1

I don't know the right term for this concept. But basically, I just want to reroute internal traffic to go directly to a server within the network instead of going around the internet. The domain have to be the same.

Example:

- (for internal users) site.domain.com --> 10.0.0.1
- (for external users) site.domain.com --> 111.222.111.12

These are the constraints I have:

  • the domain needs to be the same.
  • the system is not configurable to work with more than 1 domain.
  • we're on a microsoft network.

I saw this post recently, but it's old. There's probably a solution for this now.

Resolve the same DNS name to different IPs depending on client IP network

I would appreciate any advice.

Thank you!

Community
  • 1
Ianthe the Duke of Nukem
  • 434
  • 3
  • 8
  • 21

5 Answers5

5

You need to use a "Split DNS" setup. Essentially, you have one one DNS server for external requests/users and one DNS server for internal use. The external DNS server points things to your public facing IP's, and the internal DNS can use your private IP range.

How exactly you accomplish this will depend on exactly what you're doing, though.

Here is a nice, though dated primer on the idea:

http://www.isaserver.org/tutorials/you_need_to_create_a_split_dns.html

Dan
  • 15,280
  • 1
  • 35
  • 67
1

I just want to reroute internal traffic to go directly to a server within the network instead of going around the internet. I'll show you both options LAN traffic and WAN traffic.

===========================================================================

#1 - HARD Firewall you need to open Port 53 UDP and (TCP if needed).

Thus,(for external users) site.domain.com --> 111.222.111.12 must be set to static DNS on each OUTSIDE PUBLIC laptop, Phone, Desktop or whatever. Godaddy A records updated with Public Host or IP.

I would assume you are filtering all traffic from ONE BOX. With MS Servers I use SimpleDNS installed on it. Your HOST NAME can easily be pointed to a Static or Dynamic Ip. You can use a Host name or IP. In this example it will be IP because resolving host names static is no problem, but dynamic Ips you need what's called TTL a low number. KISS lets keep this simple. Simple DNS does this all anyway. I don't use A records with Microsoft but you can point to a local ip using DNS.

===============================================================

Make sure the IP of the DNS box is A Private Ip

192.168.1.200 = IP of this DNS server

255.255.255.0

192.168.1.1 = firewall ip

192.168.1.200 = DNS after SimpleDNS Installed and activated 192.168.1.1 = before you install simpleDNS otherwise no internet access.

==============================================

Remember, you told your plastic or metal firewall to open or FORWARD this local IP 192.168.1.200 on Port 53 UDP and TCP. Thus any request for ANY website(s) will first pass from the public outside into your private box 192.168.1.200. I promise you will get some nasty people trying to steal your stuff...lots of them lots of bad people. If you are a newbie STOP and pay someone professional or your trade secrets will be out on the net or in a lawyers office. This is probably the most important setup of security period. Remember PORT 53 is open for all to view and WON'T CLOSE unlike other temp random ports. Yes recursion fixes this but again .....

Got that? Now your Public IP 111.222.111.12 will forward all DNS port 53 requests to this specific Machine in your office 192.168.1.200 when you are out of your local IP. When you are Locally plugged in its dns 192.168.1.200 as dns 1

All outside roadies should add TCP/IPV4 USE THE FOLLOWING DNS SERVER ADDRESSES: DNS 1: 111.222.111.12

All your indoor Employees (use admin permissions to prevent bypass of DNS) USE THE FOLLOWING DNS SERVER ADDRESSES: DNS 1: 192.168.1.200

again, THAT 111.222.111.12 public ip traffic will go into your office ONLY to this machine 192.168.1.200 not any other machine.

The last thing you want is one of your OUTSIDE employees using your laptops for porn or other things. Now you can stop this without a VPN and prevent $5 dollar foot long headaches :)

Confused ? this is a very hard topic to understand for some but legal requirement for some companies. For only LAN Traffic the above will be fine. For the road warriors you want to filter everything if W2. Deny everything but these approved websites. If 1099, then it's there own dam machine. Hope this added basic steps helps someone else looking for even more.

Mike Caldera
  • 151
  • 1
  • 3
  • 1
    A very good answer, but I would encourage you to focus on questions that are more recent. This one is nearly 4 years old and I'm pretty sure the original poster has moved on in one fashion or another from this problem. – Magellan Jan 06 '16 at 05:44
  • 1
    Also, take your time to learn the [formatting](http://serverfault.com/help/formatting) on here. As currently written, it's a bit hard to be read due to too many emphasizes and capital letters. – Andrew T. Jan 06 '16 at 06:09
  • 1
    Thanks for the input. I will try to be more conscious about year posted. At least google will pick this up and I promise this answer will help someone other than the original poster as intended. – Mike Caldera Jan 07 '16 at 16:20
0

Yes, the link you provided is a good one. It is called views in bind DNS server. It seems not possible using Microsoft DNS server.

In bind, the same zone is defined twice: one with public IPs and another with private IPs. The DNS server is then configured to use each one based on the clients source IPs.

Khaled
  • 35,688
  • 8
  • 69
  • 98
0

You need your internal DNS server. Though, since your DNS handled by 3-rd party, you don't really need your internal server to support views. Install any server like BIND or SimpleDNS Plus, or use Microsoft one (I'm not into windows, don't know how it works). Create zone for domain.com using you internal addresses, and allow it to be recursive server for all other domains.

Then you will have to point all your PCs to use this new server as their only DNS server, either using DHCP, via your router settings or with manual configuration on each PC.

Sandman4
  • 4,045
  • 2
  • 20
  • 27
0

For internal users, set them all to use your local DNS server. This option can be set in DHCP. Make sure the local DNS server has an A record for the internal IP of your server hosting the website, and not the public one.

Your domain name is managed by some registar. If it's someone like GoDaddy/Verio/NetworkSolutions, then they have their own name servers. Do a WHOIS lookup on your site and it should list the name servers. If you haven't changed them, then they are managed by your domain registar. From your domain registar's config page, you should have an option to manage DNS records. This is the public authoritative DNS server for your domain. Enter the public IP of your site here.

External users, assuming they are outside of your subnet, will end up querying the authoritative name server since their local DNS server wherever it is they are working at won't know the IP of your website. They will then be given the public IP.

When internal users try to access the site, they query the local DNS server first. Since it has an A record for the site, that will be given back so they will not be going over the internet.

A third option is to create a NAT loopback rule on your firewall. For Sonicwall's, it would go something like this:

For all traffic originating from a firewalled subnet that is trying to access the public IP of the website, reroute traffic to the internal IP of the website instead.

Bill Sambrone
  • 335
  • 2
  • 11