Using a Split DNS to Support Small Business Remote Access Connections

Historically, this was only a dream for small businesses. However, the easily availability of fast broadband connections makes it possible for any small business to connect to their office network with a minimum of hassle. When you put together a remote access solution for your small business, you’ll be able to connect to your home or business network from anywhere in the world.

There are several requirements you’ll have to meet before your small business remote access solution will work for you:

  • You’ll need to figure out what type of remote access suits you best
  • You’ll need to get an ISP account that allows remote access to your network
  • You’ll need a router or firewall that allows you to “map ports” for incoming connections and/or allows incoming VPN connections
  • You’ll need to configure a split DNS

Let’s look at each of these issues in more detail.

What Type of Remote Access Do You Need?

Remote access is the process of accessing “stuff” on your office or home network from a location outside of your network. For example, suppose you have a home office network and you need to travel from time to time. You have a laptop you take with you when you travel, but your laptop hard drive isn’t nearly large enough to hold all the files you need when you’re on the road. In tact, you often don’t even know what files you’ll need when you’re on the road.

Another example is when you host your own mail server in your small business or home office network. You might have Microsoft Small Business Server and you host your own Exchange mail server. You want to be able to access your email from anywhere so that when you’re on the road, you just need to open your laptop, open your email program, and your mail is right there for you.

Remote access is used most commonly for the following:

  • Outlook Web Access (OWA) – OWA allows you to access information in the Exchange Server’s mailbox store using any Web browser. If you use Exchange 2003, then your OWA will look very much like Outlook 2003.
  • Exchange ActiveSync – if you have a PocketPC PDA, you use ActiveSync to get your mail into your PDA device. The PocketPC pocket Outlook program has many of the features you use on the full Outlook program on your desktop.
  • Outlook Mobile Access (OMA) – OMA is a boiled down version of OWA. You use a Web browser to access the Exchange Server OMA site. The OMA interface allows you to send and receive mail in a fashion similar to OWA, but with a much more simple Web interface.
  • Simple Web access – You can “publish” a Web server containing files you most commonly use. For example, if you have a file server containing all your files, you can make that file server’s files available to you over the Internet.
  • POP3 or IMAP4 mail access – POP3 and IMAP4 are popular email access protocols that almost any email program can use to connect to a mail server on your small office or home office network. You can use any mail server for this and it does not require Microsoft Exchange. For example, Windows 2003 includes a basic POP3 email server at no extra cost.
  • Virtual Private Network (VPN) – VPN allows you to connect to your office and have you computer become part of the network in the same way as it would be if you were to plug the laptop computer into one of the hubs or switches on your network. VPN allows you access to all the information on your small office or home office network; it’s just like “being there”.

There are other applications that allow remote access to machines on your small office or home office network, such as pcAnywhere to GoToMyPC, but I do not recommend these applications because of the security implications involved with the use of these programs and their limited utility compared to other remote access options.

The most popular small business remote access scenarios include connecting to Web servers on the small office or home office network, VPN and connecting to a mail server on the small office or home office network.

Hosting your own mail and Web services can be profoundly satisfying. You have complete control over the servers and you gain the satisfaction that comes from independence from third parties for managing your vital information services. Self-hosting isn’t for everyone, though. But if you have a real “do it yourself” approach to life and the entrepreneurial spirit, you’ll enjoy the self-hosting experience and reap the benefits from your remote access solution.

Obtain an ISP Account that Allows Connects to Your Office

Many small businesses hear about remote access solutions to data contained on the small office or home office network and get excited by the prospect of “access anywhere”. This excitement quickly fades when they find that they’ve done everything they need to do and then it doesn’t work. A common reason for their remote access plans falling apart is that they don’t have an ISP account that allows remote access connections.

The most common type of broadband ISP account is what we commonly refer to as a “hobbyist” account. These accounts allow you to connect to the Web and use just about any Internet program while you’re in the office. However, the hobbyist accounts often do not allow incoming connections to your office. The result is that when you try to connect to your Web site or mail server from somewhere else (like a hotel room while you’re traveling), it doesn’t work.

Most ISPs allow you to purchase a business account that allows remote access connections. The price difference may be small, or it might be large. It depends on the type of remote access you’re interested in using. For example, some ISPs allow incoming VPN connections but no others, while some will allow Web connections, but not VPN. You’ll have to ask your ISP what types of connections you can make when you get a business account.

Some ISPs allow remote access VPN and Web connections, but not FTP connections. Some allow everything in, but they assume you will not use remote access because its not part of your “terms of service” agreement with the ISP. You’re best off always checking with your ISP to find the best solution for your remote access plan.

Obtain a Router Allowing You to “Map Ports”

“Port mapping” allows your router (such as the broadband router your ISP gave you) to forward incoming connections to your Web server or mail server. For example, suppose you’re traveling and you’ve plugged your laptop into the hotel broadband Internet connection. You want to connect to your OWA site to check the mail stored on your Small Business Server Exchange Server. You type in the URL like and press ENTER. The connection is made to your broadband router’s IP address to a “port” that has the number 80. The broadband router then forwards the connection to the Exchange Server’s OWA Web site and the response is sent to back to you through your office’s broadband router.

Most broadband routers these days have some sort of “port mapping” or “port forwarding” feature built right into them. The broadband router manufacturers include this feature because they know how popular remote access solutions are these days. One challenge that all small business and home offices have to deal with is the differences in how configuration is done with each broadband router, as the procedures vary quite a bit from router to router. You’ll need to pull out the manual or the Help files for the broadband router to figure out how to configure the port forwarding.

Once you have a broadband router performing port forwarding, you can configure it to forward incoming HTTP, SSL (secure HTTP), and other types of connections, based on your remote access requirements. If this part sounds easy, it is. However, configuring your mail server and email client sometimes is less than straightforward. If you’re using an ISA firewall to protect your small business, then you can find a lot of help and how-to guidance at Community and how-to help for other vendors, especially Cisco (who now owns Linksys), is less than friendly for the small business and home office user.

Configure a Split DNS

This is the most interesting and the most significant part of your remote access solution. It’s also something that most networking people, even people who claim to have a good understanding of networking and networking concepts, fail to fully appreciate. A split DNS allows you “access anywhere” and have that access be completely transparent. You’ll be able to connect to your mail server from within the office network and from anywhere else in the world, and it just works.

For example, suppose you use Outlook 2003 to connect to an Exchange Server on your small office or home office network. You use Outlook on your desktop PC to connect to the Exchange Server and you have all your contacts, calendar information, tasks and Journal entries stored on the Exchange Server. You like using Outlook and you’re very comfortable with it.

What happens when you leave town and stay in a hotel with a broadband Internet connection? You plug your laptop into the hotel’s Internet connection and open Outlook. Does it work? Most likely it will not. Let’s say you configured port forwarding to allow the Outlook connection through to the Exchange Server on your small office or home network. Will it work? Again, probably not. This is in spite of the fact you configured the appropriate port forwarding on your broadband router.

The Evils of the .Local Domain Name

Some people may be able to get it to work by changing the configuration of their email software. For example, suppose you use Outlook Express while you’re in your small business or home network location. You use POP3 and SMTP to get and send mail to the mail server in your office. You’ve set up Outlook Express to connect to your mail server using the mail server’s name, such as  Everything works fine while you in the office.

What happens when you get to the hotel room and you have your laptop configured to use Outlook Express using the name mailserver.offfice.local? It won’t work! The reason is that the .local name is illegal on the Internet. That is why you should never, ever use a .local name for your office network names.

This is especially problematic for small and home businesses using Small Business Server. The last time I looked, they recommended you use the .local domain name when naming your office network’s domain. This recommendation has been a disaster for many small business owners who want “access anywhere”. They find that when they move from the office to a remote location things just don’t work they way they expected and they end up having to reconfigure client applications and use different names when connecting via the Web browser. If only that had used a legitimate domain name, such as or, life would have been good.

Choosing a Legal Domain Name

When you choose a domain name for your small office or home network, choose a real domain name that has not been taken. For example, one of our domain names is We checked if that name was taken and because it wasn’t, we registered the name with Network Solutions ( We choose Network Solutions because its likely that they’ll stay in business for a very long time, while domain registrars with names such as “Go Daddy” sound a bit cheesy to us. These names don’t lend a lot of confidence that they’ll be around as long as Network Solutions.

After you choose a domain name and register that domain name with a domain registrar like Network Solutions, you can then configure the DNS server on your small office or home network to use that name for naming all the machines on your network. Your mail server might have the and your file server might have the name and your workstations might have names like Notice how all the machines on the network have a full Internet DNS name. This is required on Windows domain-based networks. The Active Directory domain name in this example is

You then configure your email clients to connect to your mail server using the domain name you gave the machine in the network. For example, if your mail server’s name is mailserver, then you configure your email client software to use the name when connecting to the mail server. This name is also entered into your Internal network DNS server so that Internal network machines can connect to computers on your small office or home office network using this name.

After configuring your DNS server and email clients, you can get to the business of configuring your public DNS server. The public DNS server is used by machines located anywhere in the world to connect to machines on your small office or home office network via the port forwarding you configured on your broadband router. The only machines that don’t use your public DNS server are the machines on your office network.

You can run your own public DNS server, but unless you have an extremely strong do-it-yourself entrepreneurial spirit, its best to leave this job to someone else. You can contract with your ISP or a dedicated Internet Services expert like to host your DNS. You can configure your own DNS resource record entries in the public DNS, or you can ask your provider to configure them for you. It depends on the type of arrangement you have with the Internet services specialist.

Dynamic DNS Services

Note that the above recommendation only works if you have a permanent public IP address configured on your broadband router. If you have a dynamic IP address, which is causes the Internet IP address on your broadband router to change from time to time, then you should use a dynamic DNS service like For my personal Web and email site, I use TZO and it works great.

Here’s how you do it. Let’s say your Internal network domain name is You check to see if anyone else has taken this name and you find out that it’s available. The next step is to go to and register that domain name with TZO. You then download their software to your email server or any other computer on your network that is always on. The TZO software will be able to tell what your Internet IP address is, and it will inform the TZO DNS servers to register your domain name to that Internet IP address. So, when a user somewhere on the Internet tries to connect to, they are sent to the Internet IP address on your broadband router.

Putting it All Together

There you have it, the split DNS. We call it a split DNS because there are actually two DNS servers responsible for the same domain name. There’s the DNS server on your small office or home office network that is responsible for your domain name and the Internet DNS server that is also responsible for your domain name. When computers are plugged into the small office or home office network, they use the Internal network DNS server and when computers are plugged into a network somewhere else, they use the public DNS server.

Now let’s bring it all together! Follow the bouncing ball and see why the split rocks:

  1. You use a laptop computer in your office. The network is configured to use DHCP to assign IP addresses to computers in your office and the office’s DNS server is automatically assigned to the laptop computer when it plugs into the network.
  2. You use Outlook 2003 to connect to your Exchange Server in your office. When you open the laptop and start Outlook, the Outlook program is configured to use and it connects to the Exchange Server on your Internal network.
  3. You go on a business trip. When you get into the hotel room, the first thing you always do is check the Internet connection, at least, that’s what I always do J.
  4. You then open Outlook and log into your Exchange Server, Bingo! It works. And it works without you needing to change any of the configuration settings on your Outlook email program. The reason why it works this way is because you have a split DNS. When you’re in the hotel and connected to the hotel broadband network, you are automatically assigned a DNS server address that contacts your public DNS server and sends the request to the Internet IP address on your broadband router.

This is what “access anywhere” is all about. Just plug into an Internet connection and get the information you need from your office network. You never need to be “stuck” without critical email or files again, all thanks to your broadband router and the miracle of the split DNS.


In this article we discussed some of the basics of an “anywhere access” plan that allows you to access information on your small office or home office network from anywhere in the world. A critical component of your remote access plan is the split DNS. The split DNS allows you to move from the office network to a remote location (like a hotel room or an airport with a wireless Internet connection) and access your office data without ever having to reconfigure your client applications – things just work!

If you’re interested in the details of how to make this all a reality, let me know at [email protected] and I’ll put together an article series on how small businesses with broadband connections can get the same remote access power that the big businesses have.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top