 From:  Melvin Backus <melvin at sleepydragon dot net>
 To:  "James W. McKeand" <james at mckeand dot biz>, "'Mike Razavi'" <mike at havepc dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] can't access to a domain name which is hosted in my LAN
 Date:  Sat, 15 Jan 2005 10:05:45 -0500
I believe you may want to set up what is called split-brain DNS. I've never
done it, but you may want to do a quick search in the MSKB to see what you
can find on it.


At 09:51 AM 1/15/2005, James W. McKeand wrote:
>Mike Wrote:
>Currently my Forward Lookup Zones for my public domain names are
>pointing to my public IP address with the A Records! Is this where I
>am wrong? But from outside all my domain names are accessible! Note
>that I am also DNS servers for these domain names which means my
>public ip address is set as their DNS1 and DNS2.
>
>James Replied:
>Let's make sure I understand the scenario: SBS DNS is the Authoritative
>DNS for DomainA.com (and others). Therefore, any records for these
>zones must have Public IPs. Because of the structure of your network,
>your client machines use the same DNS for the AD and Internet name
>resolution. When an Internet client tries to go to www.DomainA.com,
>the name resolves to a Public IP (no problem). When a local client
>queries the local DNS it gets a Public IP and you cannot get there
>from here...
>
>Two solutions come to mind. The first is only good if you have a few
>machines - put the private IP addresses in local clients' HOSTS files.
>But this gets ugly if you have more than a couple of machines...
>
>The other solution is to move the Authoritative DNS (Public IPs) for
>public domains to a separate DNS. And use the SBS's DNS for local
>resolution. You will still have zones for the domains you host on the
>SBS, but they will be non-authoritative and have Private IPs. Your
>local clients will resolve www.DomainA.com to a private IP. And
>Internet clients will resolve www.DomainA.com to a public IP.
>
>Using the m0n0wall forwarder will not help your situation. It
>functions the same way as placing a dummy zone on your DNS using
>private IPs. Being the Authoritative DNS for the domains is what is
>throwing a wrench into the works.
>
>Hope this helps...
>James W. McKeand

Whom computers would destroy, they must first drive mad.

Melvin Backus
Principal Wizard
Sleepy Dragon Enterprises
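
Added example, not part of the original thread: a Python audit of the two-zone (split-brain) layout discussed above, flagging internal records that still return a public IP and names published externally but missing from the internal zone. It goes one step beyond the thread by also flagging RFC 1918 addresses published in the external zone; the record lists, addresses and the `mail`/`vpn` host names are constructed sample data.

```python
import ipaddress

# RFC 1918 ranges, listed explicitly (ipaddress.is_private also matches
# documentation ranges such as 203.0.113.0/24, which stand in for public IPs here).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: "name A address" lines for each side of the split.
EXTERNAL_ZONE = """
www.domaina.com.   A 203.0.113.10
mail.domaina.com.  A 203.0.113.11
vpn.domaina.com.   A 192.168.1.5   ; private address published to the Internet
"""
INTERNAL_ZONE = """
www.domaina.com.   A 192.168.1.10
mail.domaina.com.  A 203.0.113.11  ; still the public address
"""

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def parse_a_records(text):
    """Return {lowercased name: IPv4Address} for every 'name A address' line."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";")[0].split()   # drop zone-file style comments
        if len(fields) == 3 and fields[1].upper() == "A":
            records[fields[0].lower()] = ipaddress.ip_address(fields[2])
    return records

def audit_split_dns(external_text, internal_text):
    """Compare the two zones and return a list of (name, finding) tuples."""
    external = parse_a_records(external_text)
    internal = parse_a_records(internal_text)
    findings = []
    for name, ip in sorted(external.items()):
        if is_rfc1918(ip):
            findings.append((name, "external zone exposes private address"))
        # The internal server answers from its own copy of the zone, so a
        # name absent there will not resolve for LAN clients.
        if name not in internal:
            findings.append((name, "missing from internal zone"))
    for name, ip in sorted(internal.items()):
        if not is_rfc1918(ip):
            # The problem from the thread: LAN clients are handed the public IP.
            findings.append((name, "internal zone returns public address"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_split_dns(EXTERNAL_ZONE, INTERNAL_ZONE):
        print(f"{name:20} {finding}")
```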