
I am not really sure where to start with this one...

I have a small network setup with some linux servers (Ubuntu 11.04 Server).

2 servers are running BIND 9 (NS01, NS02), they are configured as master and slave respectively.

1 server is running Zimbra ZCS 7.1.1 (MX01); it has a private BIND 9 server running to achieve a split DNS configuration. This DNS server does not interact with the other two; it forwards queries it can resolve to the other two, and that is it. No zone transfers.

Zimbra is hosting 3 domains at the moment, solignis.local, solignis.com, campbellsurvey.net.

The problem

From within my network I cannot connect to mail.campbellsurvey.net. When I say I cannot connect, I mean that if I open Firefox and type https://mail.campbellsurvey.net I go nowhere; the address is supposed to connect to my Zimbra webmail. But it goes nowhere. The odd thing is, if I try the same task from outside of the network it brings the website up like normal.

If I try to create an account in Thunderbird to connect to the same server using IMAP4 or POP3, I get an error saying that Thunderbird cannot find the domain name. Even the Zimbra client fails too.

It is like, from within my own walls, campbellsurvey.net does not exist. But if I step outside I can get it to work with no problem at all.

I had thought maybe the problem was with the DNS server (BIND 9), so just to eliminate it as a possibility I configured a Windows server I use for VMware VCenter as a DNS server to see what would happen. The result was the same; it's like something is preventing connections to those domains, but I have checked various firewalls and such. I checked port forwards, etc. So I am running out of ideas.

I know this is not a lot of information to work from, and I can give more details about certain things as needed. I am just trying to figure out what could be going wrong.

Any help you could offer would be much appreciated.

AtomicPorkchop

2 Answers


There is a chance that your router/firewall is not allowing the "loop-back" of internal traffic to your public IP and then back into your internal systems. Some equipment just does not support that functionality, while other equipment requires specific configuration to enable it.

If your internal lookups are resolving to your public IP and your servers are only responding to internal requests through their internal IP, then the probability of this situation is pretty high.

user48838
  • The internal hostname of the mail server is `mx01.solignis.local`; the internal domain is `solignis.local`. If I enter that into Thunderbird or my web browser it works fine. So my internal lookups are resolving to my local DNS, but because I do not have a zone file for `campbellsurvey.net` I am under the impression it forwards its queries to OpenDNS, which is set in my forwarders. I am guessing that I am missing something. – AtomicPorkchop Jun 26 '11 at 01:22
  • "mail.campbellsurvey.net resolves to 10.0.0.20 internally." Is 10.0.0.20 the server that you are trying to reach? – user48838 Jun 26 '11 at 02:05
  • Yes, 10.0.0.20 is a virtual address on the server. – AtomicPorkchop Jun 26 '11 at 02:06
  • But is it the server you are intending to reach? If so, then you may need to check the configuration of that server to see if there is anything limiting its response when contacted via another "10"-net device. – user48838 Jun 26 '11 at 02:29
  • Yes, it is the server I am trying to reach. Well, the odd thing is, if I type the IP address 10.0.0.20 I can hit the server locally with no problem at all. – AtomicPorkchop Jun 26 '11 at 02:42
  • Based on your accepted solution, it comes back to my original point of looped traffic from your internal-to-external-internal being stopped/dropped. – user48838 Jun 26 '11 at 10:33
  • @user48838 Definitely - +1. – Shane Madden Jun 26 '11 at 18:07

What address does it resolve to internally?

If it's resolving to the public address, and the mail server is inside your network, then you likely need to change your DNS settings to resolve to the internal address for internal devices.

Shane Madden
  • `mail.campbellsurvey.net` resolves to 10.0.0.20 internally. – AtomicPorkchop Jun 26 '11 at 01:11
  • `mail.campbellsurvey.net` is not a domain internally, only externally. My internal domain is `solignis.local`; the mail server internally is `mx01`. – AtomicPorkchop Jun 26 '11 at 01:24
  • I mean, specifically, what output do you get when you run `nslookup mail.campbellsurvey.net`? From your statements, I'm going to assume that it's the public address since you don't have an internal DNS zone for that domain. As @user48838 stated in their answer, your network equipment is likely only able to connect traffic bound to your public address that comes into your public interface - your internal network devices have no idea that the public address that name resolves to should point to 10.0.0.20. – Shane Madden Jun 26 '11 at 02:10
  • I get a non-authoritative answer from my local DNS server, saying that mail.campbellsurvey.net is reachable at 98.XXX.XXX.157, which is correct. Which means my registrar's DNS was configured right when I set it up. – AtomicPorkchop Jun 26 '11 at 02:18
  • 1
    @Solignis Right. But think about where that address is configured - not on the computer. Likely on your firewall's external interface, with NAT to send it to the internal address. The traffic bound for there from your inside network is going to route out through your firewall, then back down to your firewall from your ISP, and get dropped since it's a loop. You need to have your **internal** devices connect to an address that can be reached **internally**, likely via split DNS. – Shane Madden Jun 26 '11 at 02:23
  • That makes sense. So you are saying it is being dropped because it thinks the traffic is spoofed or something. I will look into split DNS. That is what I had to set up in order for Zimbra to work right. – AtomicPorkchop Jun 26 '11 at 02:44
  • So with split DNS I would just set up a "fake" campbellsurvey.net zone in my DNS, and that would fix my problem from within the network. But the registrar's DNS would still work on the outside? – AtomicPorkchop Jun 26 '11 at 02:57
  • @Solignis Yup - if you set it up on your AD, that'll work just fine; if you set it up on your public-facing bind servers then make sure you configure the splitting. – Shane Madden Jun 26 '11 at 03:13
  • Perfect, that will work nicely. Thanks. On a side note, I think part of the problem is my m0n0wall; now I can't get SMTP to work from external. But that is another topic. – AtomicPorkchop Jun 26 '11 at 03:19
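The fix both answers converge on (user48838's point that the router drops the hairpinned internal-to-public-to-internal traffic, and Shane Madden's "configure the splitting" on the public-facing BIND servers) is never shown as actual configuration in the thread. The following is an added example, not anything posted by the participants: a BIND 9 `named.conf` fragment for NS01 with an `internal` and an `external` view, followed by the internal-only copy of the `campbellsurvey.net` zone, both in one block. Only `mail.campbellsurvey.net`, `10.0.0.20` and the use of OpenDNS as forwarders come from the thread; the `10.0.0.0/8` ACL, the file paths, the slave's address `10.0.0.3`, and the `ns01.solignis.com`/`hostmaster.solignis.com` names are assumptions. The public address stays where the thread leaves it, at the registrar, so the external view carries no `campbellsurvey.net` zone at all.

```conf
// --- /etc/bind/named.conf on NS01 (fragment; paths and addresses are assumptions) ---
// A query from inside the LAN matches the "internal" view and gets 10.0.0.20 for
// mail.campbellsurvey.net, so the client never tries to hairpin through the
// firewall's public address. A query arriving from outside matches "external",
// which has no campbellsurvey.net zone: outside clients keep using the registrar's DNS.

acl "internal-nets" {
    10.0.0.0/8;       // assumed: the site's RFC 1918 range (10.0.0.20 lives in it)
    127.0.0.0/8;
};

options {
    directory "/var/cache/bind";
};

view "internal" {
    match-clients { internal-nets; };
    recursion yes;
    // OpenDNS resolvers; the question says OpenDNS is already set as the forwarders.
    forwarders { 208.67.222.222; 208.67.220.220; };

    // Internal copy of the public zone. Once this view is authoritative for
    // campbellsurvey.net, EVERY public name in the domain (www, MX, ...) must be
    // duplicated here; any record left out stops resolving inside the LAN.
    zone "campbellsurvey.net" {
        type master;
        file "/etc/bind/zones/db.campbellsurvey.net.internal";
        allow-transfer { 10.0.0.3; };   // assumed address of the slave, NS02
    };

    // Every other zone NS01 serves (e.g. solignis.local) must also be moved
    // inside a view: once named.conf defines any view, top-level zones are an error.
};

view "external" {
    match-clients { any; };
    recursion no;                       // never an open resolver on the public side
    // Deliberately no campbellsurvey.net zone here.
    // Public zones NS01 is authoritative for go here, with their existing files.
};

; --- /etc/bind/zones/db.campbellsurvey.net.internal (SOA/NS names are assumptions) ---
$TTL 3600
$ORIGIN campbellsurvey.net.
@       IN  SOA ns01.solignis.com. hostmaster.solignis.com. (
                2011062601  ; serial: bump it on every edit or the slave keeps the old copy
                3600        ; refresh
                900         ; retry
                1209600     ; expire
                300 )       ; negative-cache TTL
        IN  NS  ns01.solignis.com.
        IN  NS  ns02.solignis.com.
        IN  MX  10 mail.campbellsurvey.net.   ; Zimbra resolves its own MX from inside too
mail    IN  A   10.0.0.20                    ; the private (virtual) address from the thread
```

Validate before reloading with `named-checkconf /etc/bind/named.conf` and `named-checkzone campbellsurvey.net /etc/bind/zones/db.campbellsurvey.net.internal`, then `rndc reload`. The check that matters is the one the thread was doing by hand: `dig @<NS01 address> mail.campbellsurvey.net A` from a LAN host must now return `10.0.0.20`, while the same query from outside must still return the public address the registrar publishes. NS02 needs the identical view split; because its transfer request comes from an `internal-nets` address it receives the internal copy of the zone, which is what you want. When a slave's source address alone cannot select the right view, the usual BIND answer is a TSIG key named in `match-clients`.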