DNS. As Jeff
    said, create the zones if not already created, and create a www record and
    give it the internal private IP address. This is of course based on the fact
    that you are not hosting the zone and their public records and they are
    hosted elsewhere outside.


    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services

    Security Is Like An Onion, It Has Layers
    HAM AND EGGS: A day's work for a chicken;
    A lifetime commitment for a pig.
    --
    =================================
  4.

    No, we're using AD DNS. Because the firewall is using NAT, users inside
    cannot access the web site www.company.com. I didn't create a www record
    in DNS and use an alias command in the firewall.

    Roger
  5.

    In news:edzBEuLcEHA.2660@TK2MSFTNGP12.phx.gbl,
    RQ <r.qian@inetmail.att.net> asked for help and I offered my suggestions
    below:
    > No, we're using AD DNS. Because the firewall is using NAT, so that
    > users inside cannot access web site www.company.com . I didn't create
    > a www record in DNS and use an alias command in firewall.
    >
    > Roger

    Ok, I understand the www part.

    What does the alias command do in the firewall? What firewall/NAT (or are they
    separate devices) do you use? As far as I see, that's not necessary, unless
    I'm not understanding what's being accomplished? Do you possibly mean a port remap?

    --
    Regards,
    Ace
  6.

    We're using Cisco PIX firewall with three interfaces.
    Thanks,
    Roger
  7.

    In news:%23FN7VIzcEHA.2816@TK2MSFTNGP11.phx.gbl,
    RQ <r.qian@inetmail.att.net> asked for help and I offered my suggestions
    below:
    > We're using Cisco PIX firewall with three interfaces.
    > Thanks,
    > Roger

    Ok, I see. I haven't ever used this function. From what you're saying, then
    my take on it is that somehow the PIX box is receiving the DNS query and is
    forwarding it to the server? That probably wouldn't make sense if your AD
    members are only using the internal DNS, or other things can happen.

    Or is it acting as a proxy for your clients?

    I would probably suggest creating the zone with the www record, since your
    users are only using the internal DNS. In your original post you mentioned
    creating a zone, or using hosts files, but were not sure what type of zone.
    I would not suggest using a hosts file; I would suggest just creating a
    Primary zone and creating the necessary resources. If you want it available on
    all your DNS servers and they happen to be domain controllers, then I would
    suggest making it an AD Integrated zone.

    --
    Regards,
    Ace
  8.

    No, I don't think PIX receives DNS query. Our PIX is a gateway to Internet.
    Do you mean to create another zone with www record?
    Thanks,
    Roger
  9.

    In news:ezb%23NICdEHA.3096@tk2msftngp13.phx.gbl,
    RQ <r.qian@inetmail.att.net> asked for help and I offered my suggestions
    below:
    > No, I don't think PIX receives DNS query. Our PIX is a gateway to
    > Internet. Do you mean to create another zone with www record?
    > Thanks,
    > Roger

    In this case, then I would create the zone and the www record. This is
    normal when it comes to hosting a webserver on a private side to the
    Internet, but your internal users cannot get to it. The same goes if you
    have a split horizon zone.

    Cheers!


    --
    Regards,
    Ace
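A check for the finished split-horizon setup, as an added example that is not part of the original thread: run from a LAN workstation, it asks each internal DC directly (rather than the client's configured resolver) for the eight names and expects the DMZ address back, shows the public view from an outside resolver for comparison, and then opens TCP 80 to the DMZ server to confirm the LAN-to-DMZ firewall rule Jeff mentioned is in place. The addresses 192.168.1.10, 192.168.1.11 and 10.1.1.2 stand in for DC1, DC2 and the web server, and 198.51.100.53 is a placeholder for any outside resolver such as the ISP's; all are assumptions.

```powershell
# Added example, not from the original thread: verify the internal zones and
# the LAN -> DMZ path from a LAN workstation. Placeholders (assumed, not from
# the post): DC1 192.168.1.10, DC2 192.168.1.11, web server 10.1.1.2, and an
# outside resolver 198.51.100.53 used only to show the public answer.

$InternalDns = "192.168.1.10", "192.168.1.11"
$PublicDns   = "198.51.100.53"
$DmzWebIp    = "10.1.1.2"
$Names       = "www.mydomain1.com", "mydomain1.com", "www.mydomain2.com", "mydomain2.com",
               "www.mydomain3.com", "mydomain3.com", "www.mydomain4.com", "mydomain4.com"

# Query one specific server and return the A records it answers with, parsed
# out of nslookup's text output (works on Windows 2000/2003 clients, which
# have no Resolve-DnsName cmdlet).
function Get-ARecords([string]$Name, [string]$Server) {
    $lines = & nslookup.exe -type=A $Name $Server 2>$null
    $inAnswer = $false
    foreach ($line in $lines) {
        # Lines before "Name:" describe the server that was asked, not the answer.
        if ($line -match '^Name:\s+') { $inAnswer = $true; continue }
        if ($inAnswer -and $line -match '(\d{1,3}\.){3}\d{1,3}') { $matches[0] }
    }
}

# TCP connect to port 80 with a 3 second timeout; a firewall that drops
# LAN -> DMZ traffic shows up here as a timeout rather than a refusal.
function Test-Port80([string]$Ip) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Ip, 80, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(3000)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$failed = 0
foreach ($name in $Names) {
    foreach ($dns in $InternalDns) {
        $got = @(Get-ARecords $name $dns)
        if ($got -contains $DmzWebIp) {
            Write-Host "OK   $name @ $dns -> $($got -join ',')"
        } else {
            Write-Host "FAIL $name @ $dns -> $($got -join ',') (expected $DmzWebIp)"
            $failed++
        }
    }
    # The outside view should still be the registrar's record (the public IP);
    # seeing the two answers side by side confirms the horizons differ as intended.
    Write-Host "INFO $name @ $PublicDns (public) -> $(@(Get-ARecords $name $PublicDns) -join ',')"
}

if (Test-Port80 $DmzWebIp) {
    Write-Host "OK   TCP 80 to $DmzWebIp is allowed LAN -> DMZ"
} else {
    Write-Host "FAIL TCP 80 to $DmzWebIp is blocked; fix the LAN -> DMZ firewall rule"
    $failed++
}

exit $failed
```

Both DCs are queried separately on purpose: with an AD-integrated zone, a FAIL on DC2 alone points at directory replication rather than at the zone contents, and the exit code makes the script usable from a scheduled task after future zone edits.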