Nate Silva

Mar 21 2007

How to configure a SonicWALL so you don’t have to use split DNS

Here’s a problem I see sometimes: you’ve got a small LAN and a NAT firewall. Let’s say your web server is www.company.com with an IP address of 192.168.0.5. Via NAT it also has an external address of 3.3.2.5.

You want the PCs on your LAN to be able to see www.company.com. When they resolve the name using DNS they get the external address 3.3.2.5. Unfortunately your firewall doesn’t let them access that address or any address in the DMZ. They can only get to the web server using its internal address of 192.168.0.5.

What many admins do in this situation is to set up “split DNS”. That is, they set up an additional DNS server just for the LAN clients. This server gives out the internal IP addresses instead of external ones. This setup sucks because it means you have to keep track of names and addresses in two places. If anything changes you have to update your real (public) DNS and the internal DNS server. If you add a host name to one but not the other, some clients won’t be able to connect.

Another option is to use WAN port loopback. Most firewalls support this, but I’ll give instructions for SonicWALL, since that’s what I’m familiar with. SonicWALL calls this feature “DNS NAT Loopback”.

Using SonicWALL SonicOS 3.x:

  • Create a new NAT policy with the following parameters:
    • Original Source: LAN Subnets
    • Translated Source: WAN Primary IP
    • Original Destination: (the server’s external IP address)
    • Translated Destination: (the server’s real/internal IP address)
    • Original Service: Any
    • Translated Service: Original
    • Inbound Interface: Any
    • Outbound Interface: Original
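As an added illustration (this is not SonicWALL code or part of the original post), here is a small Python model of what that NAT policy does to a connection from a LAN client to www.company.com and to the server’s reply. The addresses 192.168.0.5 and 3.3.2.5 come from the post; the WAN Primary IP (3.3.2.1) and the client address (192.168.0.20) are assumed placeholders, and ports are left out to keep the model short.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Addresses from the post, plus two assumptions: the WAN Primary IP and a
# LAN client address (the post states neither; both are constructed here).
LAN_SUBNETS = ip_network("192.168.0.0/24")
WAN_PRIMARY_IP = ip_address("3.3.2.1")
WEB_EXTERNAL_IP = ip_address("3.3.2.5")
WEB_INTERNAL_IP = ip_address("192.168.0.5")
LAN_CLIENT_IP = ip_address("192.168.0.20")


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address


@dataclass
class LoopbackNat:
    """Model of the policy above: Original Source = LAN Subnets, Translated
    Source = WAN Primary IP, Original/Translated Destination = ext/int IP."""
    orig_src: IPv4Network
    translated_src: IPv4Address
    orig_dst: IPv4Address
    translated_dst: IPv4Address
    # Active translations keyed by the rewritten flow (a real box also keys
    # on ports; this toy model tracks one client at a time).
    table: dict = field(default_factory=dict)

    def outbound(self, flow: Flow) -> Flow:
        """LAN client -> external IP: rewrite both ends; anything else passes."""
        if flow.src not in self.orig_src or flow.dst != self.orig_dst:
            return flow
        rewritten = Flow(self.translated_src, self.translated_dst)
        self.table[rewritten] = flow
        return rewritten

    def reply(self, flow: Flow) -> Flow:
        """Server -> WAN Primary IP: undo the translation so the client sees
        the answer come from 3.3.2.5, the address it connected to. Rewriting
        the source is what forces the reply back through the firewall; with
        Translated Source left as Original the server would answer the client
        directly on the LAN from 192.168.0.5 and the connection would fail."""
        original = self.table.get(Flow(flow.dst, flow.src))
        return flow if original is None else Flow(original.dst, original.src)


def demo() -> tuple:
    """Return (flow as the server sees it, reply as the client sees it)."""
    nat = LoopbackNat(LAN_SUBNETS, WAN_PRIMARY_IP, WEB_EXTERNAL_IP, WEB_INTERNAL_IP)
    outbound = nat.outbound(Flow(LAN_CLIENT_IP, WEB_EXTERNAL_IP))
    inbound = nat.reply(Flow(WEB_INTERNAL_IP, WAN_PRIMARY_IP))
    return outbound, inbound
```

A client that uses www.company.local and connects straight to 192.168.0.5 never matches the policy, so that traffic is left untouched and stays on the LAN.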

If you do this, you should use a different domain name for your internal network. Many companies already do this: using a .local domain name seems to be common with Active Directory. Clients can resolve www.company.local to get the web server’s internal IP address. If they resolve www.company.com, they’ll get the external address.

For clients that are always on the internal network (anything not a laptop), you’d point them to www.company.local for the web site, mail.company.local for mail, and so on. That way they don’t have all their traffic to company servers routed out and back in through the firewall.

For laptops you’d point them to www.company.com for the web site and mail.company.com for the e-mail server and so on. They are location-independent and don’t have to change their configuration depending on whether they are in the office or on the road.

So if you have to maintain a DNS zone for the internal network (.local or whatever), why not go ahead and do split DNS? My answer is that split DNS requires you to maintain another DNS zone, one that can get out-of-sync easily. The zone for your internal network is probably updated automatically with Active Directory or dynamic DNS. The extra zone you would add for split DNS has to be maintained manually. And the extra zone would need a copy of all of your company.com DNS records — with IP addresses modified as appropriate.

Finally, you may be worried about the amount of traffic that is looping back through your firewall. Will this slow it down? Think about which IP addresses need to be looped back. They are the external IP addresses of servers which are available from the Internet. For most small companies this means the e-mail server. Maybe the web server (if it’s not hosted offsite). Everything else (your file server, Windows domain controllers, and so on) doesn’t have an external IP address. That traffic stays on your LAN and never gets looped back. So for a typical small company the additional traffic is minimal.

More information: SonicWALL Tech Note: Configuring DNS NAT Loopback