EA6500 internal DNS

Hi All,
I upgraded from a WET610N to the newer EA6500 recently. I have a problem with connecting using my public DNS name to the local network. It works when I am not on the internal network, but not on the internal network itself. I do see, using the prompt, that the name is resolved properly using nslookup. None of my machines have any entries in their /etc/hosts, so they rely on the public DNS lookup. Entering the IP address locally also works, but I would rather not make /etc/hosts entries for my machines. Any ideas where to look?
Regards, Brian

I have read about this from other posts here in the forum. I believe your concern has something to do with it. To protect your router against possible DNS Rebinding Attacks, certain actions will not work from behind a router. Pinging the router’s WAN IP address from a client that is behind the router will not work. To test this functionality, this must be done from the outside of the router or remote area.
To read more about DNS Rebinding Attacks please check the links below:
http://blog.trendmicro.com/trendlabs-security-intelligence/protecting-your-router-against-possibl-dn...
http://blog.opendns.com/2010/07/27/calling-craig-heffner/
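The reply above explains the behaviour as the router's DNS rebinding protection. The following is an added example, not code from this thread or from Linksys, showing what such a filter does from the router's side: for any name outside the router's own local domain, answers that point into private, loopback or link-local ranges are dropped before they reach the LAN client, while names under the local domain are allowed to resolve to private addresses. The local domain home.lan and every address in the samples are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Ranges that belong on the LAN side of a home router. A filtering resolver
# refuses to return these for names outside its own local domain, so a public
# hostname cannot be pointed at a device behind the router.
_LAN_SIDE_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
        "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" net
        "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 loopback, ULA, link-local
    )
]


def is_lan_side_address(addr: str) -> bool:
    """True if addr falls in a range that should never come from a public name."""
    ip = ipaddress.ip_address(addr)
    # 'in' is False when address and network are of different IP versions
    return any(ip in net for net in _LAN_SIDE_NETWORKS)


def in_local_domain(qname: str, local_suffixes: Iterable[str]) -> bool:
    """True if qname is the router's own local domain or a name beneath it."""
    name = qname.rstrip(".").lower()
    for suffix in local_suffixes:
        suffix = suffix.rstrip(".").lower()
        if name == suffix or name.endswith("." + suffix):
            return True
    return False


def filter_answers(qname: str, answers: Iterable[str],
                   local_suffixes: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Apply rebinding protection to one answer set; returns (kept, dropped).

    Names inside the local domain may legitimately resolve to private addresses
    and are passed through untouched. For every other name, any answer that
    points into a LAN-side range is dropped, which is why some lookups
    "do not work from behind the router".
    """
    if in_local_domain(qname, local_suffixes):
        return list(answers), []
    kept: List[str] = []
    dropped: List[str] = []
    for addr in answers:
        (dropped if is_lan_side_address(addr) else kept).append(addr)
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample lookups; the names and addresses are made up.
    samples = [
        ("www.example.com", ["198.51.100.7"]),
        ("evil.example", ["203.0.113.5", "192.168.1.1"]),   # tries to point at the router
        ("nas.home.lan", ["192.168.1.20"]),                  # local name, private answer is fine
    ]
    for name, answers in samples:
        kept, dropped = filter_answers(name, answers, local_suffixes=["home.lan"])
        print(f"{name:18} kept={kept} dropped={dropped}")
```

A quick way to see whether a router applies this kind of filter is to compare the answer the router's resolver gives for a public name with the answer a resolver outside the LAN gives for the same name; if the two differ only in that private addresses are missing, the filter is in play.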

Similar Messages

  • DNS in DHCP Pool (Internal DNS issue)

    I know that we can set up multiple DNS servers under a DHCP pool, but I'd like to make sure of the order.
    I have multiple branch offices.
    Let us say that the Branch 1 office has a router with 10.30.1.1 as the default gateway.
    Our internal DNS is 10.0.0.1 and 10.0.0.2 as Pri and Sec.
    My order of DNS servers is like below.
    1. gateway
    2. internal DNS
    3. public DNS provided by ISP
    I saw a couple of issues when I put internal DNS first. The particular situation is when IPsec is not working: users could not access the internet through domain names because they had internal DNS, which was not reachable.
    But when the gateway is first in order, I am not sure whether users are able to access internal websites, because the gateway DNS doesn't have internal DNS records.
    So, my question is: what should be the best order for DNS setup under DHCP among default gateway, internal DNS and public DNS? Our current setup doesn't even have the gateway address; it has internal DNS addresses only.
    ip dhcp pool ccp-pool1
    network 10.30.1.0 255.255.255.0
    domain-name test.org
    default-router 10.30.1.1
    netbios-name-server 10.30.1.1
    dns-server  10.30.1.1 10.0.0.1 10.0.0.2 24.25.5.60

    Thank you, Richard.
    You are right. When I set up the router IP as the DNS server in the DHCP pool, it did not work.
    Let me ask regarding external DNS forwarding.
    I'd like to know the process of external DNS.
    User --> Internal website --> OK with internal DNS
    User --> External website --> Internal DNS forwarding to External DNS
    We have our own external DNS (ns). In this case, if the external DNS (ns) is down, is every branch user unable to resolve any external IP because the internal DNS can't get a reply from the external DNS?
    2nd question)
    IPsec is split-tunneled, but in this case, does every DNS request go to the internal DNS, which is located in HQ, and come back through IPsec? Usually split tunnel doesn't send internet traffic through IPsec but directly to the internet.
    3rd Question)
    What is ip name-server x.x.x.x for? When I set up ip name-server 8.8.8.8 and tried to ping 8.8.8.8 from the router, it didn't work. Am I missing something?
    https://supportforums.cisco.com/thread/230711
    Thanks for your time and knowledge.

  • Internal DNS - emailsrvr.mydomain won't resolve, IP does - www works.

    Internal Mail won't resolve to emailserver domain, but LAN ip is fine
    Hey gang, longtime reader first time poster.
    After wrestling with this issue, I'm about out of ideas.
    Here's my setup.
    Leopard server 10.5.4, running OD master (all rocking),
    AFP, Firewall, DNS, (mobile) network home directories.
    I'll call this "xserve.mydomain.com".
    Its NAT'd IP is 192.168.1.102.
    It's a FQDN, kerberos is running and happy, all is well.
    There are about 12
    clients, each with a desktop (imac) and laptop (macbook).
    I have a second (windows 2003 sbe) server hosting the following
    services: Exchange and Web (for now).
    I'll call this winsbe.mydomain.com
    Its NAT'd IP is 192.168.1.101
    My External DNS setup is this.
    Our DNS hosting is done by our registrar (network solutions).
    We own 4 static IPs from our ISP.
    One IP is for our router/firewall providing NAT
    to internal clients, and the xserve is on DMZ, with
    its OSX firewall service turned on.
    One IP is for the windows server. (The last two, if you've been counting, are unused.)
    Via Network Solutions "advanced DNS", I have our zone
    configured. "xserve.mydomain.com" points to its WAN
    IP (66.xxx.xxx.198).
    www points to 66.xxx.xxx.194.
    MX records refer to "winsbe.mydomain.com" via
    WAN IP 66.xxx.xxx.194 as well.
    All outside services resolve correctly.
    i.e., I can hit the website and send/receive email from mydomain.com.
    My internal DNS is set up as this:
    primary zone= mydomain.com
    nameserver= xserve.mydomain.com
    mx record= winsbe.mydomain.com
    xserve.mydomain.com has an A record to LAN IP.
    winsbe.mydomain.com has an A record to LAN IP.
    www is a CNAME record to winsbe.mydomain.com. <---- I'm not sure about this one but it works.....
    My forwarder IP points back to my Router (which seems to give me better performance than using ISP
    DNS from here..)
    I know this is working fine insofar as the webserver, as
    an nslookup (www.mydomain.com) internally resolves www to 192.168.1.101.
    mydomain.com and www.mydomain.com hit the webserver internally
    on client browsers. rock.
    Again, forward AND reverse nslookups internally resolve to winsbe.mydomain.com/192.168.1.101
    Here is my guess as to my problem,
    my internal hostname + A record for the windows server is the same as the MX record
    which has an alias from www.
    I think it's getting effed in there somewhere?
    If I setup email clients with the windows server LAN IP rather than
    the domain "winsbe.mydomain.com" it all works fine.
    I'd frankly be willing to half-*** it with this solution,
    but each client will require a mobile computer, so we can't have that
    I feel like i'm on the right track, but
    just can't make the breakthrough.
    Am I barking up the wrong tree here?
    Here is a last question,
    I have my firewall/router as the "Forwarder IP Address"
    in the last page of Settings in server admin. When i put
    my ISP's DNS servers, i always get a 2 second delay
    for any web query on any client.
    I have "127.0.0.1" as the first DNS entry in xserve Network Preferences.
    The xserve is the only DNS entry in the client computers.
    This isn't a "bad practice" or anything is it?

    For the curious, my named.conf below (haven't messed with it):
    // Include keys file
    include "/etc/rndc.key";
    // Declares control channels to be used by the rndc utility.
    // It is recommended that 127.0.0.1 be the only address used.
    // This also allows non-privileged users on the local host to manage
    // your name server.
    // Default controls
    controls {
        inet 127.0.0.1 port 54 allow { any; }
        keys { "rndc-key"; };
    };
    options {
        include "/etc/dns/options.conf.apple";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
    };
    // a caching only nameserver config
    logging {
        include "/etc/dns/loggingOptions.conf.apple";
    };
    // Public view read by Server Admin
    include "/etc/dns/publicView.conf.apple";
    // Server Admin declares all zones in a view. BIND therefore dictates
    // that all other zone declarations must be contained in views.

  • Internal DNS server and NAT routing issue.

    Hi -- I am not terribly experienced with DNS and I am running into an issue that I can't seem to resolve. My company.com DNS information is hosted by an outside ISP for email, web, etc... but I have configured an A record there to point to the public IP to my mac os x server (server.company.com).
    We have a Cisco router configured with one-to-one NAT from the public IP to the internal IP for our server in a 192.168.15.x subnet. The same router is running DHCP and NAT on that subnet under a different public IP provided by our ISP.
    Our server is running DNS with recursion and has a "company.private" zone set up for internal services and machine names. Thus, the server is accessible via "server.company.com" from the outside and "server.company.private" from the private LAN.
    The problem is that I would like to be able to access some services simply via "server.company.com" both inside and outside the private network. Now, accessing the "server.company.com" services from the private lan does not work because the name resolves to the external IP and the external IP cannot be used internally due to NAT.
    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    I know that I could manually duplicate all entries for our domain from my ISP and host the same entries for internal clients, but it would be much easier to only have our server handle requests for itself. The server is running OS X Server 10.4.11.
    Thanks

    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    Ordinarily, no. Once your server thinks it is responsible for a zone (e.g. company.com) then it will answer all queries for that domain and never pass them upstream. Therefore you'd have to replicate all the zone data, including all the public records, and maintain them both.
    The one possible exception to this (I haven't tried) is to create a zone for server.company.com that has your internal address. In theory (like I said, I haven't tried this), the server should respond to 'server.company.com' lookups with its own zone data and defer all other lookups (including other company.com names since they're not in a zone it controls). Might be worth trying.

  • Internal DNS resolution issue - almost all external sites working

    I administer an Xserve running 10.5.8 Server. This client is running internal DNS due to a few internal services (iChat, mail, VPN, etc.) - but his website, of the same domain, is hosted externally at a hosting provider. This is where I'm running into odd problems. For example:
    ichat.company.com - 10.0.1.100 (when inside the network, also has FQDN on Internet)
    mail.company.com - 10.0.1.100 (same as above)
    www.company.com - xxx.xxx.xxx.xxx (the actual public IP address of the web server at the host)
    Do I need to do it this way? If I don't define the "www" record internally, and point it to the external IP of the hosting provider for the website, the clients inside the network can't see the website, because the internal domain services aren't answering the "www" question and won't hand off to the internet records. It's frustrating because every time the client has a subdomain added to his website, I have to add a record on his internal DNS or it won't resolve at his office. Example:
    newdomain.company.com - xxx.xxx.xxx.xxx (public IP of the web host, or it fails)
    Is there a way to have internal DNS for a domain answer most but not all questions for the domain?
    - Bill

    Just as an aside, you could potentially setup a subdomain for the internal systems, e.g. 'corp.company.com' and setup the internal services in this domain - ichat.corp.company.com, mail.corp.company.com, etc.
    Then to get to the internal systems users use those .corp.company.com hostnames and the rest of .company.com gets sent upstream.
    It may or may not be sufficient for your needs. This kind of model works well for static users that only work in the office but may not work so well for mobile users.
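The two replies above (a zone for just server.company.com, and a corp.company.com subdomain for the internal hosts) rest on the same rule: a server answers from the most specific zone it holds, its answer for that zone is final even when it is "no such name", and only names it holds no zone for are forwarded upstream. The following is an added example, not code from this thread or from OS X Server's DNS service: a Python model of that matching rule with the three layouts side by side. The internal addresses follow the posts (the .10 host address is constructed), the public addresses are RFC 5737 documentation addresses, and public_upstream stands in for the ISP-hosted records. In BIND the narrower zone still needs its own SOA and NS records, which the model leaves out.

```python
from typing import Callable, Dict, Optional

# Constructed data standing in for the records the ISP hosts for company.com.
PUBLIC_DNS: Dict[str, str] = {
    "company.com": "203.0.113.10",
    "www.company.com": "203.0.113.80",
    "server.company.com": "203.0.113.15",   # the NAT'd public address of the server
}


def public_upstream(name: str) -> Optional[str]:
    """Stand-in for the ISP's authoritative servers; None means NXDOMAIN."""
    return PUBLIC_DNS.get(name)


class SplitHorizonServer:
    """A resolver that is authoritative for some zones and forwards everything else.

    A query is answered from the most specific zone the server holds (longest
    matching suffix). If such a zone exists the answer is final, even when the
    name is absent from it; nothing inside an owned zone is ever forwarded.
    """

    def __init__(self, zones: Dict[str, Dict[str, str]],
                 upstream: Callable[[str], Optional[str]]):
        self.zones = {z.strip(".").lower(): dict(recs) for z, recs in zones.items()}
        self.upstream = upstream

    def zone_for(self, name: str) -> Optional[str]:
        labels = name.split(".")
        for i in range(len(labels)):            # most specific candidate first
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def resolve(self, name: str) -> Optional[str]:
        name = name.strip(".").lower()
        zone = self.zone_for(name)
        if zone is None:
            return self.upstream(name)          # not ours: forward upstream
        return self.zones[zone].get(name)       # ours: authoritative, None == NXDOMAIN


def whole_domain_internally() -> SplitHorizonServer:
    """The setup in the posts: the internal server owns all of company.com."""
    return SplitHorizonServer(
        {"company.com": {"server.company.com": "192.168.15.10"}}, public_upstream)


def single_host_zone() -> SplitHorizonServer:
    """The first reply's suggestion: a zone for just server.company.com."""
    return SplitHorizonServer(
        {"server.company.com": {"server.company.com": "192.168.15.10"}}, public_upstream)


def corp_subdomain() -> SplitHorizonServer:
    """The second reply's suggestion: internal hosts live under corp.company.com."""
    return SplitHorizonServer(
        {"corp.company.com": {"mail.corp.company.com": "10.0.1.100"}}, public_upstream)


if __name__ == "__main__":
    for label, srv in (("whole domain", whole_domain_internally()),
                       ("single-host zone", single_host_zone()),
                       ("corp subdomain", corp_subdomain())):
        print(label)
        for q in ("server.company.com", "www.company.com", "mail.corp.company.com"):
            print(f"  {q:24} -> {srv.resolve(q)}")
```

The first layout reproduces the symptom in both posts: www.company.com gets a negative answer from the internal server and is never forwarded, so every new public subdomain has to be copied inside. The other two layouts forward it, because the internal server holds no zone that covers the name.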

  • Access website with same name as internal dns...

    Hi there
    I've set up a server with internal dns zone as 'example.com' with the machine name being 'server.example.com'
    Everything has been going well, but we cannot now access our externally hosted website at 'www.example.com'. I now realise from looking at other posts on the web that perhaps I should not have used the same DNS address internally as is used externally, but we have plans to bring mail servers in-house and so thought that this would be the correct way to go.
    Can anyone offer advice on the correct way to resolve this?
    Thanks

    From what you're saying then, I need to change the DNS host name of the internal network to example.net or similar.
    You can use a level within your own domain, such as server.internal.example.com, where server is the host name and internal identifies a host within your network, and example.com is a domain you own. Larger networks use this construct to identify hosts within a corporate site or a particular building, such as www.corp.example.com, www.frobnitz.example.com and www.boston.example.com.
    I assume it doesn't matter if I don't own the domain example.net?
    Do not use a domain that you do not have permission to use.
    Only use domains you own (best), or domains that will never be active.
    It's best if you use a domain you own or a subdomain of a domain you own, or (less desirably, but functional) use a Top Level Domain (TLD) string that will never be a domain (a completely made-up domain such as server.tvkiddomain, where tvkiddomain is a text string that will never match a real domain such as .COM or .NET or .BIZ or .TRAVEL or the country codes or the gazillions of these TLD strings that are coming on-line). (That there are TLDs coming on-line makes this somewhat more risky; you can end up using a domain you don't own if somebody lights up a matching TLD.)
    The second parallel domain is small cost and simple, particularly as you need few or no services for it from your registrar. (When I buy domains for a site, I usually purchase several TLDs around the domain -- such as the classic big three .COM, .NET and .ORG -- and then have these available for just this sort of purpose. It's easier to buy these up front than to add them later, given the usual domain squatting that can happen. And it's not much money. And it's flexibility for later network activities, and far easier to describe and to support.)
    Will the changeip command change the DNS name of machines that I've set up, so that server.example.com will be renamed server.example.net? I assume I'll need to unbind and rebind any client machines that I've bound to the server?
    changeip would be the tool I'd use, yes. And I'd reconnect, yes. There's a DNS command around that flushes the DNS caches on the clients; you'll also need to clear that.
    Prior to Leopard, on each DNS client:
    sudo lookupd -flushcache
    Leopard DNS cache flush, on each DNS client:
    sudo dscacheutil -flushcache
    Thanks for the pointer to the other post, was helpful, but I think that changing the internal DNS host name will be the simplest option...
    IMO, the simplest option is to avoid domain name collisions and to avoid domains you don't own; to maintain the basic operations and assumptions of DNS.
    Bad DNS is one of the few things you can do that can screw up other hosts and other sites on the Internet.

  • New Asa 5505... Anyway to set up behind home router with no internal DNS?

    Since the home router is the DNS server, the Asa has no internal DNS which is probably the cause of no internet. Is there any way around this?

    Can you not simply use the ASA as the DHCP server and include the DNS server in your DHCP configuration ?
    Jon

  • Is anyone set up to use anycast for internal DNS?

    Good Afternoon,
    I've been considering using Anycast to provide some redundancy for internal DNS lookups. Configuring DNS and subsequent slave zones in Leopard is easy enough and as I understand it, Anycast is just a way of configuring routers so that one IP address can resolve to many different machines.
    I see some of the benefits of using Anycast in that we can have the same 2 dns ip addresses in perpetuity and that as long as one node is up, people will be able to get out.
    So my question to you guys: Has anyone done this? If so, is there anything I need to look out for before I start? Is there something you wish you'd known before you started down this path.
    I'd love to hear your experiences and read any documentation you might have kept. I thought Mr Hoffman's write up on his DNS services was really excellent btw.
    Cheers,
    dave

    Do you have a particularly large infrastructure?
    IP Anycast is usually implemented via BGP announcements from your router(s), with each router using the BGP tables to determine the 'best' server to use. If you're doing this for internal DNS then that assumes you're already running IBGP.
    Even then, BGP is a pretty dumb protocol - all it does is say 'hey, here's how to get to a.b.c.d IP address'. It has no idea whether the specific server/service you're after is available at that address.
    In other words, even if you setup IP Anycast via IBGP you'll still have clients routing to a dead server unless you can somehow update your BGP tables when a server goes down. Not a trivial task for most routers.
    It sounds like what you really want is more load balancing than IP Anycast. There are numerous load balancers that can do this. Another option (if your DNS servers are physically close) is to use some kind of failover process so that the second server assumes the role (and IP address) of the first server should it fail (and vice versa). That option is built-in to Mac OS X Server (although it takes a little command-line jiggling to get it working).
    Then again, the whole point of defining multiple DNS servers on the client is that the client will automatically fail over to alternate servers if it doesn't get a response from the first - in other words, the clients already have built-in failover for DNS (although the user will notice lookup delays when the primary server is offline).

  • DNS resolution on Anyconnect - multiple different internal DNS servers

    All,
    We have multiple different internal Windows AD domains within our network, that currently do not replicate their DNS zones between them.
    Is there anyway with an ASA/anyconnect VPN to create a configuration so the ASA inspects the DNS lookups from a user connected via the anyconnect VPN client, and route it to a defined internal DNS server?
    For example, I have three internal AD domains: site1.com with a DNS server IP of 1.1.1.1, site2.com 2.2.2.2, site3.com with a DNS server IP of 3.3.3.3. When a user VPNs in and performs a DNS lookup for the name server1.site1.com, the ASA sees it is for site1.com and routes the lookup to 1.1.1.1; however, when a user performs a DNS lookup for server1.site2.com, the ASA sees it is for site2.com and routes the DNS lookup to 2.2.2.2.
    Any thoughts on alternatives to overcome the problem are also welcome, and/or if anyone can point me to a link that explains the function of "multiple DNS server groups", which is located in the ASDM interface under Remote Access VPN->DNS (as I have not been able to find a plain English explanation of the function, I am unsure if this does what I am looking for).
    Thanks

    Hi Dominick,
    I have a solution for your problem. You will need to log into the CLI of the WSA and issue the following commands:
    s370r01.csw> dnsconfig
    Currently using the local DNS cache servers:
    1. Priority: 0  10.9.8.8
    Choose the operation you want to perform:
    - NEW - Add a new server.
    - EDIT - Edit a server.
    - DELETE - Remove a server.
    - SETUP - Configure general settings.
    - SEARCH - Configure DNS domain search list.
    []> localhosts <----- Hidden Command
    Local IP to Host mappings:
    Choose the operation you want to perform:
    - NEW - Add new local IP to host mapping.
    - DELETE - Delete an existing mapping.
    []> new
    Enter the IP address of the host you are adding.
    []> 10.1.1.1 < -------- IP of the M series
    Enter the canonical host name and any additional aliases (separate values with spaces)
    []> Host name of the M series. Hit enter until you get back to the command prompt and type commit then enter.
    Sincerely,
    Erik Kaiser
    WSA CSE
    WSA Cisco Forums Moderator

  • CAS array internal DNS IP address best practice

    Hi, Just a question about a best practice approach for DNS and CAS arrays.
    I have an Exchange 2010 Org. I have two CAS/HUB servers and two MBX servers. My external DNS (mail.mycompany.biz) host record points to a public IP address which is NAT'd to the internal IP address of my NLB CAS cluster. I maintain a split-brain DNS. Should the internal DNS entry for mail.mycompany.biz also point to the public IP address, or should it point to the internal IP address of the NLB cluster?

    A few comments:
    The reason you have split DNS is to do exactly these sorts of things: inside users hit the inside IP and outside users hit the outside IP. You'll have to look at your overall network design to see if it makes sense for users to take this shortest route to the services, or if there is value in knowing all users simply take the same path.
    You should not be using the same DNS name for your web services (e.g. OWA) as you are for your CAS array. This can cause very long connection delays on Outlook clients, not to mention overall confusion in your design. Many orgs will use something like "outlook.domain.com" for the Client Access Array and "mail.domain.com" for the web services. Only the latter of these two needs to be exposed to the internet.
    Keep in mind, Exchange 2013 dramatically changes this guidance. There is no more CAS array, and the recommended design is to use dedicated namespaces for each web service.
    Mike Crowley | MVP
    My Blog --
    Planet Technologies

  • Unable to set internal DNS

    I have an OS X 10.6.8 Server with DNS and Mail running on it.
    The internal domain does not match the external domain.
    Users can send and receive IMAP email on iPhones, iPads and laptops whilst outside the network using 'mail.mydomain.com' with correct account details.
    A and PTR lookups resolve correctly using the internal domain on the server and the external domain on the internet.
    webmail.mydomain.com also works perfectly outside the network but is unreachable using https://webmail.mydomain.com:443 internally - and it should.
    There is an ALIAS set up in the server's DNS that points webmail.mydomain.com (external) to server.mydomain.com (internal).
    I am using a ZyXel P-660HN-F1Z Router with the firewall turned off and all the port forwarding correct... otherwise the external mail wouldn't work!
    Previously we used a BT 2wire Gateway that didn't do anything clever - but all the mail worked internally and externally.
    Is it my router config, or the DNS on the server screwed?
    Would really love some help.
    Thanks
    Simon

    There's not enough information to be sure of your configuration.
    It would seem appropriate to set up your external domain - I'll refer to that external domain as example.com, as your mydomain.com is a real and registered domain - as the MX record for your internal domain, which I'll refer to as example.net.
    With this configuration, there would be no internal definitions (A machine records or CNAME alias records) for any of the example.com hosts in your internal DNS services.
    If you're using the same example.com domain both within your local network and a second example.com implementation on a second and separate and external DNS server configuration, then you'll need to reference all the hosts directly in both places; in your internal DNS services configuration, and you'll need to replicate all definitions of all hosts in your external DNS services configuration.
    See if your internal network can ping (if that's enabled) or telnet into port 25 or such using your external domain name, as that'll tell you if your router is smart enough to pass packets destined for your public static IP address back into your network.
    Your internal hosts should all reference ONLY your local DNS server on your LAN, and NO other DNS servers. Again, your internal hosts should reference ONLY your internal DNS server, and should not also reference your ISP DNS or other external DNS servers.
    There's a list of internal DNS services setup information here, and there are also links from that article to articles around setting up external DNS services; DNS inside your firewall, and DNS outside your firewall.

  • Wifi Internal DNS Failing

    Situation:
    On our wifi iPhone/iPod Touch devices correctly receive DHCP information.
    Access to the outside world works well with addresses resolving correctly.
    However these devices cannot browse to internal names - only the underlying ip address.
    Why?
    Additional Info:
    The DNS servers provided by DHCP are both internal.
    Windows PCs using identical DHCP settings (served from the same server) resolve internal and external addresses successfully.
    Changing the DNS servers to an external source is not an option as we want to use the Apple devices to access internal content.

    this sounds pretty much like my problem at http://discussions.apple.com/thread.jspa?threadID=2534692&tstart=0. Is it possible your internal DNS zone is called <something>.local?

  • Internal DNS Caching - Different than External DNS Caching?

    Possibly. Just check the TTL of your internal DNS records like this:
    nslookup -type=soa rackspace.co.uk
    Where rackspace.co.uk is the name of one of your internal machines.

    Oliver Kinne wrote:
    DNS per se allows you to set the TTL (time to live) of a DNS record. Public DNS entries are set with TTLs of anything between 5 minutes and 72 hours, depending on the records and who set them up. You can set the TTL of DNS records on your Microsoft server - see here: https://support.microsoft.com/en-us/kb/297510 So it's up to you how long DNS entries are cached for internal records. Of course, technically clients can ignore the TTL and cache records for longer or even a shorter amount of time. The TTL is just a "recommendation", but most clients adhere to the TTL given out by the DNS server.
    Ohhh! Okay, I didn't know that cached DNS records expired. So, basically, my internal DNS server is stating that the TTL on our internal DNS info is a period of time of less than that of external DNS sources such as those that...
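Added example, not code from this thread: a parser for the "default TTL" field of a constructed nslookup -type=soa output in the shape the reply above suggests checking (that field is the SOA minimum, which RFC 2308 defines as the negative-caching TTL; each positive record such as an A record carries its own TTL, which dig shows in its second column), and a minimal resolver cache that honours TTLs with an injectable clock, so the expiry the reply describes can be seen without waiting. All names, addresses and timer values are constructed.

```python
import re
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed excerpt in the shape nslookup prints for an SOA query; values made up.
SAMPLE_SOA_OUTPUT = """\
Server:  dns1.example.internal
Address:  10.0.0.1

example.internal
        primary name server = dns1.example.internal
        responsible mail addr = hostmaster.example.internal
        serial  = 2015030201
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 300 (5 mins)
"""

_TTL_RE = re.compile(r"default TTL\s*=\s*(\d+)", re.IGNORECASE)


def parse_soa_default_ttl(nslookup_output: str) -> Optional[int]:
    """Pull the SOA minimum ('default TTL') field out of nslookup -type=soa output.

    Per RFC 2308 this is the negative-caching TTL: how long a "no such name"
    answer may be cached. Positive records carry their own TTL.
    """
    m = _TTL_RE.search(nslookup_output)
    return int(m.group(1)) if m else None


class TtlCache:
    """Minimal resolver cache that honours record TTLs; the clock is injectable."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}

    def put(self, name: str, value: str, ttl_seconds: int) -> None:
        self._entries[name.lower()] = (value, self._clock() + ttl_seconds)

    def get(self, name: str) -> Optional[str]:
        entry = self._entries.get(name.lower())
        if entry is None:
            return None
        value, expires_at = entry
        if self._clock() >= expires_at:
            del self._entries[name.lower()]   # expired: next lookup must ask the server again
            return None
        return value

    def remaining_ttl(self, name: str) -> Optional[int]:
        """TTL a caching server passes on to its own clients: the original minus time held."""
        entry = self._entries.get(name.lower())
        if entry is None:
            return None
        return max(0, int(entry[1] - self._clock()))


class FakeClock:
    """Manually advanced clock so expiry can be exercised deterministically."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Cache a 300-second record and read it at t=0, t=299 and t=300."""
    clock = FakeClock()
    cache = TtlCache(clock)
    cache.put("app.example.internal", "10.0.0.42", ttl_seconds=300)
    fresh = cache.get("app.example.internal")        # served from cache
    clock.now = 299
    still_cached = cache.get("app.example.internal")  # one second left
    clock.now = 300
    expired = cache.get("app.example.internal")       # TTL elapsed: miss
    return fresh, still_cached, expired


if __name__ == "__main__":
    print("negative-cache TTL from SOA:", parse_soa_default_ttl(SAMPLE_SOA_OUTPUT))
    print("t=0, t=299, t=300:", demo())
```

The practical consequence for the question in the thread: a caching server that has held a record for 250 of its 300 seconds hands clients a TTL of 50, so the apparent cache time seen from a client is never longer than what the authoritative server set, only shorter.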

  • Internal DNS Resolution

    What InkMaster said - you HAVE to use internal DNS to resolve internal systems, no external DNS server will ever work. Either don't use the external ones, or use them on your DNS server as forwarders.
    Many DNS tools will tell you what server is quickest at resolving external names, and has no relevance to internal systems.

    I currently have a dilemma with our internal DNS servers. I ran namebench and the recommended configuration is as follows:
    Primary Server: 4.2.2.2
    Secondary Server: 209.244.0.3
    Tertiary Server: 192.168.30.54
    I changed the DNS settings on my workstation but now I am unable to resolve internal addresses. Our DHCP server is handing out 192.168.30.53 and 54 as DNS servers. If I change the DNS settings on the DHCP server to the above recommended, internal users will not be able to resolve internal addresses. Is there a work around for this? I noticed a huge difference in browsing speed when using the recommended settings from namebench. Any help would be greatly appreciated. Thanks!
    This topic first appeared in the Spiceworks Community
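Both this thread and the "DNS in DHCP Pool" post earlier on this page come down to how a stub resolver walks its server list, and to what a server that has no internal records says about an internal name. The following is an added example, not code from either thread: a small model in which servers are tried strictly in order, the resolver moves on only when a server fails to reply, and a negative answer (NXDOMAIN) from any server is final. The server addresses are taken from the DHCP pool post; the hostnames, record data and 2-second timeout are constructed, and real resolvers differ in retry counts and timeouts, but none of them re-ask the next server after a negative answer, which is exactly why the namebench ordering breaks internal names.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed zone data: test.org is the domain from the DHCP pool post; the
# addresses are made up (public ones use RFC 5737 documentation ranges).
INTERNAL_RECORDS = {"intranet.test.org": "10.30.2.10", "mail.test.org": "10.0.0.25"}
PUBLIC_RECORDS = {"www.example.com": "198.51.100.80"}

TIMEOUT_SECONDS = 2.0   # assumed per-server wait before a stub resolver moves on


@dataclass
class DnsServer:
    address: str
    records: Dict[str, str]   # every name this server can answer, after any forwarding
    reachable: bool = True    # False models "IPsec tunnel down, HQ resolver unreachable"

    def query(self, name: str) -> Optional[Tuple[str, Optional[str]]]:
        """None means no reply at all (timeout); otherwise (rcode, address)."""
        if not self.reachable:
            return None
        if name in self.records:
            return ("NOERROR", self.records[name])
        return ("NXDOMAIN", None)


def stub_resolve(name: str, servers: List[DnsServer]) -> Tuple[Optional[str], float, Optional[str]]:
    """Model of a typical stub resolver.

    Servers are tried in order and the resolver moves to the next one only when
    the current one does not reply. A negative answer is a final answer: the
    resolver does NOT go on to the remaining servers.
    Returns (address or None, seconds spent waiting, address of answering server).
    """
    waited = 0.0
    for srv in servers:
        reply = srv.query(name)
        if reply is None:
            waited += TIMEOUT_SECONDS
            continue
        _rcode, addr = reply
        return addr, waited, srv.address
    return None, waited, None


def build_servers(tunnel_up: bool) -> Dict[str, DnsServer]:
    """The three resolvers from the DHCP pool post (addresses from that post)."""
    return {
        # the branch gateway forwards to the ISP, so it only knows public names
        "gateway": DnsServer("10.30.1.1", dict(PUBLIC_RECORDS)),
        # HQ's internal DNS holds the internal zone and forwards the rest upstream
        "internal": DnsServer("10.0.0.1", {**INTERNAL_RECORDS, **PUBLIC_RECORDS},
                              reachable=tunnel_up),
        "isp": DnsServer("24.25.5.60", dict(PUBLIC_RECORDS)),
    }


def run_scenario(order: List[str], tunnel_up: bool
                 ) -> Dict[str, Tuple[Optional[str], float, Optional[str]]]:
    """Resolve one internal and one public name through the given server order."""
    servers = build_servers(tunnel_up)
    chain = [servers[k] for k in order]
    return {n: stub_resolve(n, chain) for n in ("intranet.test.org", "www.example.com")}


if __name__ == "__main__":
    for order, up in ((["internal", "gateway", "isp"], True),
                      (["internal", "gateway", "isp"], False),
                      (["gateway", "internal", "isp"], True)):
        print(f"order={order} tunnel_up={up}")
        for name, (addr, waited, who) in run_scenario(order, up).items():
            print(f"  {name:20} -> {addr!s:14} after {waited:.0f}s (answered by {who})")
```

The three scenarios reproduce the two complaints: with the internal server first and the tunnel down, every lookup stalls for the timeout before the gateway answers (and internal names then fail); with the gateway first, internal names fail immediately and the internal server is never consulted. Putting the external servers on the internal DNS server as forwarders, as the reply at the top of this thread says, keeps the client pointed at the one server that can answer both kinds of name.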

  • Exchange 2010 internal DNS name not resolving

    We have 2 locations: primary and secondary (DR).
    Exchange servers are located in the secondary (DR) location.
    Site-to-site VPN tunnel between primary location and secondary location.
    All is well, users are able to get their emails UNTIL we turn off our ISP and switch to our backup ISP through a different firewall.
    Internal DNS is still trying to resolve mail.companyname.com to the internal IP, but is unable to since the VPN tunnel is broken. RPC over HTTP or Outlook Anywhere is not establishing a connection to the external IP of mail.companyname.com, thus we all lose connection to Exchange.
    When I manually put an external DNS server in my PC (for example: 4.2.2.2), mail.companyname.com resolves and Outlook works, but then I am unable to get to my internal devices because now the PC is forced to look to external DNS.
    Any idea how I can fix this issue? I want Outlook to work when I disconnect the primary ISP and VPN tunnel and force traffic to go through the secondary ISP.

    Hi,
    According to your description, you need to change the configuration of the firewall on your primary site, so that the site can resolve the external IP which the record of mail.companyname.com points to.
    Thanks.
    Niko Cheng
    TechNet Community Support
