Site is not reachable via DNSFilter
Hello. We have recently installed a new server and have put it out to the internet for the basis of free wifi for clients. This has a DNS record set up on our external DNS registrar and has been set up for a while. I can get to this site from any outside source (such as our main office). This is connected to our client's internal network by means of our firewall and a NAT rule.
However, internal to the network, it does not resolve at all. I believe it is DNSFilter somehow not updating the DNS Records because I can use nslookup to find the site using Google DNS (8.8.8.8) and it will resolve.
DHCP sends out the DC's IP for DNS, and the DC has the forwarders to DNSFilter. Only our portable computers have the DNSFilter Roaming Client.
Is there a way to check this?
Thank you!
Pete
-
Hi Pedro Gaytan, thanks for reaching out! It sounds like your setup is running into a common issue when a domain is both externally hosted and used internally—this can cause DNS resolution problems if DNSFilter is handling queries meant for your internal network.
To address this:
1. In the DNSFilter dashboard, go to Deployments → Local Domains and add the domain you’re trying to resolve internally.
2. Under that same Local Domains entry, add your internal DNS resolver (your DC’s IP) in the Resolvers section.
3. Confirm your DHCP is handing out the DC's IP to clients (it sounds like you've already done this, which is good).
This tells DNSFilter to bypass external resolution for your internal domain and forward those queries directly back to your DC. Here's a detailed guide for setting up Local Domains and Resolvers, as well as a short troubleshooting article if you run into any issues.
If this doesn't help, reply to this thread and work on some next steps!
-
Hi Minetta. Thank you for your response.
I did try this out, and it did not work.
I notice that the "Local Domains" portion of the DNSFilter interface relates to the queries sent by the DNSFilter Roaming Client. I am accessing via a non-portable computer which does not have the roaming client. Instead, it directs DNS entries to the DC, and the DC has DNSFilter IP addresses as its DNS forwarders.
The address I am accessing is able to be hit from the outside of the network as it is in our DNS registrar. However, internally, I cannot hit that external address to route back in.
Thanks!
Pete
-
We have ourselves a tricky one here, Pedro Gaytan, but we're here to help! Our Support team would like to help address the issue, but need to know a few more details in order to provide the best advice.
I'm going to start a ticket from this post—you should receive a notification shortly! Please reply in that ticket addressing these questions:
- Is the access issue on free/public Wi-Fi?
- Can you explain what you mean by a new server? What does it host?
- Is the server a web server/IIS site hosting your own website?
- Does the site you're attempting to access have the same domain suffix as the AD environment?
- Have you already tried adding the internal A record of the resource to the DC?
-
Hi Minetta.
I can give you the answers.
1: This is on the internal networks, not a free or public Wifi Connection.
2: The server we installed hosts a Free Wifi Landing Page which will then be used to send guests to the internet after signing in. I don't want to give private info here, but as an example: the DNS name is freewifilanding.domain.com. This is a server internally at 10.10.10.5. We have our DNS registrar via GoDaddy, and the freewifilanding.domain.com site points to a public IP we have, which is then NATted internally.
3: It is a web server, and it is running Linux.
4: I believe so.
5: Yes, for one of the ones I was trying to use, not the public one in public DNS.
I can give more detailed information in the internal ticket. I just did not want private info here on the forums.
Thanks!
Pete
-
Minetta,
I learned something new about DNS today! Turns out, the domain that we use was also in the internal DNS on the server, as found on the DNS application in the DC. This was causing the devices internally to reach out to the DC and resolve the domain internally rather than going to the internet.
If we did not have the domain internally like that, it would have worked as expected.
----
For anyone else who stumbles on this:
If your domain name via your DNS registrar on the internet is domain.com, and you have “domain.com” as a lookup zone in the DNS application on your DC, your devices will look to the DC to resolve the request. If it does not find it, it will refuse to resolve. In this case, add an A record to the internal DNS pointing to the server you need.
From what I learned, it is recommended to not have your internet domain on your DC, and you should only have domain.local as the lookup zone.
----
I appreciate you and Trent for reaching out and helping with this.
Thanks!
-
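The summary above describes a public domain that is also hosted as a zone on the DC: the DC is then authoritative for every name under it, never forwards those queries to DNSFilter or anywhere else, and answers NXDOMAIN for any host it does not have a record for. The script below is an added example (not from this thread or from DNSFilter) that checks for exactly that condition on a Windows DNS server and, if asked, adds the missing A record. It uses Microsoft's DnsServer module cmdlets (`Get-DnsServerZone`, `Get-DnsServerResourceRecord`, `Add-DnsServerResourceRecordA`) and `Resolve-DnsName` from the DnsClient module; the function name `Test-ShadowedPublicName` and its parameters are my own, and the domain, host name and addresses are the placeholders Pete used in the thread.

```powershell
# Added example, not the thread's or DNSFilter's own code.
# Checks whether a public host name is "shadowed" by a same-named zone on the DC
# and optionally adds the missing internal A record.
# Needs the DnsServer module (run on the DC, or with RSAT and -DnsServer <dc>).
function Test-ShadowedPublicName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Zone,                        # e.g. 'domain.com'
        [Parameter(Mandatory)] [string]   $HostName,                    # e.g. 'freewifilanding'
        [string]   $DnsServer       = 'localhost',                      # the DC hosting the zone
        [string]   $PublicResolver  = '8.8.8.8',                        # outside view of the name
        [string]   $InternalAddress,                                    # e.g. '10.10.10.5'; add record if given
        [TimeSpan] $TimeToLive      = '01:00:00'
    )

    $fqdn = "$HostName.$Zone"

    # 1. Outside view: what does a public resolver return for the name?
    $public = Resolve-DnsName -Name $fqdn -Type A -Server $PublicResolver -ErrorAction SilentlyContinue |
              Where-Object { $_.QueryType -eq 'A' }
    if ($public) { Write-Host "Public answer for ${fqdn}: $($public.IPAddress -join ', ')" }
    else         { Write-Host "No public A answer for $fqdn from $PublicResolver" }

    # 2. Does the DC host a zone named after the public domain? If so, the DC is
    #    authoritative and will not forward queries for names under it, so a
    #    host that is missing from the zone gets NXDOMAIN instead of the public answer.
    $zoneObj = Get-DnsServerZone -Name $Zone -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if (-not $zoneObj) {
        Write-Host "Zone '$Zone' is not hosted on $DnsServer; queries for $fqdn are forwarded normally."
        return
    }
    Write-Host "Zone '$Zone' is hosted on $DnsServer (type: $($zoneObj.ZoneType)); names under it are NOT forwarded."

    # 3. Is the specific host present in that zone?
    $record = Get-DnsServerResourceRecord -ZoneName $Zone -Name $HostName -RRType A `
                  -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if ($record) {
        Write-Host "Internal A record exists: $fqdn -> $($record.RecordData.IPv4Address -join ', ')"
        return
    }
    Write-Warning "$fqdn has no A record in zone '$Zone'; internal clients will get NXDOMAIN."

    # 4. Optionally add the record, pointing at the server's internal address
    #    (not the public NAT address, which would depend on hairpin NAT at the firewall).
    if ($InternalAddress) {
        if ($PSCmdlet.ShouldProcess("$fqdn -> $InternalAddress on $DnsServer", 'Add A record')) {
            Add-DnsServerResourceRecordA -ZoneName $Zone -Name $HostName -IPv4Address $InternalAddress `
                -TimeToLive $TimeToLive -ComputerName $DnsServer
            Write-Host "Added $fqdn -> $InternalAddress"
        }
    }
}

# Usage with the thread's placeholder values; -WhatIf reports the change without making it.
Test-ShadowedPublicName -Zone 'domain.com' -HostName 'freewifilanding' -InternalAddress '10.10.10.5' -WhatIf
```

Run it first with `-WhatIf` to see the diagnosis without changing anything, then without it to create the record. Each public host that also needs to work from inside needs its own record in the shadowed zone, which is the maintenance burden behind the advice to keep the internet domain off the DC and use a separate internal zone such as domain.local.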
Hey hey, glad you got it fixed! And thank you for providing a summary of the solution—that's normally my job 😉 Please reach out if anything else comes up; we're happy to help!