 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] can't access to a domain name which is hosted in my LAN
 Date:  Thu, 13 Jan 2005 10:16:10 -0500
JSimoneau at lmtcs dot com wrote:
> Mike,
> 
> I guess I don't fully understand where you are at this point, so I'll
> just ramble off some things and hope you find something useful.
> 
> Computers on your LAN should be using a local (on the LAN) DNS server
> for name resolution. This should be a DNS server which only serves
> requests for systems on the private LAN network, and not outside of
> that. Let's take this example:
> 
> Your monowall has IP 64.100.71.50 and is NAT'ing port 80 to your
> webserver, which has private IP address 192.168.1.5. The domain being
> hosted is www.superdomain.com.
> 
> To PCs on the internet, if they try to resolve www.superdomain.com it
> will resolve to 64.100.71.50, their http request will go to your
> monowall and be forwarded to your web server by NAT. Good.
> 
> Now, if the PCs on your LAN try to resolve www.superdomain.com and get
> 64.100.71.50, if they try to go to that they will have problems. This
> is because, to the LAN systems, the webserver isn't at 64.100.71.50,
> it's at 192.168.1.5. This is why you need a dedicated DNS server on
> your LAN to serve requests on the LAN, because it needs to resolve
> things to the local private IP address.
> 
> This is what the DNS forwarder in m0n0wall does.
> 
> First make sure PCs on the LAN are set to use the monowall's PRIVATE
> (192.168.1.1 or whatever) IP address as their DNS server.
> 
> Make sure you have DNS servers listed in the General Setup tab of your
> monowall, or that m0n0wall gets DNS servers from your ISP's DHCP.
> 
> Now, on the DNS forwarder tab, make sure the DNS forwarder is
> enabled, and add a new entry. For my example I would fill in:
> 
> Host: www
> Domain: superdomain.com
> IP Address: 192.168.1.5
> Description: My super web server
> 
> Now www.superdomain.com will resolve to 192.168.1.5 as long as I am
> using m0n0wall for my DNS server.
> 
> This should do it.
> 
>  - Josh

The only difficulty will be if the local network is a Microsoft Active
Directory domain. The local DNS will be needed to resolve more than
just names, the location of Domain Controllers for example.

So, assuming a Microsoft AD environment with a domain name like
superdomain.local (we all know you should use a non-real-world
domain...), you would add a stub domain in the "Forward Lookup Zone"
for superdomain.com. You would then add host records using local IPs
(192.168.1.x); you can also add records using real IPs if you have any
resources off your net (second web server -
something.superdomain.com). Your client machines will still use the
internal DNS, not the m0n0wall forwarder.

_________________________________
James W. McKeand
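As an added illustration of the split-horizon behaviour Josh describes (not code from the thread or from m0n0wall), the snippet below models the forwarder override with the thread's own addresses and adds a check that flags an override whose target is not on the LAN, which is exactly the case where LAN clients would try to reach the server through the WAN address. The LAN subnet 192.168.1.0/24 and the override table layout are assumptions for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample values, taken from the thread: WAN address, private
# web server address and an assumed LAN subnet.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_ZONE = {"www.superdomain.com": "64.100.71.50"}  # what the internet sees
# m0n0wall-style DNS forwarder overrides: (host, domain) -> private IP
FORWARDER_OVERRIDES: Dict[Tuple[str, str], str] = {
    ("www", "superdomain.com"): "192.168.1.5",
}


def resolve(name: str, client_ip: str) -> Optional[str]:
    """Split-horizon lookup: a LAN client gets the forwarder override,
    any other client gets the public record."""
    host, _, domain = name.partition(".")
    if ipaddress.ip_address(client_ip) in LAN_NET:
        override = FORWARDER_OVERRIDES.get((host, domain))
        if override:
            return override
    return PUBLIC_ZONE.get(name)


def hairpin_problems(
    overrides: Dict[Tuple[str, str], str] = FORWARDER_OVERRIDES,
    lan_net: ipaddress.IPv4Network = LAN_NET,
) -> List[str]:
    """Flag overrides whose target lies outside the LAN. A LAN client handed
    such an address would send its HTTP request towards the WAN address,
    which is the failure mode the thread is about."""
    problems = []
    for (host, domain), ip in overrides.items():
        if ipaddress.ip_address(ip) not in lan_net:
            problems.append(f"{host}.{domain} -> {ip} is outside {lan_net}")
    return problems


if __name__ == "__main__":
    print("LAN client :", resolve("www.superdomain.com", "192.168.1.20"))
    print("WAN client :", resolve("www.superdomain.com", "203.0.113.7"))
    print("problems   :", hairpin_problems())
```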