Accessing web server behind DNS from the internet

LAazsx

Hi all,

 

Just set up the Windows Server DNS server for the office, and am trying to access the web server in the network from the internet, but I can't get the DNS to route the traffic to the correct server. Instead, the DNS's IIS is responding to all requests. Works fine from inside the network though. Port forwarding isn't an option because we will be adding several web servers soon.

 

Things I've done:

1. Directed dev.mydomain.com and *.dev.mydomain.com to my public static IP.

2. Moved my DNS into and out of the DMZ (both didn't work)

3. Port forwarded 80 to the DNS

4. Directed dev.mydomain.com to the VM via Windows Server DNS

 

I have NAT and Routing features installed. I'm guessing there's a misconfiguration in the DNS or a missing server role.


If you want to reach your web server from the internet you'll need to add a record to your public DNS provider (GoDaddy for example). Usually people use a CNAME like www.yourdomain.com to achieve that.

 

Then on your firewall, you'll need to do a port forward for incoming port 80 and 443 to your web server private IP address. 

 

Or if it's an "intranet" you'll need a VPN for the employees to connect to the web server remotely. 


1 minute ago, Viper9 said:

If you want to reach your web server from the internet you'll need to add a record to your public DNS provider (GoDaddy for example). Usually people use a CNAME like www.yourdomain.com to achieve that.

That's #1

 

1 minute ago, Viper9 said:

Then on your router/firewall, you'll need to do a port forward for incoming port 80 and 443 to your web server private IP address. 

"Port forwarding isn't an option because we will be adding several web servers soon."

 

Thanks though


1 hour ago, LAazsx said:

That's #1

 

"Port forwarding isn't an option because we will be adding several web servers soon."

 

Thanks though

 

This doesn't make sense. 

Are you saying that you have for example a /29 from your internet provider, and you have a public IP address assigned to your webserver? 

If that's the case, then you just need to make sure port 80/443 is open on your firewall. 

 

If you have a single public IP address, then

A) You cannot 'add several web servers soon' if they're all to be publicly reachable. You can only bind a port once on a single interface/IP address. This is where reverse proxies and virtual hosts come into play.

B) You must have a private IP address assigned to the NIC on your webserver, so you must port forward from your public to private to reach it. 

 

Moving your DNS server around will do nothing. It merely translates hostnames into IP addresses. 

I assume you have just an A record set up. You can test from a machine whether DNS is doing its job by doing a simple nslookup. Otherwise the issue is with the configuration of making your web server publicly accessible.

 

Your DNS Server is not a router, do not forward ports to your DNS server. 


I see. I thought that there's a way to route *.dev.mydomain.com to 10.1.1.1 and *.test.mydomain.com to 10.1.1.2.

 

On 1/3/2020 at 2:42 AM, Jarsky said:

 

Your DNS Server is not a router, do not forward ports to your DNS server. 

So I have to look into setting up a router instead. Correct?


3 minutes ago, LAazsx said:

I see. I thought that there's a way to route *.dev.mydomain.com to 10.1.1.1 and *.test.mydomain.com to 10.1.1.2.

 

So I have to look into setting up a router instead. Correct?

You'll need to set up multiple public IP addresses on the WAN interface of your firewall, and then do a port forward on each one for TCP ports 80 and 443.


On 1/2/2020 at 5:51 PM, LAazsx said:

Hi all,

 

Just set up the Windows Server DNS server for the office, and am trying to access the web server in the network from the internet, but I can't get the DNS to route the traffic to the correct server. Instead, the DNS's IIS is responding to all requests. Works fine from inside the network though. Port forwarding isn't an option because we will be adding several web servers soon.

 

Things I've done:

1. Directed dev.mydomain.com and *.dev.mydomain.com to my public static IP.

2. Moved my DNS into and out of the DMZ (both didn't work)

3. Port forwarded 80 to the DNS

4. Directed dev.mydomain.com to the VM via Windows Server DNS

 

I have NAT and Routing features installed. I'm guessing there's a misconfiguration in the DNS or a missing server role.

Just some extra information that I felt was missing :)

DNS servers should be at port 53. Although if you have a domain from GoDaddy they already have name servers for your domain, which renders a DNS server quite useless for just getting a website up and running.

 

The most common way for several web servers behind a public IP is using a reverse proxy, as Jarsky mentioned. You would then port forward ports 80 and 443 to the proxy machine. Then configure the proxy machine to get content from the web servers.

 

Also, when you configure domains from a registrar to your own boxes using CNAME records, while it's simple, it's not the correct way. You should change the A record for example.com, *.example.com and eventually www.example.com; this will avoid problems in the future depending on how complicated the website you are hosting is.

 

And a last tip. NEVER use DMZ host. It's a poor habit that people really should stop. DMZ host is maybe great for troubleshooting but has no use in a production environment.


I think all of the information needed is already here, but when I first started playing with this to set up multiple web servers I had a hard time wrapping my head around it. Once I figured it out and drew it all out, it is actually pretty simple. So here is the basic overview of how it all works the way I set mine up:

 

Set up DNS records on your domain host so sub1.domain.com, sub2.domain.com, etc. go to your public IP.

 

Port forward 80 and 443 to the IP of your Nginx reverse proxy server, so that server sees all the web traffic.

 

You then have a config file on the Nginx server that has something that looks like this:

 

server {
  # Accept plain HTTP on IPv4 and IPv6
  listen 80;
  listen [::]:80;

  # Only requests whose Host header is sub1.domain.com land in this block
  server_name sub1.domain.com;

  location / {
      # Hand the request to the backend on the LAN
      proxy_pass http://192.168.1.11:3000/;
  }
}

 

You'd then have a section of the config like that for every subdomain you are using. In this case it is looking for something that came from sub1.domain.com on port 80, and will redirect it to your local 192.168.1.11 on port 3000. Then you'd set up another config watching for sub2.domain.com and route it to, say, 192.168.1.12 port 443, and so on and so forth.

 

The other benefit to doing this, rather than just adding A records in your Windows DNS, is that you can go to different ports and it's easy to force encryption by setting up Let's Encrypt.

 

The one downside is that setting up the config can be a PITA depending on what you are doing. One of my services had a login page that didn't like Nginx being a middle man and it took a while to figure out I had to add in a proxy_set_header deal, and then on a file server I had to do another line otherwise it would error if I uploaded a file over 1MB or something like that.

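As an added example (not the poster's own config), here is a fuller version of the layout described in this thread: one default_server block that refuses requests for any Host that matches no server_name (so an unknown hostname is not quietly answered by whichever site happens to be first, which is the symptom the original post describes with IIS), one subdomain forced to HTTPS with the proxy_set_header lines that fix backend login/redirect problems, and a second subdomain with the upload-size limit raised. The names sub1/sub2.domain.com, the backends 192.168.1.11:3000 and 192.168.1.12:443 and the certbot certificate paths are assumed.

```nginx
# Catch-all: a Host header that matches no server_name below is dropped
# (444 closes the connection) instead of being served by the first vhost.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# sub1: plain HTTP is redirected to HTTPS, HTTPS is proxied to the app.
server {
    listen 80;
    listen [::]:80;
    server_name sub1.domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name sub1.domain.com;
    # Certificate paths as certbot lays them out (assumed).
    ssl_certificate     /etc/letsencrypt/live/sub1.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub1.domain.com/privkey.pem;
    location / {
        proxy_pass http://192.168.1.11:3000/;
        # Pass the original host, client address and scheme through so the
        # backend's login and redirect logic sees the real request.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# sub2: a file-server backend that must accept uploads above nginx's 1m default.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name sub2.domain.com;
    ssl_certificate     /etc/letsencrypt/live/sub2.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub2.domain.com/privkey.pem;
    client_max_body_size 100m;   # raise the default 1m request body limit
    location / {
        proxy_pass https://192.168.1.12:443/;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Run `nginx -t` after editing to check the syntax before reloading; note that on port 443 nginx still needs some block marked default_server (with a certificate) if you want unknown hostnames refused there too.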
