# DNS server and routing



## Deleted member 39223 (Jul 13, 2013)

Hi friends, 

I have two FreeBSD servers: Server 1 is DNS. Server 2 is Apache. 

I have a public sub-domain as I have pointed to my public IP address (A record) and made NAT from ZyXEL NBG4615 router on port 53 and 80 to server 1*.* I have created a zone file on server 1, and when I do nslookup I get the local IP address of the server 2 return. 

I've tried to do NAT on port 80 directly into the server 2*.* It works without problems. And when I from a PC on the network, manually place the server 2 as DNS and do nslookup again so I can see the call server 1 returns Server 2's IP address. 

When I type the sub-domain name I am sent to my public IP address. Then I hit server 1*.* And then it has to send me to server 2 (because it is in the zone file). But it does not. I turned off all firewall's from, but without success. 

What remains for me to do, or what have I done wrong?


----------



## ShelLuser (Jul 13, 2013)

I'm having a hard time getting my fingers behind your situation and understanding the problem, but let's see how far we can get.



			
				jacobsj said:
			
		

> I have two FreeBSD servers: Server 1 is DNS. Server 2 is Apache.
> 
> I have a public sub-domain as I have pointed to my public IP address (A record) and made NAT from ZyXEL NBG4615 router on port 53 and 80 to server 1*.*


If server 2 runs Apache, then why do you forward port 80 to server *1* instead? Wouldn't it make more sense to forward port 80 to the server which runs the Apache webserver?

Also: what exactly do you mean with a public sub-domain? It appears as if you claim the (sub)domain is public because you used NAT to allow outside access to your servers. But just providing access to your DNS server is not enough to make a domain publically available.

That is; it would become available to everyone who uses your DNS server. But for the rest of the world the domain wouldn't exist or, if someone else had registered it, it wouldn't point to your setup.

Just to try and keep things clear here. If you registered a domain with some domain merchant, then pointed all the records to your servers, then yes; this would be a public domain.



			
				jacobsj said:
			
		

> I have created a zone file on server 1, and when I do nslookup I get the local IP address of the server 2 return.


Assuming that we're talking about a public (so registered, see above) domain then this would be a bad thing(tm).

If the local IP address sits somewhere in the so called private range block then no one on the Internet would be able to access them. With private range I'm referring to these IP address ranges:


```
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
```



			
				jacobsj said:
			
		

> When I type the sub-domain name I am sent to my public IP address. Then I hit server 1*.* And then it has to send me to server 2 (because it is in the zone file). But it does not. I turned off all firewall's from, but without success.


I fail to understand how the public IP address all of a sudden came into play, but I get the impression that English isn't your native language so I'm also trying to compensate a bit for things which I may have missed (or simply didn't understand at all).

But in the end it boils down to this I think: People from the outside end up on server 1 when doing an HTTP request on your subdomain which provides them with your public IP address. Because of the port forwarding you described earlier they end up on server 1, yet you now expect them to get forwarded to server 2.

Unless you set up some proxying services or other fail-safe mechanics that is obviously not going to happen. It doesn't quite matter what you put in your zonefiles. If someone requests a page from webserver 1 then the best thing that server can do is either redirect the client somewhere else (which will make the client itself connect to a different server) or act as a proxy of some sort.

In the case of a proxy the client remains connected to the main server, and the server will then contact another server on behalf of the client. In a way such a setup is comparable to port forwarding: whenever someone connects to your subdomain they end up contacting your ZyXEL router. The router then picks that up, forwards the request to server 1 which then processes the request and sends all the stuff back to the ZyXEL which then sends it back to the original client.

And in your case it's of course impossible to redirect a client directly to server 2 because not only does it use a private IP address (or so I understand); from the clients perspective he's only connecting to 1 server and that's your public IP address which is handled by your ZyXEL.

I hope this can help you get some better understanding.


----------



## Deleted member 39223 (Jul 14, 2013)

ShelLuser said:
			
		

> I'm having a hard time getting my fingers behind your situation and understanding the problem, but let's see how far we can get.
> 
> 
> If server 2 runs Apache, then why do you forward port 80 to server *1* instead? Wouldn't it make more sense to forward port 80 to the server which runs the Apache webserver?



I have only one public IP address. But I need to have a minimum of two web servers. I think that if I make my own (local) DNS server, so I can solve my problem. When a request of a domain name, then server 1 using zone files, make sure to redirect the user to the correct server 2 (or 3 or 4 etc).



			
				ShelLuser said:
			
		

> Also: what exactly do you mean with a public sub-domain? It appears as if you claim the (sub)domain is public because you used NAT to allow outside access to your servers. But just providing access to your DNS server is not enough to make a domain publicly available.
> 
> That is; it would become available to everyone who uses your DNS server. But for the rest of the world the domain wouldn't exist or, if someone else had registered it, it wouldn't point to your setup.
> 
> ...



With public domain/subdomain, I mean only that it is a domain name as found on the Internet - not a "test.local"-domain 




			
				ShelLuser said:
			
		

> But in the end it boils down to this I think: People from the outside end up on server 1 when doing an HTTP request on your subdomain which provides them with your public IP address. Because of the port forwarding you described earlier they end up on server 1, yet you now expect them to get forwarded to server 2.



Yes, exactly! 

As I understand it, do I need proxy on server 1. Zone files on server 1, refers to server 2's local IP address (192.168.xx). It makes a lot of sense that it will not work.

Can you recommend any proxy software?


----------



## ShelLuser (Jul 14, 2013)

jacobsj said:
			
		

> I have only one public IP address. But I need to have a minimum of two web servers. I think that if I make my own (local) DNS server, so I can solve my problem. When a request of a domain name, then server 1 using zone files, make sure to redirect the user to the correct server 2 (or 3 or 4 etc).


I can somewhat follow your line of thinking, but unfortunately this is not going work. Because you see; a webserver will only provide local contents to a remote client. If your website references other sites (on other servers) then it's not the webserver itself but always the clients browser which will retrieve those contents.

So to get a client to use a different server you'd either need to redirect him to that server, or use some form of proxying. However, using a proxy also means that the client continues to use the first server. If you want to use two webservers for load balancing or something similar then this is obviously not a solution. 



			
				jacobsj said:
			
		

> As I understand it, do I need proxy on server 1. Zone files on server 1, refers to server 2's local IP address (192.168.xx). It makes a lot of sense that it will not work.
> 
> Can you recommend any proxy software?


I may have a better solution for you.

While you may have only 1 public IP address you still have several ports available. I'm not sure what you're trying to accomplish, but if you need people to be able and access both of your webservers then why not use two ports?

Configure your ZyXEL to forward port 80 to server1 and port 81 to server2.

Now, when a client contacts your first server and you need to redirect him to server 2 you could now simply redirect him to the same domain (so the same IP address) but this time using a different port number.

For example, say your domain is mydomain.com; on a website running on server1 you could then use a redirection to http://mydomain.com:81/ which would then effectively tell a client to re-connect after which he gets forwarded to server 2.

Maybe that could help you out?

As to your question about a proxy server: that's the cool thing about Apache; it's already on board. You'll want the mod_proxy module, but you may need to recompile Apache because this module isn't enabled by default.

Here is a webpage which explains some of the things you can do with mod_proxy.

Hope this helps!


----------

