
My configurations:

(0) Configured an all-in-one server (Windows 2008) running IIS + DNS + AD (the only domain controller); internal IP: 192.168.1.200; computer name: w2k8

(1) Registered a public domain, mydomain.com, from my ISP

(2) Added a HOST (A) entry, mylan.mydomain.com, in the ISP's domain entries, pointing to my home router's only public IP address (say 123.123.123.123)

(3) On the home router (Linksys Wireless-G), set up port forwarding (port 80 for web) to my all-in-one server, 192.168.1.200

(4) I can successfully load my server's web page from any public browser with http://mylan.mydomain.com/...

My Question:

How do I make my internal server "w2k8.mylan.mydomain.com" respond to ping from any remote Internet PC? I tried forwarding port 53 (supposed to be the DNS port). I also tried playing with the ISP's domain NS entries, but couldn't make it work. I think it's quite possible. Please help.

Many thanks.

-Simon

simon
  • I'm not sure I understand what you're asking. Are you trying to ping the server from the outside? Make it respond to DNS queries from the outside? Load your web site within the network? You will need to clarify your question quite a bit; perhaps make it more generic instead of poring over the minute details. – Justin Scott Jun 06 '09 at 04:12
  • Yes, I want to be able to do this: ping w2k8.mylan.mydomain.com. The reason is to understand how my DNS is working. – simon Jun 06 '09 at 04:16
  • Jason - 95 to 5 odds that he's putting private IPs into the public DNS. – Evan Anderson Jun 06 '09 at 04:24
  • No, I didn't. I put my public IP in the public DNS. It's good because I can open my private server's web page by http://mylan.mydomain.com – simon Jun 06 '09 at 04:27
  • It's not clear to me that "w2k8.mylan.mydomain.com" is resolving to a public IP address. If you run the "nslookup w2k8.mylan.mydomain.com" command from a command prompt you'll see whether it's resolving to your public IP or to a private IP on your LAN (my guess is it's resolving to the private IP address of the machine "w2k8"). If it is resolving to a public IP and you really want to forward ICMP (PING is a type of ICMP packet) through your firewall to that host, then you'll need to configure that on your firewall (except that I'm not aware of any Linksys firewall that can do that). – Evan Anderson Jun 06 '09 at 04:31
  • Off to bed. I'll be interested to see how this turns out in about 6 hours. – Evan Anderson Jun 06 '09 at 04:33

2 Answers


As a first statement: if the PCs on your LAN (like w2k8.mylan.mydomain.com) are using RFC1918 "private" IP addresses, then it doesn't matter whether people out there on the 'net can resolve their names or not; they'll never be able to route packets there.

That aside, assuming you have a static IP address, you could put in an NS entry for "mylan.mydomain.com" into the public DNS for your public static IP address. You'll have to forward UDP port 53 through your firewall to your DNS server. At that point, you can put whatever records you want into that DNS server in the "mylan.mydomain.com" zone and they should resolve for users on the global Internet.

Just because they resolve, though, doesn't mean that the people out there can route packets to the addresses they resolve to. Keep that in mind.

Evan Anderson
  • Thanks Evan. I do have port 53 forwarding in my router and I do have a w2k8 entry in my local DNS entries. But when I ping w2k8.mylan.mydomain.com from the Internet, I get timeout errors. – simon Jun 06 '09 at 04:19

While it is possible for you to forward ICMP packets from the Internet to your internal server, why would you want to? You can probably configure the Linksys to do port forwarding for packets that arrive at 123.123.123.123 and forward them to 192.168.1.200. You are basically already doing that with TCP port 80. I don't recommend it, though. Is this because you want to monitor it? Are you sure that's what you want, because it's not good security.

If you do port forwarding for UDP/TCP 53 from the external interface of the Linksys (123.123.123.123) to 192.168.2.200, you will not open ping; you will be permitting them to perform DNS lookups. Once again, not a good idea.

The only addresses and ports you should "expose" to the Internet are those for services that you want to make publicly available to the Internet.

netlinxman
  • Thanks. Assuming my setup is already good for DNS lookup but not for PING, how do I test whether my DNS is working or not other than by using PING? – simon Jun 06 '09 at 04:26
  • The nslookup command performs DNS lookups. It's your friend. For what you want (looking up an 'A' record), just do an "nslookup " from a command prompt. – Evan Anderson Jun 06 '09 at 04:27
  • Thanks Evan. The PING gives me something like this: "Pinging w2k8.mylan.mydomain.com [8.15.7.107] with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out." The "nslookup w2k8.mylan.mydomain.com" returns: "Name: w2k8.mylan.mydomain.com Addresses: 8.15.7.107, 63.251.179.17, 65.200.200.47". They're all strange addresses to me. – simon Jun 06 '09 at 04:35
  • It's really undesirable to allow ICMP from the public Internet to hosts that are "protected" by your Linksys Firewall. – netlinxman Jun 06 '09 at 04:44
  • In fact, Linksys generally ONLY has an option that permits ICMP or "Ping" packets to hit the external interface ONLY. So you might be able to ping 123.123.123.123, but it won't go any further. And you have to explicitly enable that. It's called "Block WAN Requests" (boolean) on my Linksys. – netlinxman Jun 06 '09 at 04:50
  • I thank you guys; all your suggestions were really helpful. Although I still cannot ping or nslookup w2k8.mylan.mydomain.com from the public Internet, I believe it's either my router's limitation (personal brand) or that the internal DNS behind the firewall is not supposed to resolve requests from the outside public. Anyway, good advice, guys. Unfortunately I can't give both of you the right answer; this time I go with Evan. Thank you both anyway. – simon Jun 06 '09 at 05:01
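Added example, not code from either answer or from the original poster: the two threads above turn on the same check. Evan's answer says that a name published through a delegated "mylan.mydomain.com" zone will resolve on the global Internet but that resolving is not the same as being routable, and simon's follow-up comment asks how to test the DNS side without ping. The script below does what "nslookup w2k8.mylan.mydomain.com 123.123.123.123" does, by hand: it builds the raw A-record query that goes out on UDP/53, parses the answer (including name compression), and then classifies each returned address as RFC1918/local (never reachable from outside, and a leak of the LAN layout) or public (and whether it matches the router's WAN address). The hostnames, the router address 123.123.123.123 and the response bytes in the offline demo are placeholders and constructed data, not captures from the poster's network; the live `query_server` helper is only invoked if you point it at a real server yourself.

```python
"""Raw DNS A-record query/response walkthrough with an RFC1918 leak check.

Added example for the thread above, not the original poster's or the
answerers' code.  Assumptions: names and the 123.123.123.123 router address
are the thread's placeholders; the response bytes used in the demo are
constructed by build_response(), not captured from a real resolver.
"""
import ipaddress
import socket
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: <len><label>...<0>."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A query, the same packet nslookup sends on UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query: bytes, addrs, ttl: int = 300) -> bytes:
    """Constructed answer to `query` for the offline demo (flags: QR, RD, RA)."""
    txid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, 0x8180, qd, len(addrs), 0, 0)
    body = query[12:]  # echo the question section unchanged
    for a in addrs:
        # 0xC00C is a compression pointer to the name at offset 12 (the question)
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(a).packed
    return header + body


def _read_name(buf: bytes, off: int):
    """Decode a possibly-compressed name; returns (name, offset just after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:           # compression pointer
            jumps += 1
            if jumps > 16:                  # refuse pointer loops in hostile replies
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2               # the name ends after the first pointer
            off = ((length & 0x3F) << 8) | buf[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(resp: bytes, expected_txid: int = 0x1234):
    """Return the IPv4 strings from the answer section (A/IN records only)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch (stale or spoofed reply)")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"DNS error rcode={rcode}")  # 3 = NXDOMAIN
    off = 12
    for _ in range(qd):                     # skip the echoed question(s)
        _, off = _read_name(resp, off)
        off += 4                            # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return addrs


def reachability_report(addrs, expected_public_ip: str):
    """Classify each resolved address: resolving is not the same as routable."""
    report = {}
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.is_loopback or ip.is_link_local or ip.is_private:
            report[a] = "not routable from the Internet (RFC1918/local); leaks LAN layout"
        elif a == expected_public_ip:
            report[a] = "public, matches the router WAN address"
        else:
            report[a] = "public, but not your router; check the zone/delegation"
    return report


def query_server(name: str, server: str, timeout: float = 2.0):
    """Send the query to `server` on UDP/53 (live network; not used by the demo)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(512)
    return parse_a_records(resp)


if __name__ == "__main__":
    # Offline demo on constructed data: a leaked LAN record next to the public one.
    for name, addrs in (("w2k8.mylan.mydomain.com", ["192.168.1.200"]),
                        ("mylan.mydomain.com", ["123.123.123.123"])):
        resp = build_response(build_query(name), addrs)
        for a, verdict in reachability_report(parse_a_records(resp), "123.123.123.123").items():
            print(f"{name} -> {a}: {verdict}")
```

To test a real delegation the way the thread discusses, call `query_server("w2k8.mylan.mydomain.com", "123.123.123.123")` from outside the LAN: a timeout means UDP/53 is not reaching the internal DNS server (or the Linksys is not forwarding it), an rcode of 3 means the zone does not hold the name, and a 192.168.x.x answer means the record resolves fine but, as Evan's answer says, nobody on the Internet can route to it.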