Configuring “Split DNS”, “NAT Loopback” or “Hairpin Nat” for On-Premise Installs
Introduction
If you are installing 3CX on-premise, the FQDN you configure must resolve both externally (from outside your network) and internally (from within your LAN). The best way to achieve this is to have two zones for the same FQDN: the public zone, which returns your public IP to external users, and an internal zone on your LAN DNS server, which returns the private LAN IP of the 3CX server to internal users.
This is called a “Split DNS” (or “Split Brain DNS”) configuration. “NAT loopback” and “hairpin NAT” are the firewall-side alternative, where internal clients keep resolving the public IP and the firewall redirects that traffic back into the LAN. Either way, users connect with the 3CX Apps or the 3CX Web Client using the same secure FQDN / URL whether they are in or out of the office.
It also ensures that the Web Client is reached via the FQDN the TLS certificate is issued for, and not via an IP address. Connecting by IP produces a certificate name-mismatch warning, and modern browsers are increasingly strict about refusing such connections.
To achieve this you need a DNS server or a firewall on your LAN that can be configured accordingly.
Configuration and naming on popular firewalls
This guide walks through the configuration on Microsoft DNS Server, which is included in Windows Server. The example uses a 3CX-provided FQDN, but a custom domain works the same way. The process is similar on other DNS servers.
Depending on your network, you can also achieve the same result on your firewall. Vendors use different names for the feature, e.g. Loopback NAT, Split Brain DNS, etc. Here are links to terminology and configuration guides from top firewall vendors:
- Sonicwall - Loopback NAT - How to configure
- Draytek - LAN & DNS forwarding - How to configure
- Pfsense - DNS resolver - How to configure
- Watchguard - NAT Loopback - how to configure
- Fortinet - Hairpin NAT configuration- How to Video (general)
- Cisco - Split DNS
Configuring Split DNS on Microsoft DNS Server
Step 1: Create a New Zone
From the Windows Server Manager application:
- Click “Tools” on the top right on the Server Manager window and from the drop-down menu select “DNS”. The DNS manager will open.
- Right-click on your server’s name and select “New Zone…”
- The New Zone Wizard will open. Click “Next”.
- Leave the default “Primary zone” selected and click “Next”.
- Select “Forward lookup zone” and click “Next”.
- Enter your zone name. This is your 3CX FQDN, for example “mypbx.3cx.eu”. Click “Next”.
- In the Zone File page leave the default options selected and click “Next”.
- In the Dynamic Update page leave the default options selected and click “Next”.
- Click “Finish”. Your newly created zone will now appear under Forward Lookup Zones.
Step 2: Add a New Host
- Right click on the zone you have just created and select “New Host (A or AAAA)…”
- Leave the Name field empty so the record is created for the parent domain itself, i.e. the zone apex (shown as “(same as parent folder)”), which is your FQDN.
- In the IP Address field enter the local IP of your 3CX server.
- Click “Add Host”. A dialog will appear confirming that the record was added.
Step 3: Test your DNS Entry
To verify that your DNS server resolves your FQDN to the correct IP address:
- Open a command prompt window on a computer in your LAN.
- Type nslookup followed by your domain name, e.g.:
- nslookup mypbx.3cx.eu
- If the DNS settings are correct, you should get the local IP address of the 3CX server (the one entered in Step 2). To confirm the split, query a public resolver as well, e.g. nslookup mypbx.3cx.eu 8.8.8.8, which should return your public IP instead. Note that only clients that use your LAN DNS server (normally assigned via DHCP) get the internal answer; a device with a hard-coded public resolver, or with DNS-over-HTTPS enabled in the browser, bypasses the internal zone and reaches the PBX via the public IP, which then only works if the firewall supports NAT loopback.
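The same three steps can be scripted on the DNS server with the DnsServer PowerShell module. The block below is an added example written for this guide, not code from 3CX; the FQDN, the LAN address of the PBX and the public resolver used for the comparison are assumed placeholder values, and the Test-SplitDns function is a helper defined here for the check in Step 3.

```powershell
# Added example (not from the 3CX page): PowerShell equivalent of Steps 1-3,
# run on the Windows Server that hosts the DNS role.
# Assumed values: replace the FQDN and LAN IP with your own.
$Fqdn       = 'mypbx.3cx.eu'      # your 3CX FQDN; the zone name equals the host name
$InternalIp = '192.168.10.5'      # assumed LAN IP of the 3CX server
$DnsServer  = 'localhost'         # this DNS server (or its name/IP when run remotely)

Import-Module DnsServer

# Step 1: a primary forward lookup zone named exactly as the FQDN.
# A file-backed zone with dynamic updates disabled matches the wizard defaults;
# on a domain controller use -ReplicationScope Domain instead of -ZoneFile
# to make it Active Directory-integrated.
if (-not (Get-DnsServerZone -Name $Fqdn -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Fqdn -ZoneFile "$Fqdn.dns" -DynamicUpdate None
}

# Step 2: an A record at the zone apex ('@' is "(same as parent folder)" in
# DNS Manager), so the FQDN itself resolves to the LAN address.
$apex = Get-DnsServerResourceRecord -ZoneName $Fqdn -Name '@' -RRType A -ErrorAction SilentlyContinue
if (-not $apex) {
    Add-DnsServerResourceRecordA -ZoneName $Fqdn -Name '@' -IPv4Address $InternalIp -TimeToLive 00:05:00
}

# Step 3: verify the split. -Server pins the resolver so the answer reflects that
# server and not whatever the workstation happens to use; -DnsOnly bypasses the
# hosts file and the local cache.
function Test-SplitDns {
    param(
        [string]$Name,
        [string]$InternalResolver,
        [string]$ExternalResolver = '8.8.8.8'   # assumed public resolver for comparison
    )
    $inside  = (Resolve-DnsName -Name $Name -Type A -Server $InternalResolver -DnsOnly -ErrorAction Stop |
                Where-Object Type -eq 'A').IPAddress
    $outside = (Resolve-DnsName -Name $Name -Type A -Server $ExternalResolver -DnsOnly -ErrorAction Stop |
                Where-Object Type -eq 'A').IPAddress
    [pscustomobject]@{
        Name     = $Name
        Internal = $inside    # expected: the LAN IP entered in Step 2
        External = $outside   # expected: your public IP from the public zone
        # Split DNS is working when the two resolvers disagree as intended.
        Split    = (($inside -join ',') -ne ($outside -join ','))
    }
}

Test-SplitDns -Name $Fqdn -InternalResolver $DnsServer
```

If Split comes back False, the internal zone is not authoritative on the server you queried (wrong zone name, or the record was added under a host name instead of the apex). Running the same Test-SplitDns call from a LAN workstation with its DHCP-assigned resolver as InternalResolver confirms that clients actually use this DNS server rather than a public one.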
This concludes your configuration of Split DNS! You can now use a single FQDN whether on the local network or outside the office!
Last Updated
This document was last updated on 18 June 2023
https://www.3cx.com/docs/creating-fqdn-split-dns/