DNS Route Public IP To Private IP?

2

1

I have a public IP, say, 123.45.67.89 And a private network of 192.168.1.0/24

When I am anywhere outside the private network, I can connect to the public IP. When I am inside the private network, I cannot communicate with the public IP (HTTP/IMAP/etc).

I am told that my DNS should resolve to the private IP from the public IP when inside the network.

Is this true, and how would I go about doing this? On server 2003 (the DNS server) I setup a reverse lookup of 123.45.67.0 and created a pointer of 123.45.67.89 to my private hostname. After an ipconfig /flushdns on a client, this doesn't appear to be working.

gpresland

Posted 2011-08-24T15:06:14.053

Reputation: 480

Answers

1

The solution was to use a hostname instead of the public IP. The hostname used for the public IP was the one assigned by the ISP. From there, I added an entry in the DNS to forward traffic to the hostname to the private IP. On the outside of the network the hostname will obviously resolve to the public IP. I was told that the reason this wasn't an issue before with the Linksys router was because Linksys has weaker security and the NAT engine allowed it. The Cisco router will not allow it due to security. It is not possible to connect to the router's public IP when behind it on a private IP.

gpresland

Posted 2011-08-24T15:06:14.053

Reputation: 480

2

DNS does not route anything – it only resolves names.

The function you are looking for is Split-horizon DNS. You can set up your DNS server to resolve the same name to different addresses, depending on where the request comes from. For example:

192.168.0.1 → dnsserver:  query  'mail.example.com.' A
dnsserver → 192.168.0.1:  answer 'mail.example.com.' A 192.168.1.42

45.67.89.0 → dnsserver:   query  'mail.example.com.' A
dnsserver → 45.67.89.0:   answer 'mail.example.com.' A 123.456.78.9

For Windows Server 2003, you'll probably need a second DNS server. See these two pages for more information.

user1686

Posted 2011-08-24T15:06:14.053

Reputation: 283 655

I'm quite sure this is way outside what is necessary; as I said in a comment above, a simple Linksys router had everything working fine. Once it was replaced with an industry-grade Cisco router it no longer worked. Although this may work, I do not have a second DNS server. – gpresland – 2011-08-24T16:32:59.763

You are wrong to be quite sure. (If you knew the right answer, you wouldn't be here asking the question, would you?) This is what is necessary. grawity is right. MaQleod has said the same thing. I say the same thing. Heck, you've told us in that self-same comment that your own network administrators have said the same thing to you. Set up the split-horizon DNS service. Your network administrators aren't providing hairpin NAT any more, and have told you to set your DNS servers to provide split-horizon service instead. So do that! – JdeBP – 2011-08-24T21:25:55.923

1

The problem you are getting is that the router does not have NAT traversal enabled. If you want to connect to your server from inside the network you will need to enable NAT traversal (if it is an option) or you will need to use the private IP. You should also be able to use an internal DNS option where an internal domain name points to that private IP.
Configuring a public DNS record to point to a private IP or hostname will not work.

MaQleod

Posted 2011-08-24T15:06:14.053

Reputation: 12 560

Using the private IP/domain name is not an option. For example, my cell phone pulls emails from our server via the public IP, works fine. When I enter the building and connect to the building's wireless I get a private IP and can no longer retrieve email from the server's public IP. In terms of NAT traversal, I am not sure. Everything worked fine before on a Linksys, but a company has installed a Cisco router and now the public IP inside no longer works and they have told me to configure my DNS to resolve the public IP to the private IP of our server. The DNS server is on Server 2003. – gpresland – 2011-08-24T15:34:48.530

I think asking the folks that installed and may manage the Cisco hardware would be a good start. As @MaQleod says, there is a config change needed to achieve your goal. However, the Cisco may have been configured this way intentionally to address a security issue. – Dave M – 2011-08-24T16:06:17.347

I have contacted them and their response was to set it up on my DNS server, which to me sounds incorrect. Provided you are using a third party DNS server it would also not work - something that wasn't the case with the Linksys router. – gpresland – 2011-08-24T16:19:07.693

The irony, Dave M, is that the network administrators themselves probably asked the "How do I do hairpin NAT with Cisco kit?" question somewhere such as ServerFault, and got the answer that's all over the WWW: "I don't know myself. Just use split-horizon DNS instead." – JdeBP – 2011-08-24T22:00:51.497

0

This is how I did it. My problem was I could not connect my iPhone to my internal mail server on the Wi-Fi connection, but it was connecting fine without any problem externally or on the mobile internet.

Actually the problem was that my firewall (Cisco) is not routing the mail server's public IP internally. The only option to achieve this was to resolve our public mail domain, e.g. mail.myserver.co.uk, to a local (private) IP instead of the public IP. We are not touching external DNS entries, nor can we.

Here is what you need to do (on a Windows environment):

  1. On your DNS server, right click Forward Lookup Zone and select New Zone. With all default settings, enter as the zone name the DNS name of your server excluding the last domain, e.g. for mail.myserver.com you would enter myserver.com, or for sales.myoffice.com, enter myoffice.com.

  2. Inside this zone create an A (host) entry named mail, whose IP should be your private IP, e.g. 192.168.1.10 etc.

  3. That is it. Now you have to make sure your device/iPhone uses a DNS name instead of a public IP, e.g. mail.myserver.co.uk etc.

Faisal Khan

Posted 2011-08-24T15:06:14.053

Reputation: 1
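As an added illustration (not code from any of the posters), the following Python model shows the resolver behaviour that both user1686's split-horizon answer and Faisal Khan's internal-zone recipe rely on: the same name returns the private address to clients inside the LAN and the public address to everyone else, while a client that connects by literal IP gets no help from DNS at all. The zone data, subnets and addresses are constructed sample values (RFC 5737 documentation ranges), not the asker's real ones.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample data: which source networks count as "inside".
INTERNAL_NETS: List[ipaddress.IPv4Network] = [ipaddress.ip_network("192.168.1.0/24")]

# Internal view: only the names that must be overridden on the LAN.
INTERNAL_VIEW: Dict[str, str] = {"mail.example.com.": "192.168.1.42"}

# Public view: what the rest of the world (and the outside DNS) sees.
PUBLIC_VIEW: Dict[str, str] = {
    "mail.example.com.": "203.0.113.9",
    "www.example.com.": "203.0.113.10",
}


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive; compare them fully qualified and lower-cased."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def is_internal_client(src_ip: str) -> bool:
    """True when the query's source address falls inside one of the LAN subnets."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in INTERNAL_NETS)


def resolve_a(name: str, src_ip: str) -> Optional[str]:
    """Answer an A query as a split-horizon server would, based on who is asking."""
    try:
        # A literal IP never goes through DNS, so no split-horizon trick can
        # redirect it: this is why clients must use the hostname.
        return str(ipaddress.ip_address(name.strip()))
    except ValueError:
        pass
    qname = normalize_name(name)
    if is_internal_client(src_ip) and qname in INTERNAL_VIEW:
        return INTERNAL_VIEW[qname]
    # Names without an internal override fall through to the public answer.
    return PUBLIC_VIEW.get(qname)


if __name__ == "__main__":
    for src in ("192.168.1.50", "198.51.100.7"):
        print(src, "->", resolve_a("mail.example.com", src))
```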