external and internal dns servers

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
At the moment we're stuck with the dreadful PPTP connection. We've been using a HOSTS file for over 4 yrs now. I'm tired of it and my first task when I joined was installing a DNS server. It's been running fine but the binding order isn't correct. Then again, the domain we use serves both our internal and external use. When I VPN into corporate, I can't resolve our internal servers. Our domain is registered through register.com (f'n hate them) and they also serve our DNS info.

Silly question, but I created an A record on register.com that points one of our internal servers to 192.168.10.100, the internal IP of the server. Please note, the server is not accessible from outside. Is it a good idea to do this? I don't want someone just pinging things randomly and seeing our internal IPs.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
Originally posted by: LuckyTaxi
At the moment we're stuck with the dreadful PPTP connection. We've been using a HOSTS file for over 4 yrs now. I'm tired of it and my first task when I joined was installing a DNS server. It's been running fine but the binding order isn't correct. Then again, the domain we use serves both our internal and external use. When I VPN into corporate, I can't resolve our internal servers. Our domain is registered through register.com (f'n hate them) and they also serve our DNS info.

Silly question, but I created an A record on register.com that points one of our internal servers to 192.168.10.100, the internal IP of the server. Please note, the server is not accessible from outside. Is it a good idea to do this? I don't want someone just pinging things randomly and seeing our internal IPs.

You can't point an outside DNS record to an internal network; register.com or any ISP has no idea of your internal network.

I don't know if it's correct, but I configured it this way when I use PPTP.

For the client PPTP setup, click on Properties, Networking, TCP/IP, "Use the following DNS addresses", then enter the address of your internal DNS server there. If your internal DNS server forwards its DNS queries to another external DNS server, you should be able to resolve both internal and external DNS queries.

And if you want to continue browsing using your own ISP, and not the company's network, you should tick off the "use default gateway on remote network" option in Advanced TCP/IP Settings.
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
I did it and it works just fine, but I'm a little reluctant to put our internal IP scheme out for the whole world to see. I created an A record on register.com for server.domain.com -> 192.168.10.100 and I was able to connect using PPTP (obviously this won't work if I'm not connected to my VPN).

Our DHCP dishes out the DNS info just fine, it's just that the binding order is all messed up. It picks up my LAN's DNS, which resolves externally anyways.

Speaking of which, what does the "use default gateway on remote network" option do? It seems people are hit and miss with it. Some users can connect to our shares on the LAN just fine while others need to uncheck this particular box in order to connect. Who knows, but I need a better VPN solution.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
Originally posted by: LuckyTaxi
I did it and it works just fine, but I'm a little reluctant to put our internal IP scheme out for the whole world to see. I created an A record on register.com for server.domain.com -> 192.168.10.100 and I was able to connect using PPTP (obviously this won't work if I'm not connected to my VPN).

Our DHCP dishes out the DNS info just fine, it's just that the binding order is all messed up. It picks up my LAN's DNS, which resolves externally anyways.

Speaking of which, what does the "use default gateway on remote network" option do? It seems people are hit and miss with it. Some users can connect to our shares on the LAN just fine while others need to uncheck this particular box in order to connect. Who knows, but I need a better VPN solution.

Yeah, I don't recommend registering your internal machines' IP addresses at register.com, and you are right, it should only work when you are using the VPN.

With "use default gateway on remote network" checked, all traffic (VPN and your internet browsing) goes through the company's gateway router.

With "use default gateway on remote network" unchecked, only VPN traffic goes through the company network, not your internet browsing.

And what do you mean by "binding order is messed up"?

I need a better VPN solution too. IPSEC is just too hard for me, so I'm experimenting with OpenVPN. But I'm not there yet.

 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
And what do you mean by "binding order is messed up"?

I need a better VPN solution too. IPSEC is just too hard for me, so I'm experimenting with OpenVPN. But I'm not there yet.

When you try to resolve domain names it uses your LAN's DNS.

 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
You should use internal DNS for internal DNS queries, and use register.com for external queries; delete all 192.168.*.* DNS entries you recorded at register.com.

register.com should only have records of your servers' internet IP addresses, so when anyone on the internet queries your server name, they won't get an answer in the 192.168.x.x range that they could not reach anyway.

DNS server priority for internal PC DNS queries:

ns.yourdomain.local
ns1.register.com
ns2.register.com

where ns.yourdomain.local (your internal DNS server) should record the internal servers' and workstations' IP addresses, like

srv1.yourdomain.local - srvn.yourdomain.local
pc1.yourdomain.local - pcn.yourdomain.local

But it seems you are using the same name for internal and external DNS queries, so I believe you need something called split DNS.

Google "split DNS" and you will find quite a few articles. Personally I'm highly against the idea of using the same FQDN for internal and external usage.

*EDIT*
Sorry, split DNS is for recording an internal IP and an external IP for the same machine in the same DNS server. If you keep internal IPs in the internal DNS server, and external IPs on register.com, I think you don't need split DNS.

I'm no DNS expert; other people in this forum can provide a better answer.
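Added example, not from the thread, illustrating mxnerd's point above that the registrar-hosted zone should hold only public addresses: it parses a small constructed BIND-style zone for the thread's hypothetical domain.com and flags any A record that points into RFC 1918 space, which belongs only on the internal DNS server (the sample records and 203.0.113.x public addresses are made up).

```python
import ipaddress
import re

# RFC 1918 private ranges; anything here is unreachable from the internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of a registrar-hosted public zone (203.0.113.0/24 is the
# documentation range, standing in for the company's real public addresses).
PUBLIC_ZONE = """
$ORIGIN domain.com.
@        IN  A      203.0.113.10
www      IN  A      203.0.113.10
mail     IN  MX 10  mail.domain.com.
mail     IN  A      203.0.113.25
server   IN  A      192.168.10.100   ; internal host, must not be here
intranet IN  CNAME  server.domain.com.
"""

# name [ttl] IN A address  (TTL/class order simplified for the example)
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)$", re.IGNORECASE)

def parse_a_records(zone_text):
    """Return (fqdn, ip) pairs for A records, qualifying relative names with $ORIGIN."""
    origin, records = "", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = A_RECORD.match(line)
        if not m:
            continue  # MX, CNAME and other types are not audited here
        name, ip = m.groups()
        # "@" means the origin itself; names ending in "." are already absolute
        fqdn = origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")
        records.append((fqdn.rstrip("."), ip))
    return records

def is_rfc1918(ip):
    """True if the address falls in any RFC 1918 private range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def find_private_leaks(zone_text):
    """Names whose public A record points into private space and should be removed."""
    return [(fqdn, ip) for fqdn, ip in parse_a_records(zone_text) if is_rfc1918(ip)]
```

Running find_private_leaks on a dump of the public zone gives the list of records to move to the internal server; an empty result means the public zone exposes no internal addressing.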
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
I've never had any real problems with Windows PPTP VPN (on Server 2003, anyway). If you follow this Microsoft white paper to the letter, DHCP and DNS should work perfectly on your VPN clients.

With a Windows PPTP VPN and proper setup of DHCP and DNS services, all the DNS stuff should be taken care of automatically.

As noted by others, you don't put your internal DNS records on the Internet. Public DNS servers for your Domain should only contain your public IP information.

ALL PCs and servers inside your Domain should use ONLY your internal DNS server(s) for ALL name resolution. Even your DNS server(s) point to themselves for DNS information. There should be no reference on any computer to a public DNS server.

If a request for external DNS information is encountered, your internal DNS server has a forwarder pointing to a suitable external DNS server. Alternatively, your internal DNS server uses Root Servers to handle external DNS searches.

(Note: If your internal Domain name has the SAME name as your public Domain name, you'll likely need some special settings.)
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Thx guys, yes I removed references to my internal IPs on register; I was only doing it to test.

We've been using a HOSTS file for over 4 yrs now, so if I can't figure this out, we're still going to resort to it for those who connect via VPN. Our internal users are fine, no issues whatsoever. When I connect via PPTP, my request is queried and hits register.com. It can't find subdomain.domain.com because the subdomain is for internal use.
 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
Like everyone said above, this issue has nothing to do with your registered internet addresses. While setting up RRAS on the Windows server you can specify where the DNS\WINS settings get pulled from. Most times you would just tell it to pull the DNS\WINS addresses from the internal NIC on the server. Then when people VPN in they get your internal DNS\WINS servers and can resolve all your internal machines.

John
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Originally posted by: netsysadmin
Like everyone said above, this issue has nothing to do with your registered internet addresses. While setting up RRAS on the Windows server you can specify where the DNS\WINS settings get pulled from. Most times you would just tell it to pull the DNS\WINS addresses from the internal NIC on the server. Then when people VPN in they get your internal DNS\WINS servers and can resolve all your internal machines.

John

Everyone is missing the point. I understand how DNS works, but I think my main issue is that we're using our domain for internal and external use. My issue is w/ the binding order of our PPTP connection. A quick search on Google shows that many other folks are experiencing the same issue.

I think everyone agrees that we shouldn't mix domains for internal and external use.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
If you really knew how DNS works, you wouldn't have used a hosts file for 4 years, recorded internal IP addresses at register.com and blamed them :p

DNS is a really huge topic.
 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
First off, what OS is on this VPN server... I am guessing Server 2003? Second, are you using two NICs?

John
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Originally posted by: mxnerd
If you really knew how DNS works, you wouldn't have used a hosts file for 4 years, recorded internal IP addresses at register.com and blamed them :p

DNS is a really huge topic.

Haha ... I know, I know, but I started in October. The old sysadmin had no idea what a DNS server is (we still use hubs) and we've been using HOSTS files ever since! I implemented a primary and secondary server but we can't tell people about them since most of our users work from home, so they'll be screwed since the domains can't resolve properly!

Yes, it's running Windows 2003 and I think there's only one NIC.
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Originally posted by: netsysadmin
Find out how many NICs you are using. Also, are you handing out the VPN IPs via DHCP?

John

I believe it's ONE (I was able to RDP into the box) and the VPN IPs are dished out automatically via a range set in the PPTP settings.
 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
I don't remember the exact settings in RRAS, but you just need to specify that the DNS and WINS settings are taken from the NIC. That NIC should be pointed to your AD DNS and WINS servers. That will provide your VPN hosts with your internal DNS and WINS servers.

John
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Originally posted by: netsysadmin
I don't remember the exact settings in RRAS, but you just need to specify that the DNS and WINS settings are taken from the NIC. That NIC should be pointed to your AD DNS and WINS servers. That will provide your VPN hosts with your internal DNS and WINS servers.

John

When I make a connection to my remote PPTP site, I have "two connections." One for my local LAN, which has either my ISP's DNS or opendns' info hard-coded into my router. Then I have a PPTP connection which has my IP assigned by the PPTP and the internal DNS you speak of. Am I missing something?
 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
I was referring to the settings on the server and not the client. So when you connect from a client machine to the VPN and do an ipconfig /all, do you see your internal DNS server listed on the PPTP connection? If so, how are you trying to get to your network shares? Do you try to get to them via a FQDN? Remove the hosts file and do some testing by pinging the different servers by their FQDN and see what you get.

John
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Originally posted by: netsysadmin
I was referring to the settings on the server and not the client. So when you connect from a client machine to the VPN and do an ipconfig /all, do you see your internal DNS server listed on the PPTP connection? If so, how are you trying to get to your network shares? Do you try to get to them via a FQDN? Remove the hosts file and do some testing by pinging the different servers by their FQDN and see what you get.

John

Correct. I don't use a HOSTS file, btw, but I am unable to ping with the FQDN.