Hosting & Domaining Forum

Domain Lists => Reviews => Topic started by: xLRWreltyheene on Apr 10, 2023, 06:32 AM

Title: What is the proper way to set up a DNS?
Post by: xLRWreltyheene on Apr 10, 2023, 06:32 AM
Hello,
A small company named COMPANYNAME has a website called COMPANYNAME.ru hosted by a well-known hosting service.
There are only a few computers on the network, all in a single workgroup, with connections set up using IP address lists. The DNS is currently configured for 8.8.8.8, but an internal domain named COMPANYNAME.ru has been created with the domain controller serving as the DNS server, set as the main DNS server on all computers.

However, this results in requests for external sites being sent to that same server. If 8.8.8.8 is set as the first DNS server and the internal DNS server as the second, then problems arise with the domain. Can you suggest better ways to organize the DNS structure?
Title: Re: What is the proper way to set up a DNS?
Post by: JimyChen on Apr 10, 2023, 08:24 AM
Essentially, the text suggests using .loc for local certificates and distributing them through the Microsoft Active Directory Certification Authority.
External clients should not be allowed in as a self-signed certificate will not be trusted, and getting one signed by a trusted root certificate authority costs money. Thus, it is best to stick with a self-signed root and it doesn't matter what the domain is called.

The text also mentions "internal browsing" and "external browsing" which can allow access to both local network clients and external employees. Overall, the author recommends using a local domain name rather than a registered domain name.
Title: Re: What is the proper way to set up a DNS?
Post by: anuja on Apr 10, 2023, 10:21 AM
My suggestion would be to update the internal domain to COMPANYNAME.lan. This would simplify things as the office and site are separate.
There's no need for a public domain controller, instead consider using it as a DNS server for the site.
Title: Re: What is the proper way to set up a DNS?
Post by: Padsall on Apr 10, 2023, 12:41 PM
One way to simplify domain renaming is to create a subdomain called office.companyname.com. By using the "Host:" field in the proxy, you can direct requests to the internal web server running on a nearby port.
This approach is more straightforward than changing the domain name altogether.
Title: Re: What is the proper way to set up a DNS?
Post by: nish009 on Oct 14, 2023, 02:22 AM
The issue you are describing arises from the fact that your internal server is set to resolve both external and internal DNS queries, leading to conflicts. This internal server may not be configured correctly to relay queries for external domains to the correct servers (like 8.8.8.8).

One common solution for this scenario is to use the Split DNS system. The split DNS infrastructure allows you to have an internal Domain Name System (DNS) and an external DNS that utilizes the same namespace. This way, you have two DNS servers that manage the same domain but contain different data.

Here's how you can set it up:

1. For the internal DNS server: Configure your internal DNS server to resolve queries for the internal resources only. By doing this, your internal DNS server will not resolve queries for external domains. All computers in your network should be pointed primarily at this internal DNS server.

2. For the external DNS server: Use public DNS servers (e.g., 8.8.8.8 offered by Google, or other services from Cloudflare, OpenDNS, etc.) as your secondary DNS servers. These DNS servers must be configured to provide DNS services to the outside world by resolving public queries only for your publicly accessible servers.

3. Set a Forwarder: On the internal DNS server, configure a forwarder to the external DNS server (8.8.8.8). This means if the internal DNS server cannot resolve a DNS query (usually for an external domain), it will forward the query to the DNS server you specified (8.8.8.8 in this case).

This way, when internal network hosts try to access external domains, the internal DNS server forwards the query to the external DNS server only when the domain cannot be resolved internally. This maintains the isolation of your internal network and prevents DNS leakage while also allowing for external visibility when necessary.


I can provide a more detailed breakdown:

Setting up internal DNS server: You need to set up your internal DNS server to handle all DNS queries from your internal network. This server will contain DNS records for all the internal resources related to COMPANYNAME.ru. For instance, server1.COMPANYNAME.ru, workstation1.COMPANYNAME.ru, etc. The DNS suffix for all internal network devices should be COMPANYNAME.ru.

Use Split Horizon DNS: This technique will allow your primary internal DNS server to respond based on the source of the request. The same server can respond differently if the request came from inside your network and outside of it. This is vital to preserve the security of your internal resources while still fulfilling the need to serve DNS records externally.

Setting up DNS Forwarding: On your internal DNS server, you need to configure DNS forwarding. This means whenever your server doesn't have an answer for a particular query (usually those aimed at the internet), it will 'forward' that query to a server that knows, i.e., 8.8.8.8 (Google's DNS). Forwarding can typically be set up in the DNS server's settings. This way, we ensure that only queries related to the internet get forwarded to the internet.

Configuring network computers: All the computers in your network should have their primary DNS server set as your internal DNS server. This goes for all devices, not just computers. Anything that connects to your network and needs to resolve DNS should use this server.

Public DNS records: Any public records, such as a record to your website's IP, should be managed by your hosting service or domain service provider. For instance, you would have www.COMPANYNAME.ru with a record in your domain service provider's DNS servers pointing to the IP of your website.

By using such a setup, you can ensure the querying device always gets the DNS record it requires while preserving your internal network's security. Be aware that proper configuration and testing are crucial, as incorrect DNS settings can lead to many different problems, including connectivity issues, slow network performance, and potential security vulnerabilities.


Let's dive even deeper:

Internal DNS Server Settings:

On your Domain Controller (where the internal DNS server likely is), you'd have an active zone for COMPANYNAME.ru, and all the resource records for the local domain resources are configured here. For devices connected to your network, their hostnames along with the respective IP addresses should be registered in this active zone.

DNS Forwarding:

In the settings of your internal DNS server, there is an option for configuring Forwarders. Any DNS request that comes through the internal DNS server and can't be resolved with its resource records will be forwarded to this Forwarder. So, you need to set up Google's DNS servers (8.8.8.8 and 8.8.4.4) or any external DNS service you trust as Forwarders. This ensures that internal network clients can still access the rest of the internet.

Deploy the settings on Network Clients:

Once you set up your internal DNS server and configure DNS Forwarding, you will need to set up your network clients (PCs, laptops, etc.). In the network settings, you will set your preferred DNS server to the IP address of your internal DNS server. This way, any local request will be dealt with within your network, and anything else will be forwarded appropriately.

Dealing with External DNS Requests:

By setting your DNS forwarder to Google's DNS servers, all unresolved requests by your internal DNS will be forwarded appropriately. This means any request that does not match your internal resource records for 'COMPANYNAME.ru' will go to the internet. This setup ensures the rest of the internet and your WWW 'COMPANYNAME.ru' are accessible, while keeping your internal resources secured.

Public DNS Records:

However, your internal server should not be answering external queries. These should be handled by the DNS servers specified by your domain registrar where you bought 'COMPANYNAME.ru', likely the same one providing your external web hosting. These external servers would have a variety of records, such as A records pointing 'www.COMPANYNAME.ru' to the public IP of your web server.

Overall, the goal is to keep internal traffic, queries, and answers internal while still allowing your network users to access the global internet. Note that when you implement these changes, you want to ensure you're documenting everything and do a wide range of tests to ensure everything works correctly, as DNS issues can be hard to troubleshoot if not properly set up and because they can have a wide range of impacts.
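The procedure above (internal zone on the domain controller, forwarders for everything else, clients pointed only at the DC, then a test) as one PowerShell script. This is an added example, not code posted in the thread; it assumes a Windows Server domain controller running the DNS Server role at 192.168.10.5, the internal zone COMPANYNAME.ru, a client interface alias of "Ethernet", and 203.0.113.10 as the address your hosting provider publishes for www (all placeholders). One detail the script makes explicit: because the DC is authoritative for COMPANYNAME.ru, a query for www.COMPANYNAME.ru is answered from the internal zone and is never forwarded, so the internal zone needs its own www record carrying the public IP. That record is the "different data" half of split DNS and is what makes the company's own website reachable from inside the office.

```powershell
# Added example (not from the thread). Run steps 1-3 on the domain controller,
# step 4 on each client (or via DHCP), step 5 from any client.
# All IPs, the interface alias and the host list are constructed placeholders.
#Requires -Modules DnsServer

$Zone        = 'COMPANYNAME.ru'
$DcIp        = '192.168.10.5'            # assumption: DC / internal DNS server
$PublicWebIp = '203.0.113.10'            # assumption: IP published by the hosting provider for www
$Forwarders  = @('8.8.8.8', '8.8.4.4')   # resolvers for everything outside the zone

# --- 1. Internal zone and records for local resources ---
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    # AD-integrated zone; 'Secure' limits dynamic updates to domain members
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# Constructed sample of internal hosts (hostname -> LAN IP)
$InternalHosts = @{
    'server1'      = '192.168.10.20'
    'workstation1' = '192.168.10.50'
}
foreach ($h in $InternalHosts.GetEnumerator()) {
    $exists = Get-DnsServerResourceRecord -ZoneName $Zone -Name $h.Key -RRType A -ErrorAction SilentlyContinue
    if (-not $exists) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $h.Key -IPv4Address $h.Value
    }
}

# The DC is authoritative for COMPANYNAME.ru, so names under it are answered here,
# never forwarded. Copy the public web record into the internal zone so that
# www.COMPANYNAME.ru resolves to the hosting provider from inside the office.
$www = Get-DnsServerResourceRecord -ZoneName $Zone -Name 'www' -RRType A -ErrorAction SilentlyContinue
if (-not $www) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'www' -IPv4Address $PublicWebIp
}

# --- 2. Forwarders for every name the server is not authoritative for ---
Set-DnsServerRecursion -Enable $true                        # server resolves on behalf of clients
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false   # do not fall back to root hints

# --- 3. Keep the internal server off the Internet: listen on the LAN address only ---
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = @([IPAddress]$DcIp)
Set-DnsServerSetting -InputObject $settings

# If the DC also runs DHCP, hand out the DC as the only DNS server for the LAN scope
# (assumption: scope 192.168.10.0; requires the DhcpServer module):
# Set-DhcpServerv4OptionValue -ScopeId 192.168.10.0 -DnsServer $DcIp -DnsDomain $Zone

# --- 4. Statically configured clients: internal DNS only, no 8.8.8.8 in the list ---
# Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $DcIp

# --- 5. Verification (from a client, or on the DC itself) ---
Resolve-DnsName -Name "server1.$Zone" -Server $DcIp -Type A   # internal record, 192.168.10.20
Resolve-DnsName -Name "www.$Zone"     -Server $DcIp -Type A   # internal copy, 203.0.113.10
Resolve-DnsName -Name 'example.com'   -Server $DcIp -Type A   # not in the zone: forwarded to 8.8.8.8
Get-DnsServerForwarder                                        # confirm 8.8.8.8 / 8.8.4.4 and UseRootHint = False
```

Step 4 is commented out because it is typed on each client rather than on the DC. The reason the original poster's "8.8.8.8 first, DC second" ordering breaks the domain is that Windows clients do not try servers per query: they stay with the first server that answers, and 8.8.8.8 answers authoritatively (with NXDOMAIN, or with the public record) for anything under COMPANYNAME.ru, so the SRV and A lookups that Active Directory logons depend on never reach the DC. Pointing clients only at the DC and letting the DC forward is what removes that race.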