Another DNS Thread - Internal and External IP

[Mo_Hong]

Hi All,
I have to say that we have tried everything we found on the different threads here at the forums, we tried th DNS in a Nutshell and the Split DNS in the WIKI, as I told before we have tried almost everything. Here is the situation, we need to configure a zimbra server with two network interfaces, one with a private IP and the other with a public IP. We have already configure the internal DNS to resolve for the private IP, and for the public IP we have no-ip resolving the host and the mx. We still cannot receive mail from outside domains, we can send, internal mail can be received but external mail from any domains we tried (gmail, yahoo, hotmail). Please any clues, any extra information regarding how to configure. We will really appreciate this.

Regards....

[scottnelson]

Before I get into your question, why would you need to multihome this box?
Do you really need to do this or maybe a different solution can be done if you give us more info?
Are you trying to setup a DMZ or something?

Just asking before getting into this is why I bring it up is all. ;-)
There may be other solutions that don't require DNS trickery.

Scotty

[Mo_Hong]

Hi Scotty,
well, this is a requierement we have from a client. We have our own server configured with the external IP and it works just fine. This client want to configure the external so the users when they are outside the office get to the mail in the DMZ he has setup, and through the internal when the users are in the office, because he thinks that the access to the client will be faster, I think it can be a little faster but not that much. I agree with you about the multihome, we don't find it very practical, but can it be done??

Regards,

Mo

Again thx in advance

[scottnelson]

The reason I asked is becuase by letting users access by a "back-door" onto the local LAN, which is what they are appreantly asking for, they are defeating the entire perpose of the DMZ, which is to protect the internal network in case of a server breach.
Why have a DMZ at all if they are going to dual home and give some direct access to the local LAN segment? Right?

Unless you have a really slow DMZ segment, I am not sure that a speed gain would be anything less than negligible at best.

If you still want to do this ( shrug ), your internal DNS ( separate server completely than the external DNS ) shouldn't have any MX records, as the internal clients don't use it anyway.
The server should be pointed at the external DNS(s) with the public DNS zone info.
So, your internal zone will only have an "A" record ( for inside IP Address ) for the server and the external will have the "MX" and "A" ( using Outside/public ) IP Address.
Of course, this will break other things like SSL and internal spam filtering stuff so, you will have to tweak a lot of things going this route and also repeat these tweaks every time you do an upgrade so be sure to keep good records of what you did as you do them.

Personally, I would do some testing and get an idea if speed is actually an issue or not before I headed down this road.
I'm just sayin' ...... ;-)

If you really still want to do this, post your both your internal and external zonefile info ( I would recommend you hide the first 3 octets of your public IP Addresses in your external zonefile for security reasons if you do post your zonefile here ) so we can verify all is well with the DNS stuff anyway.

Hope this helps.

Scotty

[Mo_Hong]

Well, I'll give it a try and post the files as soon as I do the testing.

Regards,
Mo