DNS resolve on intranet for hosted domain

Unanswered Question
Apr 28th, 2008

Hi,

I am wondering how I can get the machines on my internal network to find my server, as currently they are finding the HTTP server on my 857W and instead of my website I am getting into SDM!

I can get from WAN to LAN fine as port 80 has been forwarded to my server IP address, but I think it's something to do with my DHCP DNS relay.

I have included my config file and I would be grateful for any help and assistance!

Thanks in advance

t814687 Wed, 04/30/2008 - 18:53

Hi,

can you try the following:

ip nat outside source static tcp interface Dialer0 80 192.168.1.51 80

This should translate the DNS reply into the private address of your web server.

-serg

t814687 Thu, 05/01/2008 - 04:54

Another option is to add the private IP to your desktop's hosts file.

-serg

kayasaman Sat, 05/03/2008 - 09:01

Thanks Serg, sorry it's taken so long to reply!

I tried: ip nat outside source static tcp interface Dialer0 80 192.168.1.51 80

However my router doesn't like the syntax, so I adapted it to: ip nat outside source static tcp 81.178.2.118 80 192.168.1.51 80, giving it my static WAN IP address instead.

This still didn't solve my issue though, as I am still unable to resolve my URL.

My current hosts file looks like this:

[code]
127.0.0.1       localhost
127.0.1.1       optiplex-networks.tk OptiplexGX110
192.168.1.51    optiplex-networks.tk OptiplexGX110 mailhost
81.178.2.118    optiplex-networks.tk OptiplexGX110 mailhost

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
[/code]

which I think should be OK?

t814687 Sun, 05/04/2008 - 18:42

Hi Kaya, no problem, it's an interesting issue. We can try this:

ip nat outside source static udp 81.178.2.118 53 192.168.1.51 53

so the payload in the DNS replies from the ISP DNS will be NATed back to your private IP of the server.

As for the hosts file, I was talking about your PCs' hosts file; they should have this line:

192.168.1.51 optiplex-networks.tk

and the DNS reply will be overridden.

thanks

-serg

kayasaman Mon, 05/05/2008 - 07:28

I added the line:

ip nat outside source static udp 81.178.2.118 53 192.168.1.51 53

to my router, commented out all the lines regarding my external interfaces to my server in the hosts file, and added:

192.168.1.51 optiplex-networks.tk

as a standalone entry for interface eth0.

However, at this point I lost all connectivity to the server; SSH got kicked out, NFS exports went offline, and DNS lookups for my domain still didn't work, as my WAN IP 81.178.2.118 still kept refusing to 'loop back'.

I don't know if this has anything to do with the fact that I'm using a free domain which is forwarding the URL www.optiplex-networks.tk to my WAN IP address?

I don't seem to be able to access my FTP or SMTP services via the domain either; however, I can access them via the WAN IP, which could be due to the fact that the company dot.tk where I got the domain from has set up a light DNS relay which only works for port 80?

t814687 Mon, 05/05/2008 - 08:13

Kaya,

Sorry that the change caused the disruption on the network. It should not have had that impact.

When you added the static NAT for UDP, what happened? Did you lose the connectivity?

I assume the modifications of the hosts file were done on a test PC, not on the actual server; the server's hosts file should stay the same.

What's your PC configuration? Can you post the ipconfig /all?

-serg

kayasaman Mon, 05/05/2008 - 08:56

When I added the static NAT for UDP I lost connectivity to the server itself, since it has the IP 192.168.1.51.

I haven't got a test PC to work with, so unfortunately I have to modify my server 'live'. I've re-posted the config files (for my router, the hosts file, and ifconfig).

The server is a Debian/Linux based machine which is obviously being customized to suit my requirements.

Attachment: 
t814687 Mon, 05/05/2008 - 11:04

Looks like we need to move away from the design where you are using your router as a DNS forwarder...

Can you configure your Linux server as an internal DNS server? The internal DNS server should resolve its name and return its private IP to the clients. For external names your local DNS server should be configured as a forwarder. It should use your router 192.168.1.1 (it's a forwarder itself) to get the external name resolution.

Hope it makes sense.

-serg

kayasaman Mon, 05/05/2008 - 14:09

I thought about doing this before but was under the impression that the router would be able to either loop DNS queries back through it or route the particular hostname to a specified IP address.

Whenever I type in the domain name internally on a browser I get the error: connection refused by 81.178.2.118, which leads me to believe that either the DNS query is stopping at the WAN interface or that the WAN interface is getting looked up.

I will commence building the DNS server, but if there is another way to solve this through the actual router it would be great.

t814687 Mon, 05/05/2008 - 16:07

1) On an internal test PC can you do

nslookup www.cisco.com

and post the result?

2) Can you browse an internet website by IP?

Your router is forwarding DNS queries to these IPs:

62.241.162.200
62.241.163.201

Those look like public ISP DNS servers, but I cannot get to them for some reason... Are they online and working?

Can you ping them from your LAN?

-serg

kayasaman Mon, 05/05/2008 - 16:21

This is the result for nslookup:

[code]
[email protected]:~$ nslookup www.cisco.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
Name:    www.cisco.com
Address: 198.133.219.25
[/code]

If I run the command traceroute, I get the following:

[code]
[email protected]:~$ traceroute www.cisco.com
traceroute to www.cisco.com (198.133.219.25), 30 hops max, 40 byte packets
 1  192.168.1.1 (192.168.1.1)  0.894 ms  0.901 ms  0.845 ms
 2  l1.ar03.pipex.gs1.dsl.pipex.net (62.241.167.230)  1228.211 ms  1181.917 ms  1111.135 ms
 3  ge-0-0-0.1.cr02.gs1.dsl.pipex.net (62.241.167.89)  1204.992 ms  1200.658 ms  1271.727 ms
 4  GigabitEthernet4-0.GW4.LND2.ALTER.NET (146.188.53.221)  1298.629 ms  1413.395 ms  1253.794 ms
 5  so-0-0-0.XR1.LND2.ALTER.NET (158.43.233.114)  1479.195 ms  1371.895 ms  1167.239 ms
 6  so-2-0-0.TL2.LND2.ALTER.NET (146.188.7.226)  1324.075 ms  1044.654 ms  1096.132 ms
 7  ge-1-1-0.IL1.NYC12.ALTER.NET (146.188.15.25)  1195.107 ms  1140.473 ms  1174.649 ms
 8  0.so-7-0-0.IL3.NYC9.ALTER.NET (146.188.15.6)  1101.772 ms  973.340 ms  1008.659 ms
 9  0.so-1-0-0.XL1.SJC1.ALTER.NET (152.63.50.26)  990.649 ms  1240.057 ms  1351.373 ms
10  POS6-0.GW5.SJC1.ALTER.NET (152.63.54.17)  1344.897 ms  1033.331 ms  1179.127 ms
11  cisco-sjc-gw.customer.alter.net (157.130.198.78)  1071.211 ms  1220.811 ms  1259.922 ms
12  sjck-dmzbb-gw1.cisco.com (128.107.239.5)  1247.790 ms  1421.192 ms  1572.387 ms
13  sjck-dmzdc-gw2-gig2-1.cisco.com (128.107.224.77)  1397.973 ms  1240.912 ms  1394.438 ms
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
[/code]

I have full DNS capability; however, there was a problem in auto-resolving my ISP's DNS servers, which is why I had to input them manually. They are however relayed through 192.168.1.1, which is acting as gateway, DHCP server and DNS server.

t814687 Mon, 05/05/2008 - 20:06

Before going forward, your DNS server should resolve its own FQDN into its own IP address.

Make sure in your zone file for the domain optiplex-networks.tk there is an "A" record pointing to 192.168.1.51, sort of:

www IN A 192.168.1.51

Did you create that?

kayasaman Mon, 05/05/2008 - 20:43

I tried putting the FQDN into the web browser of my server through an X11 tunnel over SSH with no luck! The server keeps referring to the WAN address.

My zone file is:

[code]
;
; BIND data file for optiplex-networks.db
; /var/named/optiplex-networks.db
;
$TTL 604800                ; default TTL for records without one (BIND 9 otherwise warns and falls back to the SOA minimum)
@       IN SOA  optiplex-networks.tk. optiplex-networks.tk. (
                2008050601 ; Serial
                604800     ; Refresh
                86400      ; Retry
                2419200    ; Expire
                604800 )   ; Minimum (negative-cache) TTL
        IN NS   dns.optiplex-networks.tk.
        IN MX   10 mail.optiplex-networks.tk.
www     IN A    192.168.1.51
news    IN A    192.168.1.51
mail    IN A    192.168.1.51
dns     IN A    192.168.1.51
dns2    IN A    192.168.1.1
[/code]

So definitely the problem lies either with the DNS config in the server or with the router itself. The server is also set to master DNS mode.

kayasaman Tue, 05/06/2008 - 06:14

Hi, I've managed to make some progress!

I created a new zone file:

[code]
;
; BIND data file for optiplex-networks.tk
;
$TTL 604800
@       IN SOA  optiplex-networks.tk. info.optiplex-networks.tk. (
                2008051603 ; Serial
                7200       ; Refresh
                120        ; Retry
                2419200    ; Expire
                604800 )   ; Minimum (negative-cache) TTL
;
@       IN NS   optiplex-networks.tk.
;@      IN NS   ns2.example.com.     ; zone-file comments start with ";", not "#"
optiplex-networks.tk.   IN MX   10 mail.optiplex-networks.tk.
optiplex-networks.tk.   IN A    192.168.1.51
www     IN CNAME optiplex-networks.tk.   ; alias the apex; a CNAME that names itself (www -> www) never resolves
mail    IN A    192.168.1.51
ftp     IN CNAME optiplex-networks.tk.   ; same: point at the apex, not at ftp itself
optiplex-networks.tk.   IN TXT  "v=spf1 ip4:192.168.1.51 a mx ~all"   ; a private address in SPF means nothing to outside receivers
mail    IN TXT  "v=spf1 a -all"
[/code]

Now I can resolve http://optiplex-networks.tk and ftp://optiplex-networks.tk internally from the server (well, actually over my X11 tunnel), but still, at least it's something!

However, from my PC when I try to access the URL I can't get to it, and my router keeps sending me through the WAN port again?

t814687 Tue, 05/06/2008 - 06:51

In the DNS you have to set up your router as forwarder. But at the same time I have no confidence that your router is working properly.

On your Linux box do:

[code]
nslookup
> server 192.168.1.1
> www.cisco.com
[/code]

If it resolves properly, then work on your Linux machine and set the forwarder address there. Otherwise you need to verify the DNS settings on the router.

kayasaman Tue, 05/06/2008 - 18:49

Is this correct? If not, and there is a problem with the DNS implementation within the router, how can I correct it?

Previously, before using Cisco, all I had to do was put in the gateway address 192.... and the DNS would resolve. There is a big difference however between Cisco and consumer-based routers, and I'm still learning about IOS and networking, including server construction, as I go along, so any advice or how-tos are really appreciated.

Thanks

t814687 Tue, 05/06/2008 - 19:53

Yes, the router forwards DNS properly.

Now you have to configure the forwarder in your DNS using the IP address of the router and test it.

Your DNS should be able to resolve www.cisco.com to its public IP.

Once that's done you need to reconfigure the DHCP pool on the router and re-point your clients to your new DNS server.

-serg
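The design Serg lays out in the posts above (the Linux box becomes the LAN's DNS server, authoritative for an internal copy of the zone and forwarding everything else to the router), together with the two zone-file mistakes from Kaya's earlier post (a "#" comment and self-referencing CNAMEs), as an added example that is not part of the thread: a POSIX shell script that stages a BIND9 configuration and runs a small lint over the zone file. The addresses and zone name are the thread's (server 192.168.1.51, router 192.168.1.1, optiplex-networks.tk); the file locations, the LAN prefix 192.168.1.0/24 and the `write_*`/`lint_zone` helper names are assumptions, and the lint is a deliberately narrow stand-in for BIND's own `named-checkzone`, not a replacement for it. Every name in the internal zone resolves to the private address, so LAN clients never hairpin to the WAN address and land on the router's own HTTP server, which is the symptom the original post describes; recursion is limited to the LAN so the box does not become an open resolver if port 53 is ever forwarded.

```sh
#!/bin/sh
# Added example (not from the thread): stage and sanity-check a split-horizon
# BIND9 setup. Addresses and zone are the thread's; paths and LAN prefix are assumed.
ORIGIN="optiplex-networks.tk"
SERVER="192.168.1.51"
ROUTER="192.168.1.1"
LAN="192.168.1.0/24"
OUT="${OUT:-$(mktemp -d)}"   # stage files here; copy into /etc/bind when happy

# Resolver options: answer only the LAN, forward everything that is not ours
# to the router (which already forwards to the ISP). Restricting recursion
# keeps the box from becoming an open resolver if port 53 is ever exposed.
write_named_options() {
    cat > "$OUT/named.conf.options" <<EOF
options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; $SERVER; };
    allow-query { 127.0.0.1; $LAN; };
    allow-recursion { 127.0.0.1; $LAN; };
    forwarders { $ROUTER; };
    forward only;
};
EOF
}

# Zone declaration: master for the internal copy of the domain; no transfers.
write_named_local() {
    cat > "$OUT/named.conf.local" <<EOF
zone "$ORIGIN" {
    type master;
    file "/etc/bind/db.$ORIGIN";
    allow-transfer { none; };
};
EOF
}

# Internal view of the zone: every name lands on the private address.
# Aliases point at the apex, never at themselves.
write_zone() {
    cat > "$OUT/db.$ORIGIN" <<EOF
\$TTL 604800
\$ORIGIN $ORIGIN.
@       IN SOA  dns.$ORIGIN. info.$ORIGIN. (
            2008051604 ; Serial
            7200       ; Refresh
            120        ; Retry
            2419200    ; Expire
            604800 )   ; Negative-cache TTL
        IN NS   dns.$ORIGIN.
        IN MX   10 mail.$ORIGIN.
        IN A    $SERVER
dns     IN A    $SERVER
mail    IN A    $SERVER
www     IN CNAME $ORIGIN.
ftp     IN CNAME $ORIGIN.
EOF
}

# Catch the two mistakes from the thread's zone file: "#" used as a comment
# marker (BIND uses ";") and a CNAME whose target is its own name.
# Usage: lint_zone FILE ORIGIN. Prints one line per finding; exit 1 if any.
lint_zone() {
    awk -v origin="$2" '
        /^[ \t]*#/ { print FILENAME ":" NR ": \"#\" is not a comment in zone files; use \";\""; bad = 1; next }
        {
            if ($0 ~ /^[ \t]/) owner = last; else owner = $1   # blank owner repeats the previous one
            last = owner
        }
        $0 ~ /[ \t]IN[ \t]+CNAME[ \t]/ {
            target = $NF
            if (owner == "@") owner = origin "."
            else if (owner !~ /\.$/) owner = owner "." origin "."
            if (target !~ /\.$/) target = target "." origin "."
            if (owner == target) { print FILENAME ":" NR ": CNAME " owner " points to itself"; bad = 1 }
        }
        END { exit bad }' "$1"
}

write_named_options
write_named_local
write_zone
lint_zone "$OUT/db.$ORIGIN" "$ORIGIN"
# If BIND's own checker is installed, run it too; it catches what the lint above does not.
if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone "$ORIGIN" "$OUT/db.$ORIGIN"
fi
echo "staged in $OUT"
```

After copying the staged files into /etc/bind and reloading named, the last step is the one Serg names: point the router's DHCP pool at the server (`dns-server 192.168.1.51` under `ip dhcp pool`) so clients stop asking the router directly, then confirm from a client that `nslookup optiplex-networks.tk` returns 192.168.1.51 while `nslookup www.cisco.com` still resolves through the forwarder.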

kayasaman Tue, 05/06/2008 - 21:15

OK, I just sorted it. I probably have more config in here than I actually need, but have a look at this new config file!

Thanks so much for your help, I really appreciate it!

Now off to try to get my VPN tunnel to work :-)

t814687 Wed, 05/07/2008 - 08:57

Your router is a forwarder already. Personally, I see no need for additional config other than changing the DNS IP address in the DHCP scope once your Linux box can correctly resolve internal and external IPs.

-serg

kayasaman Wed, 05/07/2008 - 10:19

I understand! I mean, this was a crash course in DNS for me by building it into the server anyway, so I will post on the Debian forum to see if anyone can help me with Bind9 over there, then I will revert back to the original config and see what happens.

Thanks a lot anyway for all your help and advice :-)

kayasaman Wed, 05/07/2008 - 11:42

Serg, if you don't mind, I would like to know when the config I currently have in the router would be used?

I am just keen to learn, that's all!

Also, I know it's probably not the place here to ask, but since you are the "Pro" I was just hoping for some advice: I have been very keen on computer networking ever since I finished my degree in electronic engineering 2 years ago, and would like to start up a company offering various IT services to businesses. I am currently thinking of taking a Cisco certificate course but haven't got a clue which one to go for.

Since you have a lot of experience in the field I was just hoping that maybe you could either offer me some tips or help me get a direction.

Kaya

t814687 Wed, 05/07/2008 - 13:54

Well, not sure about the question you are asking about your router... The config is pretty standard for a VPDN tunnel server. You can do a search on cisco.com and learn more if you are interested.

As for the courses, I would start from the basic CCNA course and learn the foundations. That would be my advice. Get a lab setup, play with gear, have fun ;) Good luck.

-serg

kayasaman Thu, 05/08/2008 - 03:45

In terms of the config question about the router, I was referring to the DNS forwarding part, since you said that I shouldn't have to implement it, as the DNS in my server should automatically transfer.

So I was wondering when DNS forwarding like I have done would be used?

As an extra, you said that I have a standard config for a VPDN tunnel server; however, when I try to access it with the Cisco VPN client I cannot connect?
