configuring DNS for many servers, 1x static IP - please help
This isn't specifically a Linux question - more a general networking one, but I couldn't find anywhere else to put it, so please bear with me.
My network runs 2x servers & 30x workstations, behind a standard ADSL router with a single, static public IP. We've never really had much to do with offering our internal services online, although our mail is stored internally through a mail.ourdomain.com Linux box. Because this has been the only publicly available service, our domain registrar's DNS A record just refers the FQDN to our public IP. So far, easy peasey japanesey.
Now, I've been asked to build an additional service internally (a meeting rooms booking system), and to put it online. I'm not sure how to get the DNS redirects correctly set up to have these two services running online together.
Our domain registrar manages our subdomain redirects (for example, requests to www.mydomain and shop.mydomain, which are both externally hosted). I contacted our registrar to add an additional A record for bookings.mydomain.com, redirecting it to xx.yy.my.ip. But once it was in place, requests for bookings.mydomain.com were just being forwarded straight to mail.mydomain.com. Why is this?
Given that we only have the one static IP (I enquired about getting additional static IPs, but that meant installing extra phone lines...), how can both redirects go to the right places? I would especially like to know as management want even more services to go public over the coming year.
Our mail.domain webmail runs off ports 443/99/25 on its own server, and the bookings thing off another box's port 80 (although I'll change this to a custom port once SSL is in).
Our internal DNS server (an OS X Server) just has A records pointing FQDNs to internal IPs, with automatic reverse zones. I haven't looked into other kinds of records (such as CNAME); maybe I need to? Or perhaps this problem relates solely to our external DNS? For example, I haven't contacted our ISP to make any DNS changes (and I had to when we set the mail server up); only the domain registrar's DNS has been changed.
Is it possible to get these two http requests online without needing more lines to the building?
Must I install a dedicated firewall box to handle all requests?
Oh, and obviously, the last thing we want is to have our outgoing mail suddenly getting marked as junk because our mail server's DNS transparency (i.e. MX record resolution, etc.) has changed.
Thanks in advance,
Where to start... let me make a few points, as this isn't just a simple DNS question.
- Public-facing services (web, DNS, mail...) should be hosted in a DMZ or a colo datacenter, not on your internal network.
- You can overload your single static IP address with multiple services, but you may need a decent firewall depending on the quantity (you may need to load balance/reverse proxy).
- The redirect for bookings.mydomain.com was probably done as a CNAME instead of an A record, but no matter which, you still only have 1 IP address for the traffic to get sent to, so you need the firewall/router to forward it to the correct server. You can have your www.mydomain.com server perform the redirect to bookings, or you can use mod_proxy to make it look like all traffic is coming from the www.mydomain.com server.
- Your outbound mail won't get marked as junk because of an MX record change.
Forward port 80 on your router to the correct LAN IP. Even the cheapest residential-grade routers allow you to do that through their web interface.
and if I may say
To add to what has already been said:
This is NOT really a DNS issue; this is a firewall/routing issue. You need to have your gateway (router or firewall) forward the traffic to the correct servers. Since your mail server does NOT need port 80 traffic (or 8080 or 8443), you can forward and convert ports without affecting your mail server in any way. (Though the additional traffic WILL change your throughput and usage profiles: possibly significantly.)
While the best you are going to be able to do without purchasing better connectivity and/or equipment will not be optimal, you should be able to craft a fully functional solution. When (if ever) they are ready to throw some money at this, you want a secure, easily managed firewall device such as one from ASTARO, and a secure DMZ to reduce your exposure. You MAY need more bandwidth, but if you do not have adequate bandwidth then your firewall should have some QoS support to ensure that web or scheduler traffic does not shut your email down. (ASTARO has what you need, but is an annual licensing expense in addition to the initial hardware cost. Best answer IMHO, but can be a hard sell if your manager is not IT or security trained.)
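Both replies above come down to the same mechanism, so here is one added example (written for this edit, not code posted in the thread) that shows why bookings.mydomain.com ended up at the mail box and how a reverse proxy separates the two. The registrar's A record and a CNAME both resolve to the one public IP, and the router forwards port 80 to a single LAN address without looking any further; at that point the only thing that still distinguishes the two names is the HTTP Host header. The script below listens on the port the router forwards and sends each request to the internal server named in that header, refusing names it has no route for instead of silently handing them to a default box. The hostnames are taken from the thread; the internal addresses 192.168.1.10 and 192.168.1.20 and the listening port 8080 are assumptions for the example. For HTTPS the same split is done on the TLS SNI name, or by terminating TLS at the proxy; SMTP on port 25 carries no hostname at all, so it stays a plain per-port forward to the mail server.

```python
"""Added example (not from the thread): one listening port split by Host header.

The router forwards one public port to the box running this script; the
script then relays each request to the internal server named in the HTTP
Host header. Internal addresses below are constructed for the example.
"""
import http.client
import http.server
import sys

# Constructed routing table: hostname -> (internal IP, port). These addresses
# are assumptions for the example, not the original poster's network.
ROUTES = {
    "mail.mydomain.com": ("192.168.1.10", 80),      # webmail box (plain HTTP here)
    "bookings.mydomain.com": ("192.168.1.20", 80),  # bookings box
}


def choose_backend(host_header, routes=ROUTES):
    """Return (ip, port) for a Host header value, or None if nothing matches.

    Host is compared case-insensitively and without any ":port" suffix.
    An unknown name yields None so the caller can refuse the request
    instead of falling through to one default server, which is the
    behaviour the question describes.
    """
    if not host_header:
        return None
    name = host_header.strip().lower()
    if name.startswith("["):               # IPv6 literal such as "[::1]:8080"
        name = name.split("]", 1)[0] + "]"
    elif ":" in name:                      # "bookings.mydomain.com:8080"
        name = name.split(":", 1)[0]
    return routes.get(name.rstrip("."))


class HostRouter(http.server.BaseHTTPRequestHandler):
    """Relay each request to the backend chosen from its Host header."""

    protocol_version = "HTTP/1.1"

    def _proxy(self):
        backend = choose_backend(self.headers.get("Host"))
        if backend is None:
            self.send_error(421, "Misdirected Request")   # no route for this name
            return
        ip, port = backend
        # Chunked request bodies are not handled in this example; Content-Length only.
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        conn = http.client.HTTPConnection(ip, port, timeout=10)
        try:
            # Host is passed through unchanged so the backend's own vhosts still work.
            conn.request(self.command, self.path, body=body, headers=dict(self.headers))
            resp = conn.getresponse()
            data = resp.read()
            self.send_response(resp.status, resp.reason)
            for key, value in resp.getheaders():
                if key.lower() not in ("transfer-encoding", "connection", "content-length"):
                    self.send_header(key, value)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        except OSError as exc:
            self.send_error(502, "Bad Gateway: %s" % exc)
        finally:
            conn.close()

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _proxy


def serve(listen_port=8080):
    """Listen on every interface; the router forwards its public port here."""
    with http.server.ThreadingHTTPServer(("0.0.0.0", listen_port), HostRouter) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 8080)
```

Run it on one internal machine (`python3 hostrouter.py 8080`), forward the router's public port 80 to that machine's port 8080, and both names then reach their own server through the single IP; a third A record for a future service needs only a new ROUTES entry, not another line into the building.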