Split DNS needed -- websites not viewable on LAN

#1 Tue, 11/20/2007 - 05:00
AaronCP


How do I set up Split DNS using Virtualmin? None of our websites are viewable on our internal LAN, but they work fine from outside our network. I've searched the net and think I need to set up Split DNS.

If that's the case, how do I do so with Virtualmin? If not, what do I need to do so our internal network can view our websites?

Thanks, Aaron

Tue, 11/20/2007 - 19:15
ConRadical

I think you need to find your problem before you try a solution.
Do an nslookup on your domain from internally and see what IP address you get. I've had many clients have this problem when they have an Active Directory setup using domain.com rather than domain.local. It makes for an interesting internal/external DNS issue. Nonetheless, the problem can usually be resolved by adding a second www record to the internal DNS zone.

If you get the external IP when you do the lookup, check your router/firewall settings.

That's my 2 cents. Good luck!

Wed, 11/21/2007 - 03:18 (Reply to #2)
AaronCP

Yep, I get an external IP address.

What settings am I looking to change in the router/firewall?

Thanks
Aaron

Wed, 11/21/2007 - 03:58 (Reply to #3)
ConRadical

That would depend on the kind of firewall you have. Basically you need to make sure that LAN-to-WAN traffic isn't blocked. Do a tracert and see what it's doing.

Wed, 11/21/2007 - 11:19 (Reply to #4)
ConRadical

ConRadical wrote:
> I think you need to find your problem before you try a solution.
> Do an nslookup on your domain from internally and see what IP address you get. I've had many clients have this problem when they have an Active Directory setup using domain.com rather than domain.local. It makes for an interesting internal/external DNS issue. Nonetheless, the problem can usually be resolved by adding a second www record to the internal DNS zone.
>
> If you get the external IP when you do the lookup, check your router/firewall settings.
>
> That's my 2 cents. Good luck!

Ah, your virtualmin box must be on the LAN and you're using NAT and port forwarding to make it connect, correct? If that's the case it sounds like your router isn't routing right.

Alternatively, you can fix this by adding the domain.us to your internal DNS server and adding the local IP to the zones. This does become a management nightmare though, because you now have two separate DNS servers for the same thing, and if you want to change something on one you must do it on the other. ---> This was your solution, correct? I was a little unclear from your comment.

Wed, 11/21/2007 - 11:07
SBNDawg

I have a .us domain on our VM box. Our AD domain is a .local non-standard TLD. What I did to solve this problem and make sure the .us domain is visible inside the .local domain was to make a secondary zone on our DNS servers that only reads the DNS info from the VM box.

Works just fine.

Another possibility would be to edit local machine hosts files and include your info in that file. But if you have more than a few boxes, which I figure you do if you have an AD domain, editing the hosts files would be an ugly solution.

Tue, 02/26/2008 - 07:19
WillSargent

Aaron,

As an admin that has a split DNS infrastructure for my AD domain (both internal and external domains are .com), you are absolutely correct in that a split DNS infrastructure is the best way to attack your problem. I have one for my overall systems (with those DNS servers hosted on AD boxes, with an ISA 2006 firewall), and it works perfectly. Users' computers work the same internally or externally.

However, when you put the virtualmin system into the mix (since it is really independent of my other DNS servers) you have a problem that I haven't easily solved yet.

Strictly speaking, virtualmin does not support split DNS, mainly because on a single box, it would require two copies of BIND running, bound to different internal IP addresses. One copy would be routed to via your NAT box to respond to external requests. The other would be the DNS server that your internal boxes use to not only resolve virtualmin addresses, but also recursively serve all other DNS requests as well. This gets tricky fast, and I recommend reading about split DNS over at isaserver.org for all the gory details.

The other folks are also right in that some NAT devices won't cause this problem. However, that's beyond my scope...

But you came looking for answers, so here's a simple one.

If you have another (non virtualmin) DNS server on your local network (like an AD server) that all of your client machines go to for internet DNS (internal client DNS server ip is 192.168.???.??? for example), and that DNS server does recursive lookups for zones it doesn't serve, then you can manually bandaid the problem.

On that DNS server, manually create each website zone you want the internal clients to go to. For example, if your AD zone is myad.com you already have a zone for that. But let's say you are hosting mywebsite.com. You need to create a primary zone on your internal (only) DNS server that serves that. Then manually enter the records like www.mywebsite.com and point that record to 192.168.1.???. Now, internal users will get that address from the myad.com DNS server, because they go there FIRST, before your ISP's DNS servers, to get IP addresses. External users get forwarded directly to your virtualmin DNS server and get the "real" IP address from them. External users do not ever get the private IP, because the myad.com DNS server is not serving DNS requests to the public web.

That is the essence of split DNS, and it is completely legal and highly recommended.

I wish there was a process to automate this under virtualmin, and I am bugging the guys about it, since it is really a pretty common scenario, and will only get more so as virtual servers continue to increase in popularity.

Good luck, and check out isaserver.org for the real deal on split DNS.
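WillSargent's recipe (an internal-only primary zone for the hosted domain whose www record points at the LAN address, while the Virtualmin box's own BIND keeps answering the outside world with the public address) and ConRadical's "nslookup from inside" test can be modelled in a few lines. The following is an added Python example, not code from this thread, from Virtualmin or from BIND; the domain mywebsite.com, the 192.168.1.0/24 LAN, the nameserver names and the 192.168.1.50 / 203.0.113.10 addresses are constructed placeholders. It renders both views of the zone from one table, answers a query the way the two servers together would, checks that no RFC 1918 address ever lands in the public zone, and classifies what an internal nslookup returned.

```python
"""Split-horizon DNS as described in the thread: an internal-only primary zone
answers LAN clients with private addresses, the public zone (served by the
Virtualmin box's BIND) answers everyone else, and private addresses never
appear in the public zone. Every name and address here is a constructed
placeholder, not anyone's real network."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed LAN prefix: clients inside it use the internal DNS server.
LAN = ipaddress.ip_network("192.168.1.0/24")

# RFC 1918 ranges checked explicitly: ipaddress.is_private also flags the
# documentation ranges (203.0.113.0/24 etc.) used for the placeholders below.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Single source of truth for hosted names: (LAN address, public address).
# One table avoids the "two separate DNS servers for the same thing" drift
# ConRadical warns about; both zone files are rendered from it.
RECORDS: Dict[str, Tuple[str, str]] = {
    "www.mywebsite.com.": ("192.168.1.50", "203.0.113.10"),
    "mail.mywebsite.com.": ("192.168.1.51", "203.0.113.11"),
}


def _fqdn(name: str) -> str:
    """Normalise a name to lowercase, trailing-dot form."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def view_for(client_ip: str) -> str:
    """Which view a querying client falls into."""
    return "internal" if ipaddress.ip_address(client_ip) in LAN else "external"


def resolve(name: str, client_ip: str) -> Optional[str]:
    """Answer a query the way the two zones together would: LAN clients get
    the private address, everyone else the public one, unknown names nothing."""
    rec = RECORDS.get(_fqdn(name))
    if rec is None:
        return None
    internal, external = rec
    return internal if view_for(client_ip) == "internal" else external


def render_zone(origin: str, view: str, primary_ns: str, hostmaster: str,
                serial: int) -> str:
    """Render a BIND-style zone file for one view of one domain. The
    "internal" rendering is what you would load as a primary zone on the
    AD/internal DNS server; "external" is what the public server carries."""
    origin = _fqdn(origin)
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 3600",
        f"@ IN SOA {primary_ns} {hostmaster} ( {serial} 3600 900 604800 300 )",
        f"@ IN NS {primary_ns}",
    ]
    for fqdn, (internal, external) in sorted(RECORDS.items()):
        if not fqdn.endswith("." + origin):
            continue  # record belongs to another zone
        label = fqdn[: -len(origin) - 1]
        lines.append(f"{label} IN A {internal if view == 'internal' else external}")
    return "\n".join(lines) + "\n"


def private_leaks() -> List[str]:
    """Names whose public-view answer is an RFC 1918 address. Anything listed
    here would hand internal addressing to the whole internet."""
    return [name for name, (_, ext) in sorted(RECORDS.items()) if is_rfc1918(ext)]


def diagnose(answer: str, client_ip: str) -> str:
    """Interpret ConRadical's test (nslookup run from inside the LAN):
    'ok'      - LAN client got a LAN address, split DNS is in place
    'hairpin' - LAN client got the public address: no internal zone, so the
                connection has to loop back out through the NAT device
    'n/a'     - client was not on the LAN, a public answer is expected"""
    if view_for(client_ip) != "internal":
        return "n/a"
    return "ok" if ipaddress.ip_address(answer) in LAN else "hairpin"


if __name__ == "__main__":
    print(render_zone("mywebsite.com", "internal", "ns1.myad.com.",
                      "hostmaster.myad.com.", 2007112101))
    print("LAN client:", resolve("www.mywebsite.com", "192.168.1.20"))
    print("Outside client:", resolve("www.mywebsite.com", "198.51.100.7"))
    print("Symptom check:", diagnose("203.0.113.10", "192.168.1.20"))
    print("Private leaks in public zone:", private_leaks())
```

Running it prints the internal zone for mywebsite.com, shows the LAN client getting 192.168.1.50 while the outside client gets 203.0.113.10, and reports "hairpin" for the situation Aaron described (an internal lookup returning the external address). The private_leaks check is the one worth keeping around: the whole point of the internal-only zone is that the public server never carries the 192.168.x.x records, and rendering both views from one table makes that easy to verify before either file is loaded.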
