DNS-Resolve www address or our website internally? 2

[pjewett]

.

The issue apparently is that in his demonstrations he needs or wants to be able to use "www" in front of our domain name when he browses to the site.

It was explained to me that because we host our own site and that because it is located inside of our network that users internal to our network are prevented from using "www" when visiting our site because "www" forwards the request to port 80, where a DNS server would then direct the user back to the external IP of our webserver, which is not allowed to prevent one from "spoofing" into our network.

Is this information accurate and is there a way to allow users internal to our network to browse to our internally hosted webserver using the same address they would use externally? exp.

http://www.apple.com

instead of apple.com without compromising security?


Thanks very much in advance.

 

[pjewett]

Sorry, this is the whole post. Can't figure out how to edit the other.

One of our guys in Marketing is working on a few projects related to our Company's website which we host ourselves. He often needs to demonstrate some of the changes he's making to our Executives while here on the premises and inside of our network.

The issue apparently is that in his demonstrations he needs or wants to be able to use "www" in front of our domain name when he browses to the site.

It was explained to me that because we host our own site and that because it is located inside of our network that users internal to our network are prevented from using "www" when visiting our site because "www" forwards the request to port 80, where a DNS server would then direct the user back to the external IP of our webserver, which is not allowed to prevent one from "spoofing" into our network.

Is this information accurate and is there a way to allow users internal to our network to browse to our internally hosted webserver using the same address they would use externally? exp.

http://www.apple.com

instead of apple.com without compromising security?


Thanks very much in advance.

 

[elgrandeperro]

The issue is that your internal web server is running on a private IP, and you don't have "split" DNS. If you can map that name "www" to an internal IP, it usually works in the case where the external side is simply address mapping to an internal server.

One way is to split the DNS so you have internal and external views. That would require a little work from your IT crew.

What I would try first is to add your internal host/ip ( I will assume you use a PC) to the hosts file. That way, just that PC will think

http://www.yourdomain.com

is internal, and see if you can bring up the webserver on a browser. Of course one must be aware to undue this setting when you are not on the internal network.

The location of the file is OS dependent, and you simply put:

a.b.c.d

http://www.yourdomain.com

(where a.b.c.d is the internal ip)

into the file. This will mask out only www, all other queries will continue to use DNS.

gene

 

[pjewett]

Thank you, the Host file idea worked.

We use Active Directory. Is there any reason I can't apply that entry (10.0.0.X

http://www.yourdomain.com)

to our Domain Controllers DNS so that everyone is able to use "www" when visiting our site?

 

[ShackDaddy]

If your internal domain name is different than your external domain name (maybe its "domain.com" on the outside and "domain" or "domain.local" on the inside), then you can create a new "forward lookup zone" on your internal DNS/domain controller and add the external domain to your internal servers. Then create all the records you need. Any services that are hosted outside of your LAN, like mail or ftp perhaps, you'd want to create A-records for those things pointed to the outside hosts. For your

http://www record,

you'd create an A-record pointing to the internal IP of the web server.

If your domain name is the same inside and outside, and the outside world uses the same DNS server as your inside hosts, then you will have more trouble, since the

http://WWW record

will need to map to the external IP. But this is probably not your setup, since you run AD and would need a private internal server.

If your domain name is the same inside and outside and you have an internal DNS server and are using a separate server for the World to find your site, then you can change the

http://WWW A-record

on your internal server to the inside IP of the web server. This assumes that all the clients point to the internal DNS server for their name resolution.

ShackDaddy

 

[pjewett]

I got ya. The problem we're still running into however is that this guy's demo's often involves links to our website from our parent company's site.

When anyone internally surfs to

http://www.parentcompany.com

and clicks a link to

http://www.ourdomain.com

it once again will be pointed to the external IP of our website and they won't be able to hit it.

hmmmm

 

[elgrandeperro]

The other way to fix it is to talk to who setup your network, and have them think about subnetting or splitting out the publically accessible into a separate DMZ. That way you can avoid the problem and subvert the need to play too many DNS games.

gene

 

[ShackDaddy]

I don't know why clicking a link to '

http://www.ourcompany.com'

would send you to the external IP. The referral should be a fully qualified domain name, and your clients internally should use your internal version of the DNS namespace to resolve it.

Whether you've used the host-file option of the internal forward-lookup-zone for that namespace, I wouldn't expect the behaviour that you're getting.

ShackDaddy