.local trying to get to .com site hosted internally


dougmbti

IS-IT--Management
Dec 4, 2003
44
US
We have our ISP holding the mycompany.com domain - we handle email and web on our servers.

I have a Win 2k3 server with mycompany.local DNS and AD running on a 192... internal network. I have a Win 2k3 stand-alone server running IIS hosting mycompany.com web site on a 10... optional network.

Problem: Internal user computer tries to go to website and it errors out. However, the external world can reach the site just fine. I perform nslookup on and I get the correct global IP address from the Non-authoritative answer.

Question: What am I missing? Is this DNS, firewall (Watchguard FB1000), or something else?

Much thanks in advance.
Doug
 
Check the DNS cache on your primary Win2k3 server (192.x.x.x net). Also, you said NSLOOKUP resolves correctly, but what about a ping from your 192.168.x.x network?

"Rule #1 - When stumped, check your Event Logs!
 
Not sure what "check the cache" means. When this server was built, it was built with all the default settings and options.

Ping works just fine to both the and the global ip address.

The results for the nslookup are as follows:
*** Can't find server name for address 192...: Non-existent domain
Server: Unknown
Address: 192...

Non-authoritative answer:
Name: Address: correct global ip
 
Sounds like a NAT problem. The stand-alone server in the 10.x.x.x subnet hosts the website you are trying to reach? If so then maybe your router/firewall is blocking the traffic back into your LAN...
Try reaching the site by using the 10.x.x.x address.

Jeffrey
 
The 10... address would work, but now I have the host header turned on because we have multiple sites and they all use the same global ip.
 
I see this all the time. You simply need to create a local DNS entry for the Point it to a local IP and be sure you have a matching Header record to that IP.

I hope you find this post helpful.

Regards,

Mark
 
Markdmac, I see that a lot too...but I think this user is running a .local internal domain, not a .com domain.

Doug, can you confirm that? If so, I don't see how the would solve the issue, other than making resolve to the website.

Doug, you want the to resolve, right?

"Rule #1 - When stumped, check your Event Logs!
 
Correct on both questions ...

I have mycompany.local as the internal domain and we host our mycompany.com web site on a web server in the "dmz" of our network. Our ISP actually "hosts" the zone files, etc. we just host the actual web site on our web server. I want users on the internal network to be able to use their IE browsers and get to Right now it errors out and the nslookup results are in a previous post.
 
One more test ... if I edit my host file with the correct 10... address, IE opens up just fine. Remove the entry and it does not work.

This has to be DNS right?
 
As I specified above....

Your test confirms this.

I hope you find this post helpful.

Regards,

Mark
 
Ok, when I try to add the alias in the internal dns tree, it is still tagged with .local information. How do you create a separate entry just for the .com information that is separate from the .local information? Does a new zone need to be created or can you have a .com alias in the .local zone?

I know enough about DNS to function, but I'm not sure what to do with your confirmation that it is a DNS issue.

Thanks for your help.

Doug
 
Doug,

You have to create a forward lookup zone "mycompany.com" and create a host (A) record called 'www' with the correct IP address.

Jeffrey
 
Correct me if I'm wrong, but once they do that, then they have to manage DNS on the server for that entire domain, right?

The reason I ask is because then it becomes a pain managing your external DNS records for your internal users. Not that it can't be done, I just know my company had a lot of DNS A records, and we tried maintaining it on an external name server and internally for our clients and it was just something extra to maintain.

I don't think the above solution is the best one, but it will work for what you're doing Doug.

"Rule #1 - When stumped, check your Event Logs!
 
They have to add all DNS records they need to resolve for the internal clients. When a client does a DNS query on a DNS server, the server will check if it is authoritative for that domain/zone. If it is (i.e. when there is a forward lookup zone configured) then it will try to resolve locally (a simple query); if it is not (there is no forward lookup zone configured) it will forward the DNS query to the DNS server that *is* authoritative for the domain (a recursive query).

As far as I can tell there are two options to resolve this issue: correct the NAT problem so the internal clients can reach the website using the public IP address, or manage the DNS zone mycompany.com on your internal DNS servers.

I agree that option one is a better solution but as a workaround you could choose option 2.
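
Added example, not part of the original posts: a small Python model of the lookup decision described above, showing why an internal mycompany.com zone that holds only 'www' stops every other name in that domain from resolving. It goes one step beyond the thread by also modelling a zone named after the single host; all addresses and the names dc1 and mail are constructed placeholders.

```python
# Added illustration; every name and address below is a constructed placeholder.
PUBLIC = {  # stands in for the ISP-hosted mycompany.com zone
    "www.mycompany.com": "203.0.113.10",
    "mail.mycompany.com": "203.0.113.25",
}

def find_zone(name, zones):
    """Return the most specific locally hosted zone that contains name."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def resolve(name, zones, upstream=PUBLIC):
    """Model the decision above: answer from a local zone or pass the query on."""
    name = name.lower().rstrip(".")
    zone = find_zone(name, zones)
    if zone is None:
        # No local zone covers the name: the query leaves the server and
        # the public answer (or None if there is none) comes back.
        return ("forwarded", upstream.get(name))
    # A local zone covers the name: only local records count, and a miss
    # is a final "no such name" that is never passed upstream.
    addr = zones[zone].get(name)
    return ("local", addr) if addr else ("nxdomain", None)

# 1. Original setup: only the AD zone exists, so clients get the public address.
ONLY_LOCAL = {"mycompany.local": {"dc1.mycompany.local": "192.168.0.10"}}

# 2. Full internal mycompany.com zone that holds just the 'www' record.
FULL_ZONE = {**ONLY_LOCAL, "mycompany.com": {"www.mycompany.com": "10.0.0.5"}}

# 3. Zone named after the single host; the rest of the domain stays public.
HOST_ZONE = {**ONLY_LOCAL, "www.mycompany.com": {"www.mycompany.com": "10.0.0.5"}}

def compare(names=("www.mycompany.com", "mail.mycompany.com")):
    """Resolve each name under the three setups and return the answers."""
    setups = {"only_local": ONLY_LOCAL, "full_zone": FULL_ZONE, "host_zone": HOST_ZONE}
    return {label: {n: resolve(n, z) for n in names} for label, z in setups.items()}

if __name__ == "__main__":
    for label, answers in compare().items():
        for name, result in answers.items():
            print(f"{label:10} {name:20} {result}")
```

In the full-zone setup, mail.mycompany.com comes back as nonexistent for internal clients until its record is copied into the internal zone, which is the maintenance cost raised earlier in the thread.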
 
Based on everyone's explanations, I will configure a forward zone to get this working for the short-term. I will also investigate the firewall for any misconfigurations for a long-term solution.

For what it's worth ... does anyone else use a Watchguard FB III/1000 that might want to lend some insight? .....

Thanks for all your help!

Doug
 