clueless and need help.

Simon Hobson shobson0309 at colony.com
Tue Feb 17 08:39:58 UTC 2004


Westy wrote:
>Here's the setup.  We have a consortium of three different/separate
>domains/organizations A.org, B.org, and C.org that are sharing a domain
>D.org. The server they share/use is housed at domain A.org.  Domain A.org
>also maintains the primary nameserver for both internal and external DNS.
>The server they share has two NIC cards in it, each having a different
>subnet address for the internal network. NIC A 192.104.39.226 (label D.org)
>and NIC B 192.104.40.225 (label D-2.org). They all use one external address
>and the domain name D.org for the external network.  Domain A.org uses the
>subnet 192.104.39.0 and the other two domains B.org and C.org both use the
>subnet 192.104.40.0.  Domain A.org has a zone set up in its internal DNS
>with an A record that maps D.org to 192.104.39.226.  The other two domains
>B.org, and C.org do not have zones set up on their internal DNS.  Domain
>A.org has a zone set up for external DNS for domain D.org.  There is an A
>record in the file that maps www.d.org to the external address 205.46.83.71.
>We have a firewall set up that NATs the address 205.46.83.71 to
>192.104.39.226.  We're switching ISPs and I changed the external address to
>4.36.130.71 in the zone file and on the firewall.  From the outside all
>seems to be working well, other than reverse lookup is not enabled; you can
>get the page displayed with no problem if you use www.d.org, and nslookup
>and dig return the correct nameserver information.  The problems are on the
>internal subnet 192.104.40.0.  Primarily with domain C.org.  Since the
>change of the external IP address domain C.org cannot attach to the server
>via http.  Domain C.org can ping and telnet to the server NIC
>192.104.40.225, and login via telnet.
>
>Here's the problems.  The domains B.org and C.org cannot resolve the name
>D.org.  I'm told they do not need zones set up in their internal DNS.  That
>when the query to their internal DNS for www.d.org fails, the query will be
>sent out to the Internet and the primary nameserver housed at domain A.org
>will resolve the name www.d.org to 205.46.83.71, the firewall then NATs it
>to 192.104.39.226, and the page is displayed.  This is not working; domains
>B.org and C.org get (page not found) via a browser when using the DNS name.
>Domain B.org can connect and display the page if it uses the IP address
>http://192.104.40.225. The domain B.org admin tells me the DNS name
>resolution has never worked from day one; they have always had to use the IP
>address.  Domain C.org cannot get the page displayed, period; the domain
>C.org admin tells me they have always used the DNS name and not the address.
>Now, neither domain can ping by name. Both can ping and telnet successfully
>by using the IP address 192.104.40.225.
>
>Do we need to set up something in domain A.org's internal DNS to map the IP
>address 192.104.40.225 to d-2.org, or should it be www.d-2.org?  And tell
>domains B.org and C.org to use that DNS name? Or, is there a way to set up
>the configuration in domain A.org so all three domains can use D.org or
>www.d.org internally?  What would prevent domain C.org from being able to
>connect via http, when you can ping and telnet to the IP address?  This
>really puzzles me. The outside world and domains A.org and B.org can connect
>via http, even though domain B.org has to use the IP address rather than the
>DNS name.  Domain A.org has no problems connecting via DNS name or IP
>address; it can ping and telnet also.  Do we need to set up something (a zone
>or an A record and PTR record) in domains B.org and C.org's internal DNS
>that would map an IP address (192.104.40.225) back to d.org or d-2.org?  Or
>should the external nameserver be resolving the name for us?  I fail to see
>why changing the external IP address in the zone file and on the firewall
>would prevent domain C.org from connecting via http.  I assumed that with
>them being on the internal network, the change would not have an impact
>on them. Is this assumption correct?

Well, from all that I THINK you have this:

in B & C, you use external name resolution to get the public IP of 
the server www.D.org from the nameserver in A - but you cannot 
connect to it from B or C.

My guess is that the firewall is not set up to take an internal 
connection, map it to the outside interface, and then map it back 
into the internal network. The quick and simple way to deal with this 
is to set up a slave (or stub) zone for D.org on the internal 
nameservers for B & C with the master(s) specified as the internal 
address of the A nameserver. This will result in queries for D.org 
being sent to the internal server and being resolved to the internal 
address of the server.

Alternatively, configure a split-horizon name service so that 
requests from B & C are resolved to the internal address, but all 
other requests are resolved to the external address. For this setup I 
suggest it would be overkill though.

Simon

-- 

NOTE: This is a throw-away email address which will reach me for as 
long as it stays spam-free, remove date for real address.

Simon Hobson, Technology Specialist
Colony Gift Corporation Limited
Lindal in Furness, Ulverston, Cumbria, LA12 0LD
Tel 01229 461100, Fax 01229 461101

Registered in England No. 1499611
Regd. Office : 100 New Bridge Street, London, EC4V 6JA.
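What the two fixes Simon describes look like in BIND named.conf terms, as an added illustration that is not part of the original post or reply. The post gives no nameserver addresses, so 192.104.39.53 (A.org's internal nameserver) and 192.104.40.53 / 192.104.40.54 (the B.org and C.org internal nameservers) are assumed placeholders; the zone file names are likewise made up for the example.

```conf
// ---- named.conf fragment for the INTERNAL nameservers of B.org and C.org ----
// Added example, not from the original post. 192.104.39.53 is an ASSUMED
// address for A.org's internal nameserver.
//
// With a local slave copy of d.org, queries for d.org / www.d.org are
// answered from A's internal zone data (192.104.39.226) instead of being
// forwarded to the Internet and coming back with the NATted public address.
zone "d.org" {
    type slave;
    file "slave/d.org";            // relative to the "directory" option
    masters { 192.104.39.53; };    // A.org internal nameserver (assumed)
};

// Stub alternative: only SOA, NS and glue records are copied; everything
// else is looked up by asking the NS hosts listed in the zone, so those NS
// records must point at A's internal server for this to work.
// zone "d.org" {
//     type stub;
//     file "stub/d.org";
//     masters { 192.104.39.53; };
// };

// ---- matching change on A.org's INTERNAL nameserver ----
// 192.104.40.53 / 192.104.40.54 are ASSUMED addresses for the B.org and
// C.org internal nameservers. Without allow-transfer the slaves never load.
zone "d.org" {
    type master;
    file "master/d.org.internal";
    allow-transfer { 192.104.40.53; 192.104.40.54; };
    also-notify    { 192.104.40.53; 192.104.40.54; };
};

// ---- split-horizon alternative (the "overkill" option) ----
// Only applies if A.org answers internal and external queries from ONE
// named; once any view is declared, every zone must live inside a view,
// so this replaces the top-level zone stanza above on that server.
acl internal-nets { 192.104.39.0/24; 192.104.40.0/24; };

view "internal" {
    match-clients { internal-nets; };
    zone "d.org" { type master; file "master/d.org.internal"; };  // -> 192.104.39.226
};

view "external" {
    match-clients { any; };
    zone "d.org" { type master; file "master/d.org.external"; };  // -> 4.36.130.71
};
```

Two checks worth doing after `rndc reload`: the slave's log should show a "transfer of 'd.org/IN' ... Transfer completed" line, and `dig @192.104.40.53 www.d.org A` (substituting the real B.org server) should return the internal address rather than 4.36.130.71. Note that the post only mentions an internal A record for D.org itself, while the browsers ask for www.d.org; that name has to exist in A's internal zone or the slave copy will answer NXDOMAIN for it. Also, B and C have only been shown reaching the server on 192.104.40.225; if 192.104.39.226 is not routed from 192.104.40.0/24, the internal zone (or the internal view) should carry the .225 address for the names those networks use.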