Koozali.org: home of the SME Server

DNS settings

Offline JK

DNS settings
« on: July 04, 2008, 03:40:03 AM »
Hi,

Our SME server is the DNS server for our local network. The network has 2 connections to the outside: one is a standard ADSL internet connection, and the other is a link to another network with the servers hosting our Sharepoint and email servers.

This is what we need:
- all hostnames ending with "domainx.com" to be resolved using DNS servers 172.29.0.34 and 172.29.0.35
- hostnames ending with "domainy.com" to be resolved locally
- everything else (ie. the internet) to be resolved as normal

I have set 172.29.0.34 and 172.29.0.35 as the SME corporate servers, and added "domainx.com" to the SME list of domains, setting it up to be resolved by the corporate servers.

Unfortunately it now appears SME is trying to resolve all queries using the corporate servers. How can I fix it such that "domainx.com" is resolved with the corporate servers, but everything else uses the internet DNS?


Offline cactus

Re: DNS settings
« Reply #1 on: July 04, 2008, 12:43:55 PM »
Quote
Hi,

Our SME server is the DNS server for our local network. The network has 2 connections to the outside: one is a standard ADSL internet connection, and the other is a link to another network with the servers hosting our Sharepoint and email servers.

This is not a default setup, as SME Server by default only has one outside interface... on this interface it can connect to multiple networks, of course. I might be wrong, but I interpret the two connections as you having two external interfaces.

About name resolution: AFAIK you can determine the resolution for every network individually. So if you have created two domains you should have configured them in server-manager. There you should also have set the DNS server for the domain.

If you have defined local networks like I guess you did, then they are local networks as the name already says and hence they are resolved locally.

Once again this is all based on assumption as I have a hard time understanding how you configured your domains/networks as well as the network layout not being clear to me.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline JK

Re: DNS settings
« Reply #2 on: July 05, 2008, 03:19:54 AM »
Apologies for the lack of clarity :-)

Perhaps this diagram is more helpful:


SME Server --- LAN ---------+------ ADSL connection
                |           |
office PCs -----+           +------ router --- separate LAN -- corporate DNS servers


All the PCs in the office are using SME as their DNS server.

SME needs to resolve domainy.com locally, use the "corporate" DNS servers for domainx.com, and use internet DNS for everything else.


Offline cactus

Re: DNS settings
« Reply #3 on: July 05, 2008, 09:12:23 AM »
Quote
Apologies for the lack of clarity :-)

Perhaps this diagram is more helpful:


SME Server --- LAN ---------+------ ADSL connection
                |           |
office PCs -----+           +------ router --- separate LAN -- corporate DNS servers


All the PCs in the office are using SME as their DNS server.

SME needs to resolve domainy.com locally, use the "corporate" DNS servers for domainx.com, and use internet DNS for everything else.
Are you sure that is the way you have actually engineered your network? To me this seems rather unsafe, as it looks like you have the LAN segment directly connected to the ADSL line hence the internet, without any protections.

I would suggest you build it like this (with SME Server in server-gateway mode):
Code:
LAN1 (Office PC's) --- SME Server --- ADSL Connection --- Router --- LAN2 (Corporate, including corporate DNS)
(domainy)                                                               (domainx/172.29.0)

Offline JK

Re: DNS settings
« Reply #4 on: July 07, 2008, 12:45:12 AM »
I appreciate your comments, but it's not helping me with the specific problem. My diagram was a simplified one, we do have firewalls and routers in place. The problem is purely a matter of DNS.

As far as I can tell, to get what I want, I need to remove the corporate DNS servers from SME manager, and then create a file /service/dnscache.forwarder/root/servers/domainx.com with the contents 172.29.0.34 and 172.29.0.35 on separate lines.

There doesn't seem to be any way to achieve this from the web interface.
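The per-domain forwarder file described above, as an added shell example that is not from the thread or from SME Server: it models how a djbdns dnscache chooses a servers/<domain> file by walking a query name's suffixes down to "@" (the root list used for "everything else"), and writes such a file only after checking that every address is a dotted-quad IPv4. The root directory, the address 192.0.2.53 and the domain names are placeholders, not values from a real installation.

```shell
#!/bin/sh
# Constructed example, not SME Server's or djbdns's own code: a model of how
# dnscache picks a per-domain forwarder list from its servers/ directory.
# ROOT stands in for dnscache's root directory (e.g. the
# /service/dnscache.forwarder/root path mentioned in the thread).

# is_ipv4 ADDR: true only for a dotted quad with four octets in 0..255.
is_ipv4() {
  case $1 in
    *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# build_servers_file ROOT DOMAIN IP...: write servers/DOMAIN with one
# forwarder address per line, the layout dnscache expects. Every address is
# checked before the file is touched, so a typo cannot blackhole the domain.
build_servers_file() {
  root=$1; domain=$2; shift 2
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "rejecting non-IPv4 address: $ip" >&2; return 1; }
  done
  mkdir -p "$root/servers"
  printf '%s\n' "$@" > "$root/servers/$domain"
}

# pick_servers ROOT NAME: print the servers file dnscache would consult for
# NAME, trying the most specific suffix first (a.b.c, then b.c, then c) and
# falling back to servers/@, the root list used for everything else.
pick_servers() {
  root=$1; name=$2
  while :; do
    if [ -f "$root/servers/$name" ]; then
      printf '%s\n' "$root/servers/$name"; return 0
    fi
    case $name in
      *.*) name=${name#*.} ;;
      *) break ;;
    esac
  done
  [ -f "$root/servers/@" ] && printf '%s\n' "$root/servers/@"
}
```

Run `pick_servers ROOT host.domainx.com` against a copy of your servers/ directory to confirm which list a name will be forwarded to before restarting the cache.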


Offline cactus

Re: DNS settings
« Reply #5 on: July 07, 2008, 07:01:11 PM »
Quote
I appreciate your comments, but it's not helping me with the specific problem. My diagram was a simplified one, we do have firewalls and routers in place. The problem is purely a matter of DNS.

As far as I can tell, to get what I want, I need to remove the corporate DNS servers from SME manager, and then create a file /service/dnscache.forwarder/root/servers/domainx.com with the contents 172.29.0.34 and 172.29.0.35 on separate lines.

There doesn't seem to be any way to achieve this from the web interface.


If you are about to do so, please see if these files are templates like most configuration files on SME Server. For more details have a look in the SME Server Developers Guide linked from the wiki.

Offline JK

Re: DNS settings
« Reply #6 on: July 08, 2008, 07:01:47 AM »
Quote
If you are about to do so please see if these files are templates like most configuration files on SME Server.

Well, I'm creating a new file in the folder, so naturally there won't be a template for that file.

Offline jptechnical

Re: DNS settings
« Reply #7 on: August 15, 2008, 08:00:13 PM »
I am having a similar difficulty. Here is my scenario (names changed to protect the innocent):

Code:
sme.example.com is my sme server (in testing)
  ip: 10.0.0.88
  gateway: 10.0.0.1
  corp.dns: 10.0.0.1

mail.example.net is my (personal) mail server
  ip: 10.0.0.60

10.0.0.1 is my gateway running dns (glorified hosts file) for local lan, it has host records for mail.example.net --> 10.0.0.60

The problem is that from the console on sme.example.com I ping mail.example.net and it resolves to the internet. The sme server is getting mx records from the internet, which is fine, but it is trying to deliver to preference 1 (web host), not preference 0 (my public IP). I presume this is the case because the firewall is not letting lan traffic route out and back in again through the public address, so it fails immediately on pref0 and goes to pref1, which is at the web host.

When I try and ping mail.example.net it resolves to the public IP, not the private ip of 10.0.0.60. So, the corporate dns entry does not appear to be doing anything of value. I added a couple records to /etc/hosts, and now I can ping the address and it resolves internally just fine; however, when I send mail to the domain, the mail server still tries to send to pref1, leading me to believe that it still resolves mail.example.net to the internet address.

I have tried adding the domain to my sme server with all three options for resolution... the net effect is either the same issue or the mail for example.net just gets delivered locally.

What am I doing wrong? I really need to test mail on this thing, but I can't seem to do it this way. Every other mail server and server distro (lin or win) lets me add a host record or respects my dns server and delivers mail without issue... even if they grab mx records from the web, they still resolve that mail.example.net from the mx record according to the hosts file or the dns server.

Help?


Offline arne

Re: DNS settings
« Reply #8 on: August 15, 2008, 10:24:00 PM »
Don't know if this is any answer to the question(s), but there is a simple trick for the situation where dns resolving works correctly for external users on the internet, but not for local users on the lan. Like Linux has its /etc/hosts file, Windows PCs also have a hosts file that can be used to override how the dns resolving mechanism works for local Windows (XP) clients.

The Windows XP hosts file has normally this address: C:/windows/system32/drivers/etc/hosts This file can be manually edited.

In this way each local (Linux or) Windows client can be configured to do dns resolving as you want them to do it. It works quite well as long as there are only a few client PCs to configure.

Offline mercyh

Re: DNS settings
« Reply #9 on: August 15, 2008, 10:40:44 PM »
Quote
It works quite well as long as there is only a few client PC's to configure.

or if it is pushed out by netlogin.bat

Offline jptechnical

Re: DNS settings
« Reply #10 on: August 15, 2008, 10:54:01 PM »
Both good ideas. I loooove hosts files... you can do some pretty amazing stuff with host files and logon scripts.

My problem, though, is with the sme server not using either my internal dns server or a host file to resolve internally for mail. Again, it pings internally, but when it tries to mail it goes to the public address (afaict).

Thanks though.

Offline mercyh

Re: DNS settings
« Reply #11 on: August 15, 2008, 11:01:04 PM »
Quote
When i try and ping mail.example.net it resolves to the public IP, not the private ip of 10.0.0.60. So, the corporate dns entry does not appear to be doing anything of value. I added a couple records to /etc/hosts, and now I can ping the address and it resolves internally just fine, however, when I send mail to the domain, the mail server still tries to send to pref1, leading my to believe that it still resolves mail.example.net to the internet address.

I saw this part and actually added the last post for the next person reading this instead of for your exact situation.

Would this post help you?
http://forums.contribs.org/index.php?topic=41780.0

or this?
http://forums.contribs.org/index.php?topic=41763.0

Offline mercyh

Re: DNS settings
« Reply #12 on: August 15, 2008, 11:17:19 PM »
I don't think that last link applies to you but this one may:

http://forums.contribs.org/index.php?topic=40563.0

Offline linuxhelp

Re: DNS settings
« Reply #13 on: August 19, 2008, 03:13:31 PM »
Hello @ All

I run SME in DNS server-only mode with DHCP enabled.
At the office I have 4 PCs with Ubuntu Linux using DHCP.
Why does SME not recognize the DHCP IPs and update its
own DNS table? Must the admin always put the
local IPs into server-manager hostnames manually?
The resolv.conf of the PCs is updated and nslookup to google.com
is ok, but nslookup to local net PCs doesn't work.
Thanks..
Linux PC & Server Support
http://www.linuxonlinehelp.de
.. i Love SME..

Offline electroman00

  • ****
  • 491
  • +0/-0
Re: DNS settings
« Reply #14 on: August 20, 2008, 06:12:42 AM »
Suggested Setup...

Code:
                            +------ ADSL connection
                |           |
                            +------ router DMZ ( 1to1 Nat) ----- corporate DNS servers - >> (No office PCs)
                |           |
                            +------ router DMZ ( 1to1 Nat) ----- SME Server in (server gateway mode) SME Lan side used for SME Admin ONLY.
                |           |
                            +------ router Lan ( 1 to many Nat) ----- office PCs (No SERVERS -- Security Issues & maybe Double Nat Issues)


You didn't state what router you have, if it's a brick router, junk it and use a real FREE firewall Smoothwall, IPCop, pfSense, $$$ Cisco...etc.

600MHz PIII, 512MB and 3 NICs, launch Smoothwall, IPCop, pfSense..etc and you're good to go.

Networking rule #1 --- Never put a SERVER (WEB, Mail, or any other type) on a (office PCs) LAN..!!!

If one hacks the SERVER connected to a LAN then in effect they have hacked the LAN (office PCs) as well.

Separate networks with controlled access to what ever your needs may be = Damage Control.

Networking rule #2 --- Make your job easy and the hackers job as difficult as possible.

The above solves your DNS problem and all future problems. Well, you're going to have some problems, but the correct setup
leads to easy solutions as well as complete control of the networks at hand.

Users / Hackers / Viruses / Trojans / Pirates / Spammers / Phishing / Spoofing / last but not least EMAILs = The need for Damage Control

And one gets to keep their job, if they don't make any other stupid mistakes (i.e. wireless foobar setups).

http://community.smoothwall.org/forum/viewtopic.php?t=24531

This starter setup...
http://home.c2i.net/jeaskildt/smoothie/NetworkDiagr/basic2.jpg



HTH

For those that don't agree with rule #1 "Google is your friend".....

Have a good day...