dns + firewall?

Eric

Distinguished
Dec 31, 2007
1,373
0
19,280
Archived from groups: microsoft.public.win2000.dns

This is probably stupid, but we have a network with a firewall where the
web server is an IIS/Win 2k which is on the dmz. Everything works fine
*except* for the internal computers where we have a problem with the domain.
Normally it's www.company.com, we have an alias that's lan.company.com
created with an alias that works but we would like to use the regular
www.spider.se. The reason is that every webpage we create from the "inside"
can't use the same absolute links as from the "outside" which is disturbing.

I *think* you can do some sort of forwarding thing in the Win 2k dns to fix
this but I don't know how.

Any ideas?

/e
 
Guest

"Eric" <eric@hotmail.com> wrote in message
news:ur8C#affEHA.4092@TK2MSFTNGP10.phx.gbl...
> This is probably stupid, but we have a network with a firewall where the
> web server is an IIS/Win 2k which is on the dmz. Everything works fine
> *except* for the internal computers where we have a problem with the domain.
> Normally it's www.company.com, we have an alias that's lan.company.com
> created with an alias that works but we would like to use the regular
> www.spider.se. The reason is that every webpage we create from the "inside"
> can't use the same absolute links as from the "outside" which is disturbing.

It's not a stupid question, but it isn't exactly clear where the
problem is, or what you wish to accomplish that you cannot.

What is your internal domain name?

Do you have separate internal and external DNS servers?

> I *think* you can do some sort of forwarding thing in the Win 2k dns to fix
> this but I don't know how.

The standard method is for all of the INTERNAL machines
to be DNS clients of the internal DNS.

The internal DNS then forwards to the ISP or the DMZ/firewall
DNS server which handles all public zone resolution.


Internal DNS:
DNS
1) Dynamic for the zone supporting AD
2) All internal DNS client NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC.

--
Herb Martin


>
> Any ideas?
>
> /e
>
>
 
Guest

In news:%23WzN%23BifEHA.3556@TK2MSFTNGP12.phx.gbl,
Eric <eric@hotmail.com> wrote their comments
Then Kevin replied below:
> ha!! U r the king! Now it worked! Thank you, this has
> been a pain in the butt for some time now!!

You probably had to wait for the negative answer TTL to expire in the client
DNS cache; ipconfig /flushdns would have made it work immediately.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
================================================
--
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
================================================
http://www.lonestaramerica.com/
================================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
================================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
================================================
 

Eric


> Can I assume that all users are using only the Win2k that is _NOT_ in the
> DMZ for DNS?

eh? they are using computers/workstations that's not in the dmz. and they
logon to the computer that's not in the dmz.

> Local computers will not be able to use the DNS in the DMZ for DNS because
> if I'm getting the picture right, it has public DNS zones.
> That being said, in the DNS server for the internal LAN, create a zone named
> company.com, with records for www and or whatever with the private IP of the
> webserver in the DMZ.
> If www.company.com is the only name you need to access on the DMZ server, I
> would create a zone for that name (www.company.com), then create a blank
> host with the IP of the web server in the DMZ, this will prevent the local
> DNS from intercepting names that can be accessed from inside the LAN by the
> public addresses.

let's see now. I created a new zone called www.company.com. there I created
a blank host with the same IP as the dns/web. but njet... :/

/e
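
The difference between the two zone layouts in the quoted advice, as an added example that is not part of the original thread: a simplified model of how the internal DNS server chooses which zone answers a query. The addresses, the `mail` record and all function names are constructed for illustration.

```python
# Constructed model: an internal DNS server answers authoritatively from the
# longest hosted zone matching the query name and forwards everything else.
# Addresses are placeholders (RFC 5737 public range, RFC 1918 private range).

PUBLIC = {"www.company.com": "203.0.113.10", "mail.company.com": "203.0.113.25"}

def forward(name):
    """Stand-in for the forwarder (ISP or DMZ DNS) holding the public zone."""
    return PUBLIC.get(name, "NXDOMAIN")

def resolve(zones, name):
    """zones maps each zone hosted on the internal server to its records."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    for i in range(len(labels)):          # longest suffix first
        zone = ".".join(labels[i:])
        if zone in zones:
            # Authoritative: a record missing from the zone is NXDOMAIN,
            # the query is never passed on to the forwarder.
            return zones[zone].get(name, "NXDOMAIN")
    return forward(name)

DMZ_WEB = "192.168.10.5"  # hypothetical private address of the DMZ web server

# Layout A: internal zone for the whole domain, holding only a www record.
WHOLE_DOMAIN = {"company.com": {"www.company.com": DMZ_WEB}}
# Layout B: zone named after the one host, with a blank (same as parent) record.
SINGLE_HOST = {"www.company.com": {"www.company.com": DMZ_WEB}}

def compare(names):
    """Return {name: (answer under layout A, answer under layout B)}."""
    return {n: (resolve(WHOLE_DOMAIN, n), resolve(SINGLE_HOST, n)) for n in names}

if __name__ == "__main__":
    for n, (a, b) in compare(["www.company.com", "mail.company.com"]).items():
        print(f"{n:18} whole-domain zone: {a:14} single-host zone: {b}")
```

With the whole-domain zone, every other public name under company.com has to be duplicated internally or it stops resolving for LAN clients; the single-host zone overrides only www.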
 
Guest

E> *except* for the internal computers where we have a problem with the
E> domain.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon-common-server-names.html>

E> every webpage we create from the "inside" can't use the same absolute
E> links as from the "outside" which is disturbing.

Use relative URLs on your web pages, as well. Don't use absolute URLs
unless you *cannot* use relative ones.
 

Eric


Sigh...It seems that that dns also is the primary dns and if you add the
www.company.com zone it sends out a change to the internet dns-servers and
then you can't reach the site from the outside...:/

Any thoughts?

/e
 
Guest

In news:eFXeVJrfEHA.3148@TK2MSFTNGP10.phx.gbl,
Eric <Eric@hotmail.com> made a post then I commented below
> Sigh...It seems that that dns also is the primary dns and if you add
> the www.company.com zone it sends out a change to the internet
> dns-servers and then you can't reach the site from the outside...:/
>
> Any thoughts?
>
> /e

Apparently you are hosting external data on an internal machine. This is not
wise; it is suggested to use separate physical DNS servers, one for the
internal namespace, one for the external namespace. Do not mix private and
public data. Lanwench gave you a great response based on this in that other
new thread you started.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
 
Guest

In news:eFXeVJrfEHA.3148@TK2MSFTNGP10.phx.gbl,
Eric <Eric@hotmail.com> wrote their comments
Then Kevin replied below:
> Sigh...It seems that that dns also is the primary dns and
> if you add the www.company.com zone it sends out a change
> to the internet dns-servers and then you can't reach the
> site from the outside...:/
>
> Any thoughts?

Why in the world are you trying to run the same DNS data for both internal
and external resolution?


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
 

Eric


ok, we changed some pointers in the firewall and now it seems to be working.
thanks for everyone's help, really appreciating it!

/e
 
Guest

In news:uh6pnxEgEHA.3932@TK2MSFTNGP09.phx.gbl,
Eric <eric@hotmail.com> made a post then I commented below
> ok, we changed some pointers in the firewall and now it seems to be
> working. thanks for everyone's help, really appreciating it!
>
> /e

Glad you got it fixed.

--
Ace