Dumbo DNS Question

Devildog74
User
Posts: 719
Joined: 04-Feb-2004
# Posted on: 02-Aug-2005 07:51:09   

In my office I run a Windows 2k3 domain controller with DNS running. My forward lookup zone maps to edevs.com, and the IP address of the server. The domain controller is also running DHCP and WINS. All computers (not servers) in the internal network get their IP, gateway, subnet, WINS, and DNS IP addresses from DHCP settings.

The IP address of the Gateway / Router is 192.168.111.1, and the IP address of the PDC is 192.168.111.3.

The external DNS servers, i.e. the ones outside the firewall, are 65.32.1.65 and 65.32.1.70. My DNS server (192.168.111.3) is set up to forward to the external DNS in the event that the DNS entry is not found.

Whew, so, here is the problem.... I am hosting my mail service with Network Solutions, so if you were to ping mail.edevs.com.networksolmail.net internally, it would ping the Network Solutions mail servers. If you were to do an nslookup on the same name (mail.edevs.com.networksolmail.net) it would resolve to the same IP that comes back in the ping reply, BUT the DNS server being used in the nslookup is the PDC, which is to be expected (because it will forward DNS queries). There is no mail.edevs.com entry or MX record in the internal DNS server.

When I ping mail.edevs.com, or nslookup mail.edevs.com, why isn't the DNS query sent outside the building? There are no DNS records defined on the internal network for mail.edevs.com. How can I modify my internal DNS to route traffic requesting mail.edevs.com to the Network Solutions mail servers?

I just want to write code, any help would be much appreciated.

Otis
LLBLGen Pro Team
Posts: 39801
Joined: 17-Aug-2003
# Posted on: 02-Aug-2005 11:42:08   

I have a similar setup here, and I think you made a mistake with the DNS zone setup / AD naming setup.

The thing is: local domains should be named as name.local, not name.com. .local is a non-known root domain, so it won't mess with checking root DNS systems to figure out what the IP is.

My PDC server is on 192.168.0.1 (win2k3 domain). I have a domain, sd.local. In the properties of the server (not the zone) in DNS management: forwarders: just the external ISP DNS systems, not itself nor the router. The forward zone is sd.local, and properties of that have: servername.sd.local as primary server in start of authority and servername.sd.local as nameserver.

Now, the thing is: when I ping somesubdns.sd.local, I get the local address. When I ping www.sd.nl, I get the IP address on the internet of our co-located server, as it's not local by definition; only .local domains are local.

As default gateway I've defined my router's IP address for all machines. As DNS server, the pdc. My router is also my (hardware) firewall so my PDC isn't required for routing.

I think it gets confused by edevs.com. That's a local domain, so it never goes to the internet to ask for an IP address.

As you're using win2k3, you can rename your AD domain name, so I'd suggest edevs.local. Then edevs.com is not local anymore and it will go to the root DNS for com to ask for edevs.com's DNS host, which is networksolutions, and you'll get your IP address.

Frans Bouma | Lead developer LLBLGen Pro
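To make the behaviour Otis describes concrete, here is an added example (not code from the thread, and not how the Windows DNS service is implemented) that models the one decision that matters: a server that is authoritative for a zone answers names under that zone from its own data, including an authoritative NXDOMAIN, and only forwards names that fall outside every zone it owns. The zone contents, the "external" answers and the 203.0.113.x addresses are constructed; only the 192.168.111.3 address and the edevs.com name come from the thread. The third scenario (copying the public records into the internal zone) is the usual alternative to renaming the domain and is not something the thread suggests.

```python
"""Toy model of authoritative-vs-forwarded resolution on an internal DNS server.

Added example; not code from the thread and not the Windows DNS implementation.
All zone data and the 203.0.113.x addresses below are constructed.
"""
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"

# Constructed stand-in for what the ISP forwarders (65.32.1.65/.70 in the
# thread) would return for public names.
EXTERNAL_ANSWERS = {
    "mail.edevs.com": "203.0.113.25",
    "mail.edevs.com.networksolmail.net": "203.0.113.25",
    "www.edevs.com": "203.0.113.80",
}


@dataclass
class DnsServer:
    """Server that owns some zones and forwards everything else."""
    zones: dict                      # zone name -> {fqdn: ip}
    forwarders: dict                 # name -> ip (stand-in for the outside world)
    log: list = field(default_factory=list)

    def authoritative_zone(self, name):
        """Longest-suffix match of `name` against the zones this server owns."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def resolve(self, name):
        name = name.lower().rstrip(".")
        zone = self.authoritative_zone(name)
        if zone is not None:
            # The server owns this zone, so the answer (or NXDOMAIN) is
            # authoritative and the query is never sent to the forwarders.
            self.log.append(f"{name}: answered from zone {zone}")
            return self.zones[zone].get(name, NXDOMAIN)
        self.log.append(f"{name}: forwarded")
        return self.forwarders.get(name, NXDOMAIN)


def scenario_thread():
    """The poster's setup: the AD zone is edevs.com, so mail.edevs.com is an
    authoritative NXDOMAIN, while the networksolmail.net name (outside the
    zone) is forwarded and resolves."""
    srv = DnsServer({"edevs.com": {"pdc.edevs.com": "192.168.111.3"}}, EXTERNAL_ANSWERS)
    return srv.resolve("mail.edevs.com"), srv.resolve("mail.edevs.com.networksolmail.net")


def scenario_renamed():
    """Otis' fix: the internal zone is edevs.local, so edevs.com is forwarded."""
    srv = DnsServer({"edevs.local": {"pdc.edevs.local": "192.168.111.3"}}, EXTERNAL_ANSWERS)
    return srv.resolve("mail.edevs.com"), srv.resolve("pdc.edevs.local")


def scenario_split_horizon():
    """Keep edevs.com internally and copy the public records into the internal
    zone by hand.  Every public name that is *not* copied stays NXDOMAIN."""
    internal = {"pdc.edevs.com": "192.168.111.3", "mail.edevs.com": "203.0.113.25"}
    srv = DnsServer({"edevs.com": internal}, EXTERNAL_ANSWERS)
    return srv.resolve("mail.edevs.com"), srv.resolve("www.edevs.com")
```

On a real server the same distinction is visible in `nslookup mail.edevs.com 192.168.111.3`: an answer from a zone the server owns is printed without the "Non-authoritative answer:" line, and a missing name under that zone comes back as "Non-existent domain" without any forwarder ever seeing the query; `nslookup -type=soa edevs.com 192.168.111.3` shows whether the internal server holds the SOA for the name. One caveat on the .local advice: RFC 6762 has since reserved .local for multicast DNS, so current practice is to name the internal zone as a subdomain of a name you own (ad.edevs.com or corp.edevs.com, for example), which avoids both the mDNS clash and the shadowing problem in this thread.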
Devildog74
User
Posts: 719
Joined: 04-Feb-2004
# Posted on: 02-Aug-2005 13:09:36   

Awesome explanation and it makes sense. Thanks again for the help.

Otis
LLBLGen Pro Team
Posts: 39801
Joined: 17-Aug-2003
# Posted on: 02-Aug-2005 14:00:18   

I know what you're going through. Oh man, the weekends I wasted on this DNS/AD shit.

Frans Bouma | Lead developer LLBLGen Pro
alexdresko
User
Posts: 336
Joined: 08-Jun-2004
# Posted on: 02-Aug-2005 14:54:22   

This is a sore topic for me too, as my setup is similar here at the office. I've heard about the .local naming convention before, but mine works a little differently. Our external domain name is 3pointoh.com (public site). Our PDC is named internal.3pointoh.com. This way I can create multiple test websites that work from the outside world, such as http://test.internal.3pointoh.com.

Otis
LLBLGen Pro Team
Posts: 39801
Joined: 17-Aug-2003
# Posted on: 02-Aug-2005 16:49:22   

alexdresko wrote:

This is a sore topic for me too, as my setup is similar here at the office. I've heard about the .local naming convention before, but mine works a little differently. Our external domain name is 3pointoh.com (public site). Our PDC is named internal.3pointoh.com. This way I can create multiple test websites that work from the outside world, such as http://test.internal.3pointoh.com.

Ah, ok, though your PDC has a public IP then (or is re-routed via the router/firewall)? In that case you're right; mine isn't reachable from the outside world.

Frans Bouma | Lead developer LLBLGen Pro
alexdresko
User
Posts: 336
Joined: 08-Jun-2004
# Posted on: 02-Aug-2005 19:48:20   

Yes, my PDC has an external IP address. Most people would say that's a bad idea, but it's been sitting in the DMZ for almost 4 years (i.e., no firewall) and it's never been broken into. And after installing Win2k3 Server SP1 this morning, I feel just that much safer.

Otis
LLBLGen Pro Team
Posts: 39801
Joined: 17-Aug-2003
# Posted on: 03-Aug-2005 10:04:34   

alexdresko wrote:

Yes, my PDC has an external IP address. Most people would say that's a bad idea, but it's been sitting in the DMZ for almost 4 years (i.e., no firewall) and it's never been broken into. And after installing Win2k3 Server SP1 this morning, I feel just that much safer.

Isn't a DMZ a subnet controlled by a firewall?

Frans Bouma | Lead developer LLBLGen Pro
alexdresko
User
Posts: 336
Joined: 08-Jun-2004
# Posted on: 03-Aug-2005 15:15:52   

Otis wrote:

alexdresko wrote:

Yes, my PDC has an external IP address. Most people would say that's a bad idea, but it's been sitting in the DMZ for almost 4 years (i.e., no firewall) and it's never been broken into. And after installing Win2k3 Server SP1 this morning, I feel just that much safer.

Isn't a DMZ a subnet controlled by a firewall?

I always assumed it to mean a computer that is "out in the open".

(pronounced as separate letters) Short for demilitarized zone, a computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet.

Otis
LLBLGen Pro Team
Posts: 39801
Joined: 17-Aug-2003
# Posted on: 03-Aug-2005 16:51:41   

alexdresko wrote:

Otis wrote:

alexdresko wrote:

Yes, my PDC has an external IP address. Most people would say that's a bad idea, but it's been sitting in the DMZ for almost 4 years (i.e., no firewall) and it's never been broken into. And after installing Win2k3 Server SP1 this morning, I feel just that much safer.

Isn't a DMZ a subnet controlled by a firewall?

I always assumed it to mean a computer that is "out in the open".

(pronounced as separate letters) Short for demilitarized zone, a computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet.

No, a DMZ is a subnet behind a firewall that is not connected directly to the internal network. So if you want to connect to a system in the DMZ, you go through the firewall to the DMZ, and if you want to connect to it from the internet you also go through the firewall. So even if you're hacked (webserver is hacked through URL buffer overflows for example, script bugs etc.), the internal network isn't reachable for you, as you have to go through the firewall.

Your machine was just what we call here a 'sitting duck' (unless you used the built-in firewall in win2k3 and disabled a lot of services/ports).

Frans Bouma | Lead developer LLBLGen Pro
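Otis' description above is the classic three-zone layout: the firewall sits between all three of internet, DMZ and internal LAN, and nothing reaches the LAN from the DMZ unless a rule says so. As an added example (not from the thread), here is that policy written the way a firewall actually evaluates it: addresses are classified into zones by subnet, rules are checked top to bottom with first match winning, and anything unmatched is denied. The 192.168.111.0/24 range is the poster's LAN; the 172.16.1.0/24 DMZ, the 172.16.1.10 web server and the 198.51.100.7 outside host are made up for the example, as are the rules themselves.

```python
"""Three-zone firewall policy (internet / DMZ / internal) as a first-match
rule list with default deny.

Added example, not from the thread.  The DMZ range, the outside host and the
rule list are constructed; 192.168.111.0/24 is the poster's LAN range.
"""
import ipaddress

ZONES = {
    "internal": ipaddress.ip_network("192.168.111.0/24"),
    "dmz": ipaddress.ip_network("172.16.1.0/24"),      # constructed
}


def zone_of(ip):
    """Classify an address; anything outside the known subnets is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# (src_zone, dst_zone, proto or None, dst_port or None, action); first match wins.
RULES = [
    ("internet", "dmz", "tcp", 80, "allow"),        # public web server
    ("internet", "dmz", "tcp", 443, "allow"),
    ("internal", "dmz", None, None, "allow"),       # admins manage DMZ hosts
    ("internal", "internet", None, None, "allow"),  # outbound from the LAN
    ("dmz", "internet", "tcp", 443, "allow"),       # DMZ host fetching updates
    # No rule allows dmz -> internal: a compromised web server cannot open a
    # new connection to the domain controller or anything else on the LAN.
]


def decide(src_ip, dst_ip, proto, dst_port):
    """Return 'allow' or 'deny' for one new connection crossing the firewall."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"  # same-zone traffic never crosses the firewall
    for r_src, r_dst, r_proto, r_port, action in RULES:
        if (r_src, r_dst) == (src, dst) and r_proto in (None, proto) \
                and r_port in (None, dst_port):
            return action
    return "deny"  # default deny: nothing not explicitly allowed gets through


def pivot_from_compromised_dmz_host(pdc_ip="192.168.111.3"):
    """What an attacker who owns the DMZ web server (172.16.1.10, constructed)
    can reach on the PDC.  Returns (service, decision) for the usual pivot targets."""
    targets = [("kerberos", 88), ("ldap", 389), ("smb", 445), ("rdp", 3389)]
    return [(name, decide("172.16.1.10", pdc_ip, "tcp", port)) for name, port in targets]
```

The contrast with the 'sitting duck' is that, with no firewall in front of the host, every port it listens on is reachable from the internet and, if the host is itself a domain controller, a compromise is a compromise of the whole domain rather than of one web server in an isolated subnet. The model only covers new connections; a real stateful firewall also lets reply packets of an allowed connection back through, which is not shown here.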
alexdresko
User
Posts: 336
Joined: 08-Jun-2004
# Posted on: 03-Aug-2005 18:06:02   

I know I shouldn't believe everything I read on the internet, but...

http://compnetworking.about.com/cs/networksecurity/g/bldef_dmz.htm "In a true DMZ, incoming requests must first pass through a DMZ computer before reaching the firewall. "

http://www.realvnc.com/pipermail/vnc-list/2002-July/031637.html "It's jargon for an area of a LAN that is outside of your protection and shut off from the rest of the LAN."

OTOH http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci213891,00.html "Users of the public network outside the company can access only the DMZ host. The DMZ may typically also have the company's Web pages so these could be served to the outside world. However, the DMZ provides access to no other company data."

I like the term Sitting Duck better anyway.

Otis
LLBLGen Pro Team
Posts: 39801
Joined: 17-Aug-2003
# Posted on: 04-Aug-2005 10:11:13   

alexdresko wrote:

I know I shouldn't believe everything I read on the internet, but...

http://compnetworking.about.com/cs/networksecurity/g/bldef_dmz.htm "In a true DMZ, incoming requests must first pass through a DMZ computer before reaching the firewall. "

Cool. Another computer. "Sponsored by Dell"

http://www.realvnc.com/pipermail/vnc-list/2002-July/031637.html "It's jargon for an area of a LAN that is outside of your protection and shut off from the rest of the LAN."

Sounds ok.

OTOH http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci213891,00.html "Users of the public network outside the company can access only the DMZ host. The DMZ may typically also have the company's Web pages so these could be served to the outside world. However, the DMZ provides access to no other company data."

I like the term Sitting Duck better anyway.

haha. Well, it's not bad to have a system without a firewall on the internet, as long as you only enable the ports which have services behind them. So if you only serve webpages, you can, in the TCP/IP filtering settings, just enable 80 (and 443 for SSL) and that's it. It greatly mitigates the attack surface, and brings it down to: how strong is your webserver. Which mainly comes down to how well you develop your scripts. Nowadays IIS is pretty solid, if you remove all default junk of course, like an internet printer link (who is so stupid to cook up such a feature? Must be the same brilliant mind who invented the feature to hide file extensions in Explorer).

Frans Bouma | Lead developer LLBLGen Pro
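Otis' closing advice, expose only the ports that have a service behind them, is only as good as your knowledge of what the host is actually listening on. The following added example (not from the thread) audits a Windows `netstat -ano` listing against an allowlist of (protocol, port) pairs and reports every socket that is reachable from the network and not on the list; loopback-only listeners are skipped because they are not exposed. The listing below is constructed for the example, with made-up PIDs and addresses. Note that a domain controller necessarily listens on Kerberos, LDAP, SMB and RPC in addition to whatever web ports it serves, so on a DC that sits on a public address an allowlist of just 80 and 443 will report exactly the services that make it a DC.

```python
"""Audit a Windows `netstat -ano` listing for exposed listeners.

Added example, not from the thread.  SAMPLE_NETSTAT is a constructed listing;
the PIDs and addresses in it are made up.
"""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1652
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       472
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       472
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1652
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1200
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       900
  TCP    198.51.100.7:80        203.0.113.9:51234      ESTABLISHED     1652
  UDP    0.0.0.0:161            *:*                                    1340
  UDP    127.0.0.1:1900         *:*                                    1100
"""

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Ports a public web server actually needs; everything else is a finding.
DEFAULT_ALLOWED = frozenset({("TCP", 80), ("TCP", 443)})


def parse_listeners(netstat_text):
    """Yield (proto, bind_addr, port, pid) for every bound socket.

    TCP rows carry a State column and only LISTENING rows are listeners;
    UDP rows have no State column (a bound UDP socket is always reachable),
    so the column count tells the two row shapes apart."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue                      # headers, blank lines
        proto, local = fields[0], fields[1]
        addr, port = local.rsplit(":", 1)  # rsplit so [::]:80 parses too
        if proto == "TCP":
            if len(fields) < 5 or fields[3] != "LISTENING":
                continue                  # ESTABLISHED/TIME_WAIT are not listeners
            pid = int(fields[4])
        else:
            pid = int(fields[3])
        yield proto, addr, int(port), pid


def exposed_listeners(netstat_text, allowed=DEFAULT_ALLOWED):
    """Return sorted (proto, port, pid) for network-reachable listeners that are
    not on the allowlist.  An empty list means the host exposes only what the
    allowlist says it should."""
    findings = []
    for proto, addr, port, pid in parse_listeners(netstat_text):
        if addr in LOOPBACK:
            continue                      # bound to loopback: not reachable remotely
        if (proto, port) in allowed:
            continue
        findings.append((proto, port, pid))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, pid in exposed_listeners(SAMPLE_NETSTAT):
        print(f"exposed: {proto}/{port} (pid {pid})")
```

On the real host, capture `netstat -ano` to a file and feed its contents to `exposed_listeners`; anything it reports is either a service to stop, a port to leave out of the TCP/IP filtering allow-list the post mentions, or a service to bind to loopback instead of 0.0.0.0. Re-running it after each change is the check that the filter really did shrink the attack surface to "how strong is your webserver".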