DNS with Sonicwall and W2K server

[bsetterb]

I am building a home network with the following configuration:

dsl --> SonicWall --> W2K server --> 6 XP machines

I have my domain (setterbo.com)registered with the NetworkSoluctions and frontdoor.setterbo.com(64.144.229.52) is the primary DNS. My ISP is DSL.NET. SonicWall tech support says that I have their box configured correctly:
WAN = 64.144.229.52 (my static ip)
LAN - 192.168.23.1
NAT on
DNS,HTTP,FTP,PING,NNTP,SMTP,POP3 all passed thru to
192.168.23.2 (frontdoor.setterbo.com)
DNS servers in order are:
frontdoor.setterbo.com, ns1.dsl.net, ns2,dsl,net

I have the W2K server on the private LAN side of the Sonicwall(192.168.23.2/frontdoor.setterbo.cm) configured for AD, DHCP, DNS, IIS(

http://WWW,SMTP,FTP,NNTP).

DHCP leases from 192.168.23.10-175 with DNS as frontdoor(64.144.229.52) and 192.168.23.1 as the gateway.

Here is the problem: DNS Forward Lookup Zone for setterbo.com insists that frontdoor is 192.168.23.2(which is true) and therefore I can not get external resolution for frontdoor.setterbo.com(which should be 64.144.229.52). I know this has to be able to be configured properly so that the external address(64.144.229.52) will resolve to frontdoor. Every time I try and add a host record for 64.144.229.52 into the zone and restart, the address record dissapears. Any help would be greatly appreciated.

Thanks in advance...

 

[brontosaurus]

this is a little confusing, so a couple of questions..

1) In your DHCP leases, why are you handing out the SonicWall as the DNS server? You should be using the W2K for DNS resolution and have it forward to the internet for external addresses. (you've deleted your root "." zone, yes?) This goes for both your clients and your 2K server.

2) Why did your ISP (or you) register setterbo.com with your internal, non-routable IP address?

3) What host(s) are you trying to access that you currently can't get to?

 

[bsetterb]

brontosaurus,
Thanks for the reply. Here are the answers to your questions. I have been trying several things to make this work as you will see in my answers. I can and will modify what ever I need to to make this work correctly. Thanks so much for your help...

1) I had the DHCP server using w2k (192.168.23.2) originally. I had changed the DNS server to the registered address(64.144.229.52) in an attempt to get external visability to frontdoor. DHCP was working fine with the private address and I will change it back. I have always had ns1 and ns2 as forwarders. Yes, the "." zone has been deleted. All clients are set to use the DHCP settings.

2) setterbo.com is registered with frontdoor.setterbo.com as the primary name server. It's address is registered as 64.144.229.52(a routable address). I set SonicWall's WAN address to 64.144.229.52 and pass through DNS(53 on UDP and TCP) and other messages to 192.168.23.2(the private address for frontdoor).

3) With my currnet configuration, I can not ping frontdoor.setterbo.com. Thus, DNS requests to frontdoor time out and NS1 or NS2 responds. NSLOOKUP says frontdoor is 192.168.23.2 instead of 64.144.229.52. Sonicwall is set to pass DNS, HTTP, FTP, SMTP, POP3, PING, and NNTP messages through to 192.168.23.2(frontdoor).


The bottom line is this:
SonicWall WAN address = 64.144.229.52
SonicWall passes DNS queries to frontdoor(192.168.23.2)
Frontdoor DNS responses sould NAT via the Sonicwall an
come back as 64.144.299.52

How do I get the DNS forward zone for setterbo.com in frontdoor to resolve frontdoor to 64.144.299.52 when it's address is set to 192.168.23.2? AD automatically puts an address record for the private address in the zone table. I have the lurking feeling that I am doing something absolutly brain dead ;-)

 

[GrnEyedLdy]

Bsetterb,

Right-click your Forward lookup zone, choose Properties and then click the Forwarders tab. The IP address of your ISP's DNS server should be added here to allow forwarding of DNS requests that cannot be resolved Internally.

That is unless I have misunderstood the post...:-D

Patty

 

[brontosaurus]

ok, here's the problem as I see it. NS1 and NS2 are both listed as authoritative nameservers for your domain, setterbo.com. HOWEVER, both NS1 and NS2 then list "frontdoor" as the Start of Authority, AND have "frontdoor" listed as 192.168.23.2. Obviously, this will not work, as that's a private address. Not to mention that they also list "setterbo.com" at 192.168.23.2...
In a nutshell, since your server, "frontdoor" is also listed as authoritative, depending on what nameserver gets hit, the average user gets a 33% chance of "getting it right". However, once it's wrong, it'll stay wrong until the TTL runs out, that's bad. So, you need to have NS1 and NS2 changed by your ISP to begin the mending process. Hope that wasn't too confusing....

 

[bsetterb]

GrnEyedLdy,
Thanks, but the forwards were already defined. The problem is that the zone file for setterbo.com on frontdoor.setterbo.com has an address record for 192.168.23.2(teh private IP address I have assigned to the machine) which seems to be always added by the Active Directory. Since frontdoor is the primary (with a registered address of 64.144.229.52) I want it to return the public address, not the private address. However it is returning the private address.

brontosaurus,
Not confusing at all. Thanks for the info. I ask these same questions to the hostmaster at DSL.NET. He stated the following:

I have just looked over our copy of your zone file and you have everything in there pointed to private IP addresses, Until you are pointing to public IP addresses you will not work.

Great, I buy all this. The problem is that AD seems to alway add the private address which is propagated when the zone is loaded. Please keep in mind that the Sonicwall has 64.144.229.52 defined for the WAN side with pass thru for DNS to 192.168.23.2(the IP address I have set in frontdoor). Sorry if I seem a bit obtuse on this. DNS has always been a curse to me. Thanks in advance for your patience ;-)

 

[bsetterb]

Ok,
I have been away for most of the day and can finally get back to this problem. Lets say I get DS1 and DS2 to change their records for frontdoor.setterbo.com to 64.144.229.52(as I would think they should be). I still have the problem of the zone file for setterbo.com on frontdoor having an address record for frontdoor as 192.168.23.2. Am I missing some fundamental issue here? Because frontdoor is on the LAN side of the SonicWall I have set its' IP address to 192.168.23.2(is this the problem?). Even if I delete the 'A' record for 192.168.23.2 from the zone file for setterbo.com, it gets added back into the file after I restart DNS(I am assuming this is done by MS Active Directory). So as long as frontdoor reports its' address as 192.168.23.2 things are messed up, correct? There must be a solution that others have used in this situation. TIA...

 

[bsetterb]

More info...
In "DNS->forward zones->setterbo.com->props->types" I changed the type from AD integrated to standard primary. I deleted the private address(192.168.23.2) and added a host record for frontdoor.setterbo.com(64.144.299.52). I left a PTR record of 2 for frontdoor.setterbo.com in 23.168.19.IN-ADDR.ARPA . The IP for frontdoor.setterbo.com now resolved to 64.144.229.52(hurray!). I can get ot

http://www.setterbo.com

from my internal machines(hurray!). I can NOT get to

http://www.setterbo.com

from external machines(boo!). One step forward, one step backward ;-)

 

[brontosaurus]

strange, I can get to it....you sure it's not the machine you're on?