Mark Minasi's Tech Forum
castelon (Still Checking the Forum Out)
#1
I work at a public library and we have a web server in our building. No one outside our building was able to access our web server. If I tried to ping our server from outside our building, an IP address was not found for our URL. We have a DNS server inside our building which we use for our local network. It contains host records for the computers in our building and all of the IP addresses that I have seen on the server are 10.1.x.x addresses. We were having no network problems inside of our building. A co-worker of mine restarted this DNS server in an attempt to resolve the problem that users outside of our building were having accessing our web server. I thought that this made no sense since this DNS server, as far as I know, serves only our LAN and has nothing to do with users outside our building (on the Internet) trying to access our web server. The restart did not solve the problem and we later found out that our contract for our public DNS record, which is maintained by GoDaddy I believe, had expired. We renewed it and users around the world were again able to access our web server.

Does anyone know why my coworker thought that restarting the DNS inside our building, which we use for our LAN, would solve the problem that we were experiencing?
spam spam bacon spam, New Friend (or an Old Friend who Built a New Account)
#2
What's DNS?

(hahahaha [wink])

Before I go off into sidetrack-ville, let me state the obvious:
The only person who can answer your question is your co-worker.

That being said, DNS isn't the easiest thing to master, so it's no wonder that people get tangled in the weeds when a problem occurs... 

...especially if you remind yourself that when a problem like this occurs and people are waiting on us to fix it, our stress level goes up. When we work under stress, we need to have a mastery of the system in order to work through a problem calmly and without mistakes.

But, if we aren't too sure* about some parts of the system, we'll usually stumble.

*being unsure about something could be a simple:
"I haven't dug into that yet, but I'd like to really get my hands dirty when I've got more time..."   
but it could also be the more insidious:
"I'm an expert. I know how it works. I set it up." (where setting it up consisted solely of plugging it in and attaching a monitor.) (these are the people that I just reall.....ummmmm... never mind that thought.)

DNS. One kid I worked with at my college help-desk thought /flushDNS was greater than sex. He used it as his "go to" for every problem. Forgotten passwords, can't find an email from professor, you name it. <shakes head... kids....> I use /flushdns so infrequently that I forget how to spell it.

DNS. I had one BOSS cause me more grief over DNS than I ever should be expected to humanly endure. There were a TON of different DNS "things" he lit and threw in my foxhole, but one time, he told me to get the DNS "record file" from the old domain registrar because he wanted to use Network Solutions' DNS servers. (We were with Network Solutions)

So I told him he just needed to go to the admin panel in NS and add the domain name(s) he wanted NS to host on their DNS servers. (Where they were being hosted was a secret. Everything was a secret with this guy) Anyways, he kept swearing he needed a file from the old company. After some minutes of me dissecting his request in the hopes that I was missing some key info and him just getting angrier and angrier that I didn't just obey [wink]~ his request finally devolved into "they'll send an email with the record pasted in..."

So I called 10 mins before quitting time, and talked to the sales rep for about 45 minutes... we hit it off, and laughed at all sorts of funny stuff until it started getting dark. I had him send me an email with the nslookup results pasted into it. Turns out they moved to a new billing system a few years prior, and we didn't even exist in their system - but the rep remembered the place I was working for and my boss... otherwise, I could've been the crazy lady demanding nonexistent DNS files. Zipped. I need those DNS files now! AND ZIP 'EM FER CRISSAKES!!!!

Cheers,

~Spamzy


__________________
If at first you don't succeed, destroy all evidence that you tried.
Donato, New Friend (or an Old Friend who Built a New Account)
#3
If your web server is in-house only, it should be a .local site, not a .com or .net. It should not have an external IP address or port forwarding. An entry in the hosts file is all that's needed to point network users to it. One time I set up an in-house site & when I looked at the log files, the google bot had crawled it. It took me a few weeks to realize that wappalyzer, which is a firefox add-on, allowed the google bot to enter. Surprise.
spam spam bacon spam, New Friend (or an Old Friend who Built a New Account)
#4
Quote:
Originally Posted by Donato
If your web server is in-house only, it should be a .local site not a .com or .net. It should not have an external IP address or port forwarding. An entry in the hosts file is all that's needed to point network users to it.

That's a good point.

Quote:
Originally Posted by Donato
One time I set up an in-house site & when I looked at the log files, the google bot had crawled it. It took me a few weeks to realize that wappalyzer which is a firefox add-on allowed the google bot to enter. Surprise.

Whoa. I had used wappalyzer for a bit when it first came out and thought it was pretty cool. (wait for this...) Right around then, I was taking an infosec class in college... my professor saw it on my laptop and also liked it so much he suggested it to the class during a talk on website security. Gahhhhhh!!!

It's crazy that it allowed the google bot in... sounds like you did some damn good sleuthing!

~s


__________________
If at first you don't succeed, destroy all evidence that you tried.
Pieter, Senior Member
#5
>> If your web server is in-house only, it should be a .local site not a .com or .net.
Not necessary.
We use the same domain name internally as external. The technique is called Split Brain DNS, see http://www.itgeared.com/articles/1020-what-is-split-brain-split-horizon-or/ .

In my opinion Microsoft introduced the .local TLD in the early days of Active Directory, when DNS was often in the hands of the Linux guys in the company. Those were the days when Linux guys didn't talk to Windows guys. Because AD needs SRV records and BIND DNS didn't always support them (I do not know exactly from which version BIND DNS also supports SRV records), it was easier to use DNS on Windows. Of course using a different DNS domain name for AD. Therefore the .local TLD.

If you need to address a website from inside: create an A record on the internal DNS server.
If you need to address a website from outside: create an A record on the external DNS server and be sure to create an inbound policy on your firewall.

__________________
Pieter Demeulemeester
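The two-sided check this thread keeps circling (the LAN resolver answering while the public side does not, or vice versa) is easy to make explicit. The following is an added example, not code from the original thread or from any poster: it builds a DNS A query in RFC 1035 wire format with the standard library only, sends it to one resolver at a time, decodes the answer section, and then says which view of a split-brain setup needs attention. The hostname and the two resolver addresses are placeholders; the function and constant names are my own.

```python
"""Check a hostname against the LAN resolver and a public resolver separately.

Added example (not code from the original thread). Standard library only: it
builds a DNS A query in RFC 1035 wire format, sends it over UDP, decodes the
answer, and then says which side of a split view needs attention.
The hostname and resolver addresses in main are placeholders to replace.
"""
import random
import socket
import struct

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3   # RCODE values from RFC 1035


def build_query(name, txid=None):
    """Return a DNS query packet for an A record of `name`, recursion desired."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # id, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # compression pointer into the packet
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:                # the field ends after the first pointer
                end = offset + 2
            offset = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(data):
    """Return (rcode, [IPv4 strings]) from the answer section of a response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                    # skip the echoed question(s)
        _, offset = _read_name(data, offset)
        offset += 4                        # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen                    # CNAME and other types are skipped
    return rcode, ips


def query(resolver_ip, name, timeout=3.0):
    """Ask one resolver for `name`; returns (rcode, ips), or (None, []) on timeout."""
    pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (resolver_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None, []
    if data[:2] != pkt[:2]:                # transaction id mismatch: not our answer
        return None, []
    return parse_response(data)


def diagnose(internal, external):
    """Map the two (rcode, ips) results onto which side of the split view to fix."""
    int_ok = internal[0] == NOERROR and bool(internal[1])
    ext_ok = external[0] == NOERROR and bool(external[1])
    if int_ok and ext_ok:
        return "ok"
    if int_ok and not ext_ok:
        return "external"   # LAN view fine: public zone, registrar or firewall, not the LAN DNS server
    if ext_ok and not int_ok:
        return "internal"   # public view fine: the internal A record (or hosts entry) is the problem
    return "both"


if __name__ == "__main__":
    HOST = "www.example.org"          # placeholder hostname
    LAN_RESOLVER = "10.1.0.1"         # placeholder: your building's DNS server
    PUBLIC_RESOLVER = "192.0.2.53"    # placeholder: any public recursive resolver
    inside = query(LAN_RESOLVER, HOST)
    outside = query(PUBLIC_RESOLVER, HOST)
    print("internal:", inside, "external:", outside, "->", diagnose(inside, outside))
```

Run it from a machine on the LAN with the placeholders replaced. In the situation the original post describes, the LAN resolver returns the 10.1.x.x address while the public resolver returns NXDOMAIN, and `diagnose` reports "external": the record the outside world needs lives at the registrar's name servers, so nothing done to the building's DNS server can change that answer.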
Donato, New Friend (or an Old Friend who Built a New Account)
#6
Spam wrote:
Quote:
It's crazy that it allowed the google bot in... sounds like you did some damn good sleuthing!

It took me about 3 weeks to find the answer.

Pieter wrote:
Quote:
Not necessary.

I'm sure that the split brain DNS works well but it seems to be a lot more work than using .local with an entry in the hosts file all of which takes a few minutes. If the Linux guys didn't talk to the Windows guys, neither one of them should have been there. 
wobble_wobble, Associate Troublemaker Apprentice
#7
Quote:
Originally Posted by Donato
Spam wrote:

It took me about 3 weeks to find the answer.

Pieter wrote:

I'm sure that the split brain DNS works well but it seems to be a lot more work than using .local with an entry in the hosts file all of which takes a few minutes. If the Linux guys didn't talk to the Windows guys, neither one of them should have been there.

Na, the politics still happen.
Even in pure MS houses...

Why the person rebooted the internal server: long-known knowledge from a previous incarnation of the solution.
Replace the appropriate word in this story

__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
castelon (Still Checking the Forum Out)
#8
Thanks, everyone! I really appreciate your replies! I see from your comments that you also do not know why our local DNS server was restarted. I feel better now knowing that I am in good company!