
Within my organization network, if a machine has a computer name (hostname), say, desktop-x, I am able to ping that machine using just "ping desktop-x".

But ping actually converts desktop-x to an FQDN in order to query the DNS server for the corresponding IP address. So if my organization domain name is company-x registered under .com, then the FQDN for the machine is desktop-x.company-x.com.

So, ping actually queries "what is the IP address for desktop-x.company-x.com?". Now, when the organization DNS server gets this query, how does it know which IP address is assigned to desktop-x, since desktop-x is assigned a private IP dynamically by DHCP?

Provided the DNS server keeps track of (hostname => IP address) somehow, then why can't I ping the same machine from outside the network with "ping desktop-x.company-x.com"?

1 Answer


desktop-x is assigned a private IP dynamically by DHCP

There are three options:

  1. When Active Directory is in use, workstations self-register by sending DNS "UPDATE" packets to the authoritative server (which is usually the AD domain controller).

    This is possible even without AD – but then you need to allow unauthenticated updates, or set up custom update methods. AD just automates it using Kerberos (i.e. GSS-TSIG).

  2. When DHCP is in use, most workstations will report their hostname in the DHCP request packet. The DHCP server will then contact the authoritative DNS server (quite possibly using the same DNS "UPDATE", as isc-dhcpd does) to insert the hostname into DNS.

    This is exactly how local hostnames (.lan/.home domains) are implemented in consumer routers.

  3. Finally, the DNS mappings may be added manually, if the DHCP server has manually configured leases for all machines, issuing them static addresses.

    (Nowhere in DHCP does it say that addresses must be temporary, random, or private. A static lease assigning a global address is perfectly valid.)

Provided the DNS server keeps track of (hostname => IP address) somehow, then why can't I ping the same machine from outside the network with "ping desktop-x.company-x.com"?

Sometimes you can.

The usual reasons why it won't work for most domains:

  1. The machines have private (RFC 1918) IPv4 addresses, which are unreachable outside the site – the Internet has no route for them.

    This is usually, but not always, the case. Some organizations have massive pools of global IPv4 addresses (e.g. MIT had a /8) and every machine can get one. And some organizations run IPv6, in which every machine always gets one.

  2. The network is behind a firewall which blocks incoming connections.

    This is a must if the machines have global addresses (regardless of IP version). Quite important even if the addresses are private (behind a NAT), even though people tend to confuse this with the NAT itself.

  3. The machines have local (host) firewalls which block incoming connections, or just specifically incoming ICMP pings.

    This is the default on standalone Windows systems: they only accept pings from their local subnet and drop them from anywhere else.

  4. The DNS domain has multiple views: internal queries see different mappings than the general public does. Often the "public" view doesn't have internal hosts at all.

    (This is not a standard DNS feature, but many authoritative servers such as Bind implement it – by checking the source IP of the query.)

  • Slight nitpicks: On your point 1) "IPv6, in which every machine gets one". Not necessarily. It is usual to do that (combined with the firewall mentioned in 2), but it is also possible to use a private-addresses-only scheme in IPv6 if you really want to for some reason. On point 3: AFAIK this was introduced in Windows 7 when the Windows firewall got major upgrades. Earlier versions would happily respond to any ping request regardless of where it originated.
    – Tonny
    Commented Jul 18, 2018 at 19:26
  • @grawity thanks ... now I can understand why ping doesn't work in the given case, but doesn't dig/hostname work either? I think it should work, since the org DNS server holds the mapping, although the mapping is to a private address. I am trying to do "desktop-x.company-x.com", and it says "no servers could be found". Commented Jul 21, 2018 at 19:03
  • @karthikts: Your router / DNS server blocks DNS responses which contain private IPs. This is a common, if quite annoying, mitigation to the DNS rebinding attack. Commented Jul 21, 2018 at 20:29
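The two server-side behaviours named above, split-horizon views (the answer's point 4) and the rebinding filter on the home router (the last comment), modelled as an added Python example that is not from the original thread. The zone data, client addresses and the policy knobs are constructed; the comments name the dnsmasq options the behaviour resembles.

```python
import ipaddress

# Constructed zone data: the internal view knows the DHCP-registered
# workstation, the public view only carries the externally reachable hosts.
ZONE_VIEWS = {
    "internal": {"desktop-x.company-x.com": ["10.20.30.40"],
                 "www.company-x.com": ["10.0.0.5"]},
    "external": {"www.company-x.com": ["203.0.113.10"]},
}

# Address space that is never routed on the public Internet. An answer that
# points here is useless to an outside client and is exactly the signal a
# forwarder such as dnsmasq (--stop-dns-rebind) drops to stop DNS rebinding.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]
INTERNAL_CLIENTS = NON_ROUTABLE[:3]  # constructed: RFC 1918 sources count as "inside"


def is_non_routable(addr):
    ip = ipaddress.ip_address(addr)
    # ipaddress returns False for a v4/v6 mismatch, so mixing families is safe here
    return any(ip in net for net in NON_ROUTABLE)


def select_view(client_ip):
    """Split-horizon: pick the zone view by the source IP of the query (what Bind views do)."""
    ip = ipaddress.ip_address(client_ip)
    return "internal" if any(ip in net for net in INTERNAL_CLIENTS) else "external"


def resolve(name, client_ip):
    """Authoritative side: answer from the view this client gets; [] means no such record."""
    return ZONE_VIEWS[select_view(client_ip)].get(name.rstrip(".").lower(), [])


def filter_rebind(name, answers, rebind_ok_domains=()):
    """Forwarder side: drop upstream A/AAAA records that point into non-routable
    space, unless the name is under a domain the operator explicitly allows to
    resolve to internal addresses (the role of dnsmasq --rebind-domain-ok)."""
    name = name.rstrip(".").lower()
    if any(name == d or name.endswith("." + d) for d in rebind_ok_domains):
        return list(answers)
    return [a for a in answers if not is_non_routable(a)]
```

Seen from outside, desktop-x.company-x.com either does not exist in the public view at all, or its private answer is discarded by the querying side's forwarder before the client ever sees it.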
