DNS: Forward Lookup Zones

ISSUE: Your boss has tasked you with creating some new service (such as an instant messaging server), or perhaps management wants to move your company’s external website from third-party hosting to internal hosting. In either case, the service will be accessed by both internal and external users. Traditionally, this would require the use of two names: an internal one (“chatserver.internaldomain.local”) and an external one (“chatserver.externaldomain.tld”).

PROBLEM: Using two names creates confusion in two ways. First, your users might not be technically savvy enough to understand the difference between internal and external names. They might try accessing the chat server or website using the external name from inside the company, or the internal name from outside, either of which will result in failed connections. Second, your firewall or proxy server software might not handle internal->external->internal connections gracefully. If your internal users try to connect to your company’s external website, chances are that DNS will resolve the name to the external IP address; most firewall, proxy or NAT software that I’m familiar with doesn’t care for this type of setup at all, and problems may result from configuring your domain this way.

SOLUTION: Use a Forward Lookup Zone in your local DNS to resolve your external domain names to local IP addresses. This allows you to give your users a single address for the new chat or web server. And since anyone inside the company will use local DNS to resolve your external domain to local addresses, you can avoid any unpleasantness with your proxy/firewall software, since the packets will never hit the proxy in the first place.

1) Start the DNS Manager by clicking on Start > Administrative Tools > DNS.

2) Under your server name, right-click on “Forward Lookup Zones” and select “New Zone”.

3) The “New Zone” wizard will begin. Click “Next”.

4) Choose “Primary Zone” and make sure that “Store the zone in Active Directory” is checked. Click “Next”.

5) The next screen will prompt you to choose whether to replicate the DNS data to other DNS servers in your forest, domain, or to domain controllers only. Choose which is appropriate and click “Next”.

6) In the “Zone Name” window, enter the name of your zone (typically this would be EXTERNALDOMAIN.TLD) and click “Next”.

7) On the “Dynamic Updates” screen, you need to choose an option for dynamic DNS updates. Since this zone should be completely static, I normally choose “Do not allow dynamic updates”, but choose one of the other options if you need them. Choose one, then click “Next”.

8) Click “Finish” on the final window of the wizard.

The zone has now been set up. Now we need to enter some entries into the zone itself:

1) In the DNS Manager window, click on the zone you just created. In the right-hand pane, right-click in some whitespace and choose “New Host (A)”.

2) What you type next depends on what you want to do. For example, if your company uses a third party to host your external website, you’ll need to create DNS entries for the external site. To do this, leave the “Name” field blank (this creates the record for the domain itself), enter your site’s external IP into the “IP Address” box, then click “Add Host”. Repeat the process, this time typing “www” in the “Name” box and putting the same external address into the “IP address” box, and click “Add Host” when done. You might need to repeat this process yet again if your company uses external email (provided it’s on the same domain as your web hosting, such as MAIL.EXTERNALDOMAIN.TLD); this time enter your mail server’s name (usually “mail”), then enter the external IP address of your mail server and click “Add Host”. If you are creating a new service (such as the chat server), enter the name of the new server (such as “chat”) into the “Name” box, then type the LOCAL IP address into the IP address field and click “Add Host”. When done, click “Cancel”.

3) You’re probably going to want to test everything, so open a command prompt and try pinging all your “new” DNS entries. If you get errors, double-check the DNS entries you just created. If they appear to be correct, type IPCONFIG /FLUSHDNS at the command prompt and try pinging the server names again.

4) If you are creating a new service, you will need to go to your company’s external name servers (typically these are run by either your company’s ISP or your domain registrar). There you will need to create a new CNAME record for the new service. Since different companies have different methods and different interfaces for editing DNS records, I won’t go into detail here – call your ISP or registrar if you have any questions. Also, if you’re moving your website from third-party hosting to a local server, you’ll need to edit your site’s external A records at the ISP or registrar. Again, because different providers have different methods and interfaces for doing this, I won’t go into detail here.

The only thing you really need to remember here is that creating a new Forward Lookup Zone means that your local DC/DNS server will now answer all queries for whichever external domain you create; it will no longer forward any of them to the public name servers. So if you neglect to add all of the existing host names and addresses to the new zone, your users will get error messages when trying to connect to any service on that domain. Likewise, if your external web host changes your website’s IP address, all local users will be unable to get to your company’s website until you update the A records for the parent domain and the www entry. And if you have an IT person, be sure to talk with him or her before you make any of these changes!
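The same procedure, from zone creation through record verification, as an added PowerShell example that is not from the original post. It uses the Windows DnsServer module cmdlets that ship with the DNS Server role; the domain name and IP addresses are constructed placeholders, and Compare-SplitZone is a hypothetical helper for the caveat above (it flags any name whose internal answer no longer matches what public DNS returns).

```powershell
# Added example (not from the original post): the split-brain zone built with the
# DnsServer module instead of the DNS Manager GUI. Run on the DC/DNS server as a
# DNS admin. Domain name and addresses are constructed placeholders.
$Zone = 'externaldomain.tld'

# Primary, AD-integrated zone replicated to DCs in the domain, static (no dynamic updates)
Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope 'Domain' -DynamicUpdate 'None'

# Externally hosted web and mail keep their public addresses; the new internally
# hosted chat service gets its LAN address. '@' is the record for the domain itself.
$Records = @(
    @{ Name = '@';    IPv4Address = '203.0.113.10' }   # apex, still hosted externally
    @{ Name = 'www';  IPv4Address = '203.0.113.10' }
    @{ Name = 'mail'; IPv4Address = '203.0.113.25' }
    @{ Name = 'chat'; IPv4Address = '192.168.10.50' }  # new internal service
)
foreach ($r in $Records) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $r.Name -IPv4Address $r.IPv4Address
}

# Client-side check: flush the resolver cache and resolve each name. Unlike ping,
# this shows the answer even when a firewall drops ICMP.
Clear-DnsClientCache
foreach ($r in $Records) {
    $fqdn = if ($r.Name -eq '@') { $Zone } else { "$($r.Name).$Zone" }
    Resolve-DnsName -Name $fqdn -Type A | Select-Object Name, IPAddress
}

# Drift check for the caveat above: compare every A record in the internal zone
# with the answer from a public resolver. A mismatch on a public name means the
# hosting provider changed an address and the internal copy must be updated;
# 'chat' is expected to differ because it only exists internally.
function Compare-SplitZone {
    param([string]$ZoneName, [string]$PublicResolver = '1.1.1.1')
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A | ForEach-Object {
        $fqdn = if ($_.HostName -eq '@') { $ZoneName } else { "$($_.HostName).$ZoneName" }
        $internal = $_.RecordData.IPv4Address.IPAddressToString
        $public = (Resolve-DnsName -Name $fqdn -Type A -Server $PublicResolver -ErrorAction SilentlyContinue |
                   Where-Object QueryType -eq 'A' | Select-Object -First 1).IPAddress
        [pscustomobject]@{ Name = $fqdn; Internal = $internal; Public = $public
                           Match = ($internal -eq $public) }
    }
}
Compare-SplitZone -ZoneName $Zone | Format-Table -AutoSize
```

Schedule the drift check (or run it whenever your web host announces a change) so local users are not cut off from the public site when its address moves.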

3 Replies to “DNS: Forward Lookup Zones”

  1. I love reading this blog. I came across it searching one day and decided to bookmark it. Keep up the great work!

  2. What if you have 200 websites hosted on an internal server, do you need to create 200 FLZ’s or is there a more efficient way of accomplishing this?
