Resolving my domain name in a DMZ
Discussion
Following on my thread about DMZ vs Port forwarding, I have a domain name purchased (my LAN Active Directory on my lab is based on this e.g. global.domainname.com).
I now want to ensure that I can create a site in IIS, set the binding to something like test.domainname.com in a DMZ web server and from outside, this can be reached (having made provisions in the firewall etc). How would I do this? Do my DNS servers on the web server and firewall need to point to the DNS servers of my domain registrar?
Thanks
Doesn't matter what DNS servers your web server points at, as long as it can resolve external records. You simply need to set an A record for test.domainname.com in your external DNS zone once server/fw are configured. If you don't want this to actually be accessible by people outside, set the zone up on your AD domain controller so your clients can resolve it.
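The split-horizon setup rsbmw describes (an A record in the registrar-hosted external zone, plus a matching zone on the AD domain controller so LAN clients resolve the name), as an added PowerShell example that is not code from the thread. Every address and hostname in it is a made-up lab value, and it relies only on the DnsServer, WebAdministration and NetTCPIP cmdlets that ship with Windows Server:

```powershell
# Added example, not code from the thread. Lab values below are assumptions:
#   203.0.113.10  - the firewall's single public IP (what the registrar-hosted A record points at)
#   192.168.50.20 - the DMZ web server's private address (what the firewall NATs 80/443 to)
#   dc01.global.domainname.com - the AD DNS server on the LAN
#   ns1.registrar.example      - an authoritative server for the public domainname.com zone
# Steps 1 and 3a run on the domain controller; steps 2 and 3b run on the DMZ web server.

$fqdn        = 'test.domainname.com'
$publicIp    = '203.0.113.10'
$dmzIp       = '192.168.50.20'
$internalDns = 'dc01.global.domainname.com'
$publicNs    = 'ns1.registrar.example'

# --- 1. Internal (split-horizon) view, on the AD DNS server --------------------
# A zone named after the single host, not a copy of the whole domainname.com zone:
# the DC stays authoritative only for what it needs, and LAN clients get the DMZ
# address directly instead of hairpinning through the firewall's public IP.
if (-not (Get-DnsServerZone -Name $fqdn -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $fqdn -ReplicationScope 'Domain'
}
# '@' is the zone apex, i.e. test.domainname.com itself.
Add-DnsServerResourceRecordA -ZoneName $fqdn -Name '@' -IPv4Address $dmzIp `
    -TimeToLive (New-TimeSpan -Minutes 10)

# --- 2. IIS binding on the DMZ web server -------------------------------------
# IIS selects the site by the Host header, which is test.domainname.com whether the
# request came in via NAT from the internet or straight from the LAN, so one binding
# on the public name covers both paths.
Import-Module WebAdministration
if (-not (Get-Website -Name 'test' -ErrorAction SilentlyContinue)) {
    New-Website -Name 'test' -PhysicalPath 'C:\inetpub\test' -Port 80 -HostHeader $fqdn
}

# --- 3. Checks -----------------------------------------------------------------
# 3a. The two views must disagree on purpose: internal -> DMZ address, public -> firewall.
function Test-SplitHorizon {
    param([string]$Name, [string]$InternalServer, [string]$PublicServer,
          [string]$ExpectedInternal, [string]$ExpectedPublic)
    # -DnsOnly bypasses the local cache and hosts file so each answer comes from that server.
    $inside  = (Resolve-DnsName -Name $Name -Type A -Server $InternalServer -DnsOnly).IPAddress
    $outside = (Resolve-DnsName -Name $Name -Type A -Server $PublicServer   -DnsOnly).IPAddress
    [pscustomobject]@{
        Name           = $Name
        InternalAnswer = $inside;  InternalOk = ($inside  -eq $ExpectedInternal)
        PublicAnswer   = $outside; PublicOk   = ($outside -eq $ExpectedPublic)
    }
}
Test-SplitHorizon -Name $fqdn -InternalServer $internalDns -PublicServer $publicNs `
    -ExpectedInternal $dmzIp -ExpectedPublic $publicIp

# 3b. Run from the DMZ host: the LAN DNS server must NOT answer from here. 'False'
# is the desired result; 'True' means the DMZ can reach internal DNS and the
# VLAN/firewall separation is not what you think it is.
(Test-NetConnection -ComputerName $internalDns -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded
```

The web server itself never needs to point at the registrar's name servers: it only has to resolve whatever it calls out to, and the registrar's servers answer the internet's queries for test.domainname.com regardless of what the server's own resolver is. Check 3b is the one TonyRPH's warning about exposing internal DNS calls for: the DC may recurse for LAN clients, but nothing in the DMZ should be able to reach it on port 53 at all.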
Nimby said:
I may be well out of date on this, but I thought you were supposed to name your domain behind the firewall .local, not .com, for exactly this reason.
Microsoft's current best practice is to use a subdomain of your public internet presence. So if you are corp.com on the internet, your AD would be ad.corp.com or something along those lines.
Either way .local is never recommended these days - though Microsoft have painted themselves into a bit of a corner by having their best practice say one thing, and their setup wizards suggest another by default.
rsbmw said:
Doesn't matter what DNS servers your web server points at, as long as it can resolve external records. You simply need to set an A record for test.domainname.com in your external DNS zone once server/fw are configured. If you don't want this to actually be accessible by people outside, set the zone up on your AD domain controller so your clients can resolve it.
I will try this. I've set port forwarding on my DMZ firewall and if I set the DNS servers to the DNS servers in my DMZ, this should work.
@Z064life, it sounds as though you are fumbling in the dark a bit here.
You want a DNS entry for your DMZ (external) IP address set in some external DNS server(s) (usually the servers that host your external DNS).
You need to understand things like DNS cache poisoning and (controlled) recursion amongst other things.
TonyRPH said:
@Z064life, it sounds as though you are fumbling in the dark a bit here.
You want a DNS entry for your DMZ (external) IP address set in some external DNS server(s) (usually the servers that host your external DNS).
It is unwise (and not at all recommended) to expose your internal DNS to the outside world.
You need to understand things like DNS cache poisoning and (controlled) recursion amongst other things.
You're right there is a bit of fumbling, but this is a learning curve and a lab scenario so not a big deal.
What you mentioned (second sentence) is exactly what I'm looking to achieve. My internal DNS servers are not being exposed to the DMZ (nor any other servers) and I'll be using VLANs and so forth to keep everything separate (no route from DMZ to LAN).
Z064life said:
You're right there is a bit of fumbling, but this is a learning curve and a lab scenario so not a big deal.
What you mentioned (second sentence) is exactly what I'm looking to achieve. My internal DNS servers are not being exposed to the DMZ (nor any other servers) and I'll be using VLANs and so forth to keep everything separate (no route from DMZ to LAN).
As ging84 said - you need an 'A' record for the DMZ IP - IF - you have multiple external IP addresses, otherwise you can't do it like that - well you can but... Then you would use your single external IP and NAT specific ports back to the host on your DMZ.
Also, you would typically still allow LAN <-> DMZ connectivity, but separated by a firewall (usually all part of your main firewall) which will govern which ports are allowed through.
TonyRPH said:
Z064life said:
You're right there is a bit of fumbling, but this is a learning curve and a lab scenario so not a big deal.
What you mentioned (second sentence) is exactly what I'm looking to achieve. My internal DNS servers are not being exposed to the DMZ (nor any other servers) and I'll be using VLANs and so forth to keep everything separate (no route from DMZ to LAN).
As ging84 said - you need an 'A' record for the DMZ IP - IF - you have multiple external IP addresses, otherwise you can't do it like that - well you can but... Then you would use your single external IP and NAT specific ports back to the host on your DMZ.
Also, you would typically still allow LAN <-> DMZ connectivity, but separated by a firewall (usually all part of your main firewall) which will govern which ports are allowed through.
Thanks all!