Internal External Domain Name

Archived from groups: microsoft.public.win2000.dns

I am currently running SBS2003 behind a Pix firewall and a VPN Concentrator
with NAT. I have an external registered domain name for our E-mail that
points to the external address of our SBS server.

I created a separate internal domain name for our network. Let's call it
abc.com.
Now (3 years later) I realize that I should have named it abc.local or
something else.

I want to register abc.com to prevent someone else from registering the name.

If I register abc.com, will it cause DNS problems for my internal network
users? Will it automatically know to check the local internal DNS server to
resolve to the local address, or will it potentially attempt to resolve to
the external web address?

All users have direct access to the internet through the PIX firewall.

DHCP is configured to put our internal SBS server as the primary DNS server
and an internet server as the secondary server.

I don't plan to use abc.com for any web access, or mail. I just want to
park it so it is reserved.

Our users do use the VPN client to access our network remotely, but our VPN
client is configured to connect directly to the VPN concentrator via IP
address so I am assuming that VPN should not have a problem resolving to the
internal server.

I hope my question is clear. If not please let me know if you need
additional information.

Thanks for your help.
  1. Archived from groups: microsoft.public.win2000.dns

    In news:973B4925-899B-4A6B-B491-52DDD36637CD@microsoft.com,
    AFS <AFS@discussions.microsoft.com> commented
    Then Kevin replied below:
    > I am currently running SBS2003 behind a Pix firewall and
    > a VPN Concentrator with NAT. I have an external
    > registered domain name for our E-mail that points to the
    > external address of our SBS server.
    >
    > I created a separate internal domain name for our
    > network. Let's call it abc.com.
    > Now (3 years later) I realize that I should have named it
    > abc.local or something else.
    >
    > I want to register abc.com to prevent someone else from
    > registering the name.
    >
    > If I register abc.com, will it cause DNS problems for my
    > internal network users? Will it automatically know to
    > check the local internal DNS server to resolve to the
    > local address, or will it potentially attempt to resolve
    > to the external web address?
    >
    > All users have direct access to the internet through the
    > PIX firewall.
    >
    > DHCP is configured to put our internal SBS server as the
    > primary DNS server and an internet server as the
    > secondary server.
    >
    > I don't plan to use abc.com for any web access, or mail.
    > I just want to park it so it is reserved.
    >
    > Our users do use the VPN client to access our network
    > remotely, but our VPN client is configured to connect
    > directly to the VPN concentrator via IP address so I am
    > assuming that VPN should not have a problem resolving to
    > the internal server.
    >
    > I hope my question is clear. If not please let me know
    > if you need additional information.
    >

    It won't cause a problem for the internal users. Internal users should never
    get a direct look at the public name space. It may cause a problem for the
    VPN users, since they must go through the public namespace to get to the
    internal namespace. But putting the proper delegations in the public zone
    will make it seamless.


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
  2. Archived from groups: microsoft.public.win2000.dns

    Thanks for the information. I'm not sure I understand "proper delegations
    in the public zone" but I am assuming that since the IP address of our VPN
    concentrator is hardcoded into our VPN clients, our VPN connection will not
    use the public namespace to find our network. Is this a valid assumption?

    Thanks again for taking the time to help.
  3. Archived from groups: microsoft.public.win2000.dns

    In news:CA5EFDD3-C9C3-412D-889E-66C782F960CA@microsoft.com,
    AFS <AFS@discussions.microsoft.com> commented
    Then Kevin replied below:
    > Thanks for the information. I'm not sure I understand
    > "proper delegations in the public zone" but I am assuming
    > that since the IP address of our VPN concentrator is
    > hardcoded into our VPN clients, our VPN connection will
    > not use the public namespace to find our network. Is
    > this a valid assumption?
    >
    > Thanks again for taking the time to help.

    This is a bad assumption. While you have the internal DNS hardcoded in the
    VPN client, you must first connect to the internet before the VPN client can
    connect. It is when you have made this connection that you can possibly
    cache conflicting NS records for the domain name. This is what causes
    connection failures to internal resources.
    You can use hosts files to make sure the correct internal hosts addresses
    are loaded in the cache. You can also make delegations in the public zone
    for names in the internal DNS using the private IP of the internal DNS in
    the delegation.
    This delegation is useless until the VPN is connected because the
    delegation is to an internal address that should not be routable over the
    internet.
    Of course this delegation is only as secure as your firewall is at keeping
    unauthorised, unauthenticated users out.

    Since you don't have a public site on this address, the only time the public
    zone should be queried is for your VPN clients. I would delegate these names
    in the public zone. Make these delegations to the private address.
    _msdcs
    _sites
    _tcp
    _udp

    There is an article that tells you how to set this up.
    Integrating Your Active Directory Namespace Into an Existing DNS
    Infrastructure With Name Overlap:
    http://www.microsoft.com/windows2000/techinfo/reskit/deploymentscenarios/scenarios/dns04_integ_adnspace_with_nameoverlap.asp

    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
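
Added example (not part of the original thread, and not Kevin's or Microsoft's code): a check that a public zone fragment delegates the four subdomains listed in the last reply to a name server whose address is private. The zone text, the host name `ns-int` and the address `192.168.16.2` are constructed for illustration; `abc.com` is the thread's own placeholder.

```python
import ipaddress

# Constructed sample of the public abc.com zone. ns-int and 192.168.16.2 are
# hypothetical stand-ins for the internal DNS server and its private address.
PUBLIC_ZONE = """\
$ORIGIN abc.com.
_msdcs   IN NS ns-int.abc.com.
_sites   IN NS ns-int.abc.com.
_tcp     IN NS ns-int.abc.com.
_udp     IN NS ns-int.abc.com.
ns-int   IN A  192.168.16.2
"""

AD_SUBDOMAINS = ("_msdcs", "_sites", "_tcp", "_udp")

def parse_zone(text):
    """Parse 'name IN TYPE value' lines into (origin, delegations, glue)."""
    origin, delegations, glue = "", {}, {}
    for line in text.splitlines():
        f = line.split(";")[0].split()          # drop comments, split fields
        if len(f) == 2 and f[0] == "$ORIGIN":
            origin = f[1].rstrip(".")
        elif len(f) == 4 and f[1] == "IN":
            fqdn = f[0].rstrip(".") if f[0].endswith(".") else f"{f[0]}.{origin}"
            if f[2] == "NS":
                delegations.setdefault(fqdn, []).append(f[3].rstrip("."))
            elif f[2] == "A":
                glue[fqdn] = ipaddress.ip_address(f[3])
    return origin, delegations, glue

def audit(text):
    """Return a list of problems; an empty list means the delegations look right."""
    origin, delegations, glue = parse_zone(text)
    problems = []
    for sub in AD_SUBDOMAINS:
        fqdn = f"{sub}.{origin}"
        if fqdn not in delegations:
            problems.append(f"{fqdn}: not delegated")
        for ns in delegations.get(fqdn, []):
            addr = glue.get(ns)
            if addr is None:
                problems.append(f"{fqdn}: no A record for {ns}")
            elif not addr.is_private:   # True for RFC 1918 and other non-global space
                problems.append(f"{fqdn}: {ns} -> {addr} is publicly routable")
    return problems

if __name__ == "__main__":
    print(audit(PUBLIC_ZONE) or "delegations OK")
```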