Passing DNS Through DMZ

July 20, 2004 6:18:01 PM

Archived from groups: microsoft.public.win2000.dns

I am bringing my website hosting in-house. I am setting the server in my DMZ on a 10.x.x.x scheme. It is a single stand-alone W2k3 server. It has no affiliation with my domain. I will SNAT port 80 to one of my public IP addresses. I will use my registrar to point the www and @ records to my external IP. The problem that I will have is that my internal users will not be able to access these 4 websites when they make a request to go to them, because my firewall will not allow the traffic to leave through the private and then the public and come back in on the DMZ. It has to pass the traffic from the private to the DMZ. I know I could modify the hosts file on each machine with the static mappings (I don't want to have to do this on all of the machines and I am not sure how I could easily distribute it, etc.). I am pretty sure that this can be done through my local DNS. Just not sure what the best way of doing it would be. (New Zones? New Domains? Active Directory Integrated? etc.) My private network is a 192.168.x.x network. I have two W2k DCs, both running DNS. DC1 is 192.168.x.10. DC2 is 192.168.x.11. Local domain is company.local. Webserver is 10.x.x.2. mydomain1,2,3,4.com. Any thoughts, help or input is greatly appreciated. Thanks in advance.


Anonymous
July 21, 2004 5:39:25 AM


On Tue, 20 Jul 2004 14:18:01 -0700, "Jason"
<Jason@discussions.microsoft.com> wrote:

>I am bringing my website hosting in-house. I am setting the server in my DMZ on a 10.x.x.x scheme. It is a single stand-alone W2k3 server. It has no affiliation with my domain. I will SNAT port 80 to one of my public IP addresses. I will use my registrar to point the www and @ records to my external IP. The problem that I will have is that my internal users will not be able to access these 4 websites when they make a request to go to them, because my firewall will not allow the traffic to leave through the private and then the public and come back in on the DMZ. It has to pass the traffic from the private to the DMZ. I know I could modify the hosts file on each machine with the static mappings (I don't want to have to do this on all of the machines and I am not sure how I could easily distribute it, etc.). I am pretty sure that this can be done through my local DNS. Just not sure what the best way of doing it would be. (New Zones? New Domains? Active Directory Integrated?
>etc.) My private network is a 192.168.x.x network. I have two W2k DCs, both running DNS. DC1 is 192.168.x.10. DC2 is 192.168.x.11. Local domain is company.local. Webserver is 10.x.x.2. mydomain1,2,3,4.com. Any thoughts, help or input is greatly appreciated. Thanks in advance.

Add the web server's IP address in the DNS for that zone on your
internal DNS server. If you don't have that zone defined, create it.
Make sure your firewall rules allow LAN to DMZ access as needed.

Jeff
Anonymous
July 21, 2004 7:55:07 PM


I'm using the alias command in the firewall to let people access the web sites
instead of creating a new zone in the DC.

Roger


"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:4103c8ff.215714601@msnews.microsoft.com...
> On Tue, 20 Jul 2004 14:18:01 -0700, "Jason"
> <Jason@discussions.microsoft.com> wrote:
>
> >I am bringing my website hosting in-house. I am setting the server in my
> >DMZ on a 10.x.x.x scheme. It is a single stand-alone W2k3 server. It has
> >no affiliation with my domain. I will SNAT port 80 to one of my public IP
> >addresses. I will use my registrar to point the www and @ records to my
> >external IP. The problem that I will have is that my internal users will
> >not be able to access these 4 websites when they make a request to go to
> >them, because my firewall will not allow the traffic to leave through the
> >private and then the public and come back in on the DMZ. It has to pass the
> >traffic from the private to the DMZ. I know I could modify the hosts file on
> >each machine with the static mappings (I don't want to have to do this on all
> >of the machines and I am not sure how I could easily distribute it, etc.). I
> >am pretty sure that this can be done through my local DNS. Just not sure
> >what the best way of doing it would be. (New Zones? New Domains? Active
> >Directory Integrated?
> >etc.) My private network is a 192.168.x.x network. I have two W2k DCs,
> >both running DNS. DC1 is 192.168.x.10. DC2 is 192.168.x.11. Local domain
> >is company.local. Webserver is 10.x.x.2. mydomain1,2,3,4.com. Any
> >thoughts, help or input is greatly appreciated. Thanks in advance.
>
> Add the web server's IP address in the DNS for that zone on your
> internal DNS server. If you don't have that zone defined, create it.
> Make sure your firewall rules allow LAN to DMZ access as needed.
>
> Jeff
Anonymous
July 23, 2004 1:28:38 AM


In news:uWggYS2bEHA.3144@TK2MSFTNGP09.phx.gbl,
RQ <r.qian@inetmail.att.net> asked for help and I offered my suggestions
below:
> I'm using the alias command in the firewall to let people access the web
> sites instead of creating a new zone in the DC.
>
> Roger

Sorry, I'm not following what you're implying. Do you mean to say that your
internal users are using your firewall as a DNS server?

If that's the case, this is not the method to configure AD and AD clients,
which of course we know must only use the internal DNS. As Jeff
said, create the zones if not already created, and create a www record and
give it the internal private IP address. This is of course based on the fact
that you are not hosting the zone and its public records; they are
hosted elsewhere outside.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
Anonymous
July 23, 2004 12:49:43 PM


No, we're using AD DNS. Because the firewall is using NAT, users
inside cannot access the web site www.company.com. I didn't create a www record
in DNS; I use an alias command in the firewall.

Roger
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
message news:eDlvjRFcEHA.1248@TK2MSFTNGP11.phx.gbl...
> In news:uWggYS2bEHA.3144@TK2MSFTNGP09.phx.gbl,
> RQ <r.qian@inetmail.att.net> asked for help and I offered my suggestions
> below:
> > I'm using the alias command in the firewall to let people access the web
> > sites instead of creating a new zone in the DC.
> >
> > Roger
>
> Sorry, I'm not following what you're implying. Do you mean to say that
> your internal users are using your firewall as a DNS server?
>
> If that's the case, this is not the method to configure AD and AD clients,
> which of course we know must only use the internal DNS. As Jeff
> said, create the zones if not already created, and create a www record and
> give it the internal private IP address. This is of course based on the
> fact that you are not hosting the zone and its public records; they are
> hosted elsewhere outside.
Anonymous
July 24, 2004 4:37:08 PM


In news:edzBEuLcEHA.2660@TK2MSFTNGP12.phx.gbl,
RQ <r.qian@inetmail.att.net> asked for help and I offered my suggestions
below:
> No, we're using AD DNS. Because the firewall is using NAT, users
> inside cannot access the web site www.company.com. I didn't create
> a www record in DNS; I use an alias command in the firewall.
>
> Roger

Ok, I understand the www part.

What does the alias command do in the firewall? What firewall/NAT (or are they
separate devices) do you use? As far as I can see, that's not necessary, unless
I'm not understanding what's being accomplished. Do you possibly mean a port remap?

--
Regards,
Ace
Anonymous
July 26, 2004 4:03:24 PM


We're using Cisco PIX firewall with three interfaces.
Thanks,
Roger
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
message news:uZr%235xZcEHA.1656@TK2MSFTNGP09.phx.gbl...
> In news:edzBEuLcEHA.2660@TK2MSFTNGP12.phx.gbl,
> RQ <r.qian@inetmail.att.net> asked for help and I offered my suggestions
> below:
> > No, we're using AD DNS. Because the firewall is using NAT, users
> > inside cannot access the web site www.company.com. I didn't create
> > a www record in DNS; I use an alias command in the firewall.
> >
> > Roger
>
> Ok, I understand the www part.
>
> What does the alias command do in the firewall? What firewall/NAT (or are
> they separate devices) do you use? As far as I can see, that's not necessary,
> unless I'm not understanding what's being accomplished. Do you possibly mean
> a port remap?
Anonymous
July 27, 2004 2:50:52 AM


In news:%23FN7VIzcEHA.2816@TK2MSFTNGP11.phx.gbl,
RQ <r.qian@inetmail.att.net> asked for help and I offered my suggestions
below:
> We're using Cisco PIX firewall with three interfaces.
> Thanks,
> Roger

Ok, I see. I haven't ever used this function. From what you're saying,
my take on it is that somehow the PIX box is receiving the DNS query and is
forwarding it to the server? That probably wouldn't make sense if your AD
members are only using the internal DNS, or other things can happen.

Or is it acting as a proxy for your clients?

I would probably suggest creating the zone with the www record, since your
users are only using the internal DNS. In your original post you mentioned
creating a zone, or using hosts files, but were not sure what type of zone.
I would not suggest using hosts files; I would suggest just creating a
Primary zone and creating the necessary resources. If you want it available on
all your DNS servers, and they happen to be domain controllers, then I would
suggest making it an AD Integrated zone.

--
Regards,
Ace
Anonymous
July 27, 2004 8:41:05 PM


No, I don't think the PIX receives DNS queries. Our PIX is a gateway to the Internet.
Do you mean to create another zone with a www record?
Thanks,
Roger
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
message news:%23dNvNS4cEHA.2384@TK2MSFTNGP09.phx.gbl...
> In news:%23FN7VIzcEHA.2816@TK2MSFTNGP11.phx.gbl,
> RQ <r.qian@inetmail.att.net> asked for help and I offered my suggestions
> below:
> > We're using Cisco PIX firewall with three interfaces.
> > Thanks,
> > Roger
>
> Ok, I see. I haven't ever used this function. From what you're saying,
> my take on it is that somehow the PIX box is receiving the DNS query and
> is forwarding it to the server? That probably wouldn't make sense if your AD
> members are only using the internal DNS, or other things can happen.
>
> Or is it acting as a proxy for your clients?
>
> I would probably suggest creating the zone with the www record, since your
> users are only using the internal DNS. In your original post you mentioned
> creating a zone, or using hosts files, but were not sure what type of
> zone. I would not suggest using hosts files; I would suggest just creating
> a Primary zone and creating the necessary resources. If you want it available
> on all your DNS servers, and they happen to be domain controllers, then I
> would suggest making it an AD Integrated zone.
Anonymous
July 28, 2004 3:10:12 AM


In news:ezb%23NICdEHA.3096@tk2msftngp13.phx.gbl,
RQ <r.qian@inetmail.att.net> asked for help and I offered my suggestions
below:
> No, I don't think the PIX receives DNS queries. Our PIX is a gateway to the
> Internet. Do you mean to create another zone with a www record?
> Thanks,
> Roger

In this case, I would create the zone and the www record. This is
normal when it comes to hosting a webserver on the private side of the
Internet where your internal users cannot otherwise get to it. The same goes if you
have a split-horizon zone.

Cheers!


--
Regards,
Ace
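The procedure the thread settles on (an internal zone for each public domain, a www and apex A record pointing at the DMZ address, and a firewall rule permitting LAN to DMZ on tcp/80), written out as an added example that is not part of the original posts. It uses the DnsServer PowerShell module of Windows Server 2012 and later rather than the Windows 2000 DNS console or dnscmd.exe the posters would have used in 2004; the cmdlets are the modern equivalent of the same steps. The IP addresses, the TTL and the public resolver used for comparison are assumed placeholders, since the thread redacts the real octets as "x". The firewall-side alternative Roger describes (rewriting DNS answers on the PIX) is independent of this and is not shown.

```powershell
# Added example (not from the original thread): split-horizon DNS for a DMZ web server,
# built on the internal Windows DNS servers with the DnsServer module (Windows Server
# 2012+). Run on a DC that holds DNS, or remotely with -ComputerName, as a DNS admin.
#
# ASSUMED placeholder values; the thread redacts the real octets as "x".
$InternalDnsServers = @('192.168.1.10', '192.168.1.11')   # DC1, DC2 (assumed)
$DmzWebServer       = '10.1.1.2'                          # W2k3 web server in the DMZ (assumed)
$PublicResolver     = '8.8.8.8'                           # any outside resolver, for comparison only (assumed)
$PublicZones        = @('mydomain1.com', 'mydomain2.com', 'mydomain3.com', 'mydomain4.com')
$Ttl                = New-TimeSpan -Hours 1               # assumed; keep it short while testing

foreach ($zone in $PublicZones) {
    # An AD-integrated primary zone replicates to every DC running DNS, so DC1 and DC2
    # answer identically (Ace's suggestion). Dynamic updates are disabled: nothing on
    # the LAN should be able to register names into a zone that shadows a public domain.
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Domain' -DynamicUpdate 'None'
    }

    # Internal clients now receive the DMZ address for www and for the apex (@) instead
    # of the public IP, so the connection goes LAN -> DMZ directly and never has to
    # hairpin through the outside interface of the firewall.
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'www' -IPv4Address $DmzWebServer -TimeToLive $Ttl
    Add-DnsServerResourceRecordA -ZoneName $zone -Name '@'   -IPv4Address $DmzWebServer -TimeToLive $Ttl
}

# Caveat: the internal servers are now authoritative for the whole zone. Any other
# record the registrar publishes (MX, mail, ftp, ...) must be duplicated here, or
# internal users will stop resolving it. Compare the inside and outside views per name.
foreach ($zone in $PublicZones) {
    foreach ($name in @("www.$zone", $zone)) {
        $inside  = Resolve-DnsName -Name $name -Type A -Server $InternalDnsServers[0] -DnsOnly -ErrorAction SilentlyContinue
        $outside = Resolve-DnsName -Name $name -Type A -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue
        '{0,-22} inside={1,-15} outside={2}' -f $name, ($inside.IPAddress -join ','), ($outside.IPAddress -join ',')
    }
}

# Finally confirm the firewall actually permits LAN -> DMZ on tcp/80 (Jeff's point).
# A correct zone with a blocked path still leaves the sites unreachable.
Test-NetConnection -ComputerName $DmzWebServer -Port 80 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

The comparison loop is the check worth keeping after the change: for www and the apex the inside answer should be the DMZ address and the outside answer the public one; for every other name the two should match, and a name that resolves outside but not inside is a record the split-horizon zone is missing.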