Solved How to see an external website from inside our corporate network

---

I have tired to find a way to do this and failed, so I thought I'd ask if you have a solution.

Our public website is hosted by a company that hosts many sites on the same server/IP. As I understand it, they distinguish between sites by looking at the URL you send. So, if I'm anywhere but inside of my corporate network, I can type http://www.mydomain.com to see my web page. The browser providers are now treating WWW as a trivial sub-domain and stripping it off of the start of a website URL, The problem it creates is, if I'm inside of my corporate network, www.mydomain.com gets changed by the browser to mydomain.com which resolves to my domain controller. I see no way to distinguish between someone wanting to get to my domain controller and the outside website. When they didn't elide the trivial sub-domain, a record in my DNS zone for WWW would send users to the outside website. I should mention that I have an IIS server on my domain controller. It supports maintenance of a 3rd party application.

Any suggestions?

@Kevin-Davis ,

This is a common issue when the public facing name is the same as your internal AD domain. The best solution is to always use subdomains for internal namespace. For example, www.itpro.tv would be our public facing namespace. This is being hosted by third-party public dns servers, so from the outside, www.itpro.tv resolves to our public facing web servers. Internally, our AD domain is corp.itpro.tv. This namespace is being hosted by internal DNS servers. That way, there is no conflict over who the authoritative DNS server for itpro.tv is.

In your case, everything works from the outside, using public DNS servers. But from the inside, your DNS server thinks it's authoritative for the mydomain.com namespace, and is resolving the name itself, instead of forwarding to the parent, public DNS server.

So ideally, you should rename your internal domain to a subdomain of mydomain.com. Something like corp.mydomain.com. If you cannot, or don't want to do this, you will need to make sure your internal DNS server is in sync with the public DNS server by manually creating the A record for www.mydomain.com on your internal DNS server to match the A record for www.mydomain.com on the public DNS server.

So if they have an A record www.mydomain.com 12.1.2.34, you would create the same record on your internal DNS servers. That way when you are inside the corp network, www.mydomain.com should resolve to the same IP address as when you are outside.

Let me know if this makes sense, and more importantly, if it works!

Forgive me, but I'm a bit confused. The problem is with the web browser. It drops the www from the start of the domain name before it tries to resolve it. So, it wouldn't it still resolve to my internal mydomain.com? Or are you suggesting that we host not mydomain.com only corp.mydomain.com?

In you second suggestion, you speak of adding a record to our DNS server. I do have a www.mydomain.com record in my system. And, if I ping www.mydomain.com it properly resolves to the outside server. The problem is caused by the browser folks 'helping' us by removing the www.

@Kevin-Davis ,

I believe you are referring to Chrome's decision to hide trivial url components in the address bar (who thought that was a good idea ‍️). I'm pretty sure this does not affect the actual DNS query. If you click in the address bar to edit, you will see the entire URL is displayed, including the http(s) and www. I am launching Wireshark now to verify.

@Kevin-Davis ,

The removal of trivial domains is only for the display field in the Chrome browser.

Here is what it looks like after visiting the URL www.bing.com

Here is what it looks like once you click in the address bar.

Here are the Wireshark packet capture results, where yo can see the query being sent, including the www

So I don't think your problem is the browser, rather it is with the name resolution process.

@Kevin-Davis ,

Can you run a packet capture so we can see what is happening?

I have wireshark but don't know a lot about running it. I'll give it a try. When I ping www.mydomain.com it gets the external address and pings that as I expect it should. When I try to go there with the browser, I get the server on my domain controller. Strange behavior.

@Kevin-Davis ,

Make sure you flush the DNS cache on your local machine ipconfig /flushdns as well as the cache on your DNS server dnscmd.exe /clearcache

Ping only uses DNS to resolve names, Windows uses many sources, like host files, cache, NetBIOS, and LLMNR. This can lead to inconsistent results between say, ping and the browser.

@Kevin-Davis ,

What happens if you type in the external IP address in the browser address bar?

Typing the IP into the browser won't work. The provider has many different sites on the same IP. They parse the requested URL to know which site to return.

I've been poking about in Wireshark and may now have a clue. I found a get request to the external site. When I look at what is returned, there is a line that says: 'Location: http://mydomain.com/'

Therein may be the problem. The site is internally using the domain without the www!

So, if I'm reading this correctly, the site is being contacted up front but because of its reply, followup requests are going to the wrong name.

I'll have to see if that can be fixed.

@Kevin-Davis ,

Good catch! You've got to love Wireshark!

Sound like you are on to something, let me know what happens!

I'm definitely not the web guy, but I stumbled across this, maybe it's related

You can automatically remove the www prefix from your domain's URLs by using Apache rewrite rules in a custom .htaccess file

Thanks Mike. I think I understand what's happening with DNS now. I don';t want to do the work to implement your solution unless I have to. I do have a call into our web guru. I captured one of the pages and ALL of the links and references start with http://mydomain.com. Nothing internal to the pages use the www prefix. I think THAT is the major issue and should be easily fixed. I'll know more after our discussion.

I do thank you for your help. At least I better understand what our DNS system is doing and I believe that its pointed me in the right direction.

On another note, I think you're the best presenter at ITPro.tv. I appreciate your videos.

Regards,
Kevin

@Kevin-Davis ,

Yeah, I wouldn't wish renaming a domain on anyone! Definitely a last resort. But good info if you ever get the joy of starting from scratch.

Thanks for the kind words, keep watching ITProTV! We are happy to have you as a member!

Stay safe