I have a web server (LAMP - but this is a Win question) behind a Cisco firewall. The server is not DMZ but rather has a private address with the firewall doing some NAT translation. On the insecure side, it is hosting a company video here. I'm still working on the secure side.

My question is about DNS on a Win 2003 domain. I've created a DNS entry in A/D to route internal users to the external web address so that there aren't VPN issues. However, there have been some problems and concerns.

The main issue I've had is a "disappearing" DNS entry (happens whether DNS entry is set to the public or private IP). Sometimes when the DHCP lease renews on a client machine, the DNS entry disappears and internal users can no longer get to the site. Flushing DNS sometimes helps, but sometimes not. Putting an entry in the hosts file fixes it but that's not feasible for 700 users, many of whom are in and out of the office.

I'm kind of stumped and Google hasn't been much help. Any ideas about what I need to do? Have I forgotten something?

Refer to the attached screen shot of the DNS entry.

    ixalmida wrote:

    I've created a DNS entry in A/D to route internal users to the external web address so that there aren't VPN issues.

    What "issues" would there be? If they're VPN'd in, shouldn't the internal IP of the webserver work just fine?

    Also, how is your domain/forest setup? Can you show us more of the DNS window (e.g. an expanded view of the tree on the left-hand side)?

      Thanks for replying!

      Okay, so here's the rub...I have a very strained relationship with the domain admin. He doesn't like that I can do his job and he is very territorial. That translates into pulling teeth when I want something done to help with my web servers. He won't even acknowledge that there is a DNS issue, despite the obvious facts.

      The issue is that the Sonicwall VPN isn't picking up the DNS entry from A/D. I asked the domain admin to look into it, but he is being obtuse as usual. Obviously, I can't get access to his sacred firewall. So unless the user has an entry in the hosts file, they cannot get to it at all. I figure that if they already have the public address cached, it might just carry through the VPN connection. Maybe I'm misguided on that.

      See attachment for the DNS structure. INET is another LAMP server (internal-only) which has worked perfectly for years - until recently when a single DNS issue was reported at a remote office (fixed by flushing DNS). I'm not sure if the problems are related.

        The SonicWall should provide the address(es) to the internal DNS server(s) for the VPN connection when it hands out a (private) VPN IP to the client, thus routing any requests to internal servers to your internal-facing DNS.

        So just to make sure I'm understanding you, the internal server has the same name as the A record you're trying to force (e.g. "icare") and is thus overwriting the DNS A entry that you create whenever the DHCP lease is renewed?

        Does this server have a DHCP reservation or is it just pulling a dynamic internal IP from the scope's address pool?

          The servername is "icare", but I'm using a static IP that the domain admin gave me (192.168.10.2). It is outside of the DHCP range (21-199). All packets on the public IP are supposedly forwarded to the private IP.

          I think we may be heading towards the answer though. I believe that while a Cisco firewall performs NAT, a Sonicwall handles VPN. I'm not sure where the Sonicwall gets DNS from, but apparently it isn't A/D.

            ixalmida wrote:

            I'm not sure where the Sonicwall gets DNS from, but apparently it isn't A/D

            No, it's probably a hard-coded value (or a lack of one) in the SonicWall config (I have a Cisco ASA firewall handling VPN, and I don't recall it having any automagic AD-integration either - I manually fed it the correct addresses).

            I've never liked using static IPs; I've always preferred using a DHCP reservation. That way, you can control all of the TCP/IP, DHCP, etc. options via parameters on the reservation at the DHCP server - gives you a central point of management, you could say.

            Anyway, it sounds like the server is forcing the DNS record to be what it thinks the correct value should be. You can try stopping that behavior by disabling DNS registration.

            If you go to the properties of the NIC on the server in question, click the "Advanced" button to bring up the "Advanced TCP/IP Settings" window. Click on the DNS tab, and at the very bottom you should see two checkboxes, with the top one most likely checked. If you uncheck this checkbox, "Register this connection's addresses in DNS," you should prevent the server from overwriting those DNS A records you're manually inserting.

            Again, the above could've been handled via a configuration parameter on a DHCP reservation, but hey, maybe I just like DHCP servers too much. :p
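The steps in the reply above (unchecking "Register this connection's addresses in DNS" and then confirming the manual A record stays put) as an added PowerShell example. This is not code from the thread or from either poster; it assumes a Windows host with the DnsClient module (Windows 8 / Server 2012 or later, so newer than the 2003-era domain discussed) and an admin workstation with the DnsServer RSAT module. The zone name `corp.example` and server name `DC01` are placeholders; `icare` and `192.168.10.2` are the values given in the thread.

```powershell
# Added example, not from the original thread.
# Assumptions: DnsClient module on the registering host, DnsServer module on the admin box.
$Zone     = 'corp.example'      # placeholder: the AD-integrated forward lookup zone
$DnsHost  = 'DC01'              # placeholder: a domain controller running DNS
$Name     = 'icare'             # hostname from the thread
$Expected = '192.168.10.2'      # static IP from the thread

# 1. Run on the host whose NIC keeps re-registering itself. This is the scripted
#    equivalent of unchecking "Register this connection's addresses in DNS" under
#    NIC properties -> Advanced -> DNS tab, applied to every interface that has it on.
Get-DnsClient | Where-Object { $_.RegisterThisConnectionsAddress } |
    Set-DnsClient -RegisterThisConnectionsAddress $false

# 2. Confirm no interface still registers (the column should read False everywhere).
Get-DnsClient | Select-Object InterfaceAlias, RegisterThisConnectionsAddress

# 3. From the admin workstation: inspect the record as the DNS server holds it.
#    A record created by hand has no Timestamp; a dynamically registered one does,
#    which tells you whether something overwrote the manual entry.
$rr = Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $Zone `
        -Name $Name -RRType A -ErrorAction SilentlyContinue
if (-not $rr) {
    Write-Warning "A record for $Name.$Zone is missing from $DnsHost"
} else {
    $actual = $rr.RecordData.IPv4Address.IPAddressToString
    if ($actual -ne $Expected) {
        Write-Warning "Record points to $actual, expected $Expected (Timestamp: $($rr.Timestamp))"
    } else {
        Write-Host "OK: $Name.$Zone -> $actual (Timestamp: $($rr.Timestamp))"
    }
}

# 4. Whether the zone accepts dynamic updates at all (None / Secure / NonsecureAndSecure).
#    Dynamic updates are what let a host replace a manually created record.
(Get-DnsServerZone -ComputerName $DnsHost -Name $Zone).DynamicUpdate

# 5. What a client actually resolves, asking the DC directly rather than its cache.
Resolve-DnsName -Name "$Name.$Zone" -Type A -Server $DnsHost
```

Step 1 needs an elevated prompt on the host itself; steps 3 to 5 only need DNS admin rights on the domain controller. If the Timestamp on the record is non-empty after step 1 has been applied, something other than that host's NIC is registering the name, which narrows the search.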

              I'm not seeing that setting. Can you translate it into Yast? See the screen shots.

                Never used Yast; perhaps something to do with the "Modify DNS configuration" section in the second screenshot?

                  2 months later

                  Haven't had a problem with this since the server went public, so I'm marking it resolved.
