Re: DNS in two domains (one on a DMZ)
From: Rich (Rich_at_RW.com)
Date: 07/09/04
- Next message: ObiWan: "Re: DNS in two domains (one on a DMZ)"
- Previous message: Phillip Windell: "Re: DNS in two domains (one on a DMZ)"
- In reply to: ObiWan: "Re: DNS in two domains (one on a DMZ)"
- Next in thread: ObiWan: "Re: DNS in two domains (one on a DMZ)"
- Reply: ObiWan: "Re: DNS in two domains (one on a DMZ)"
- Reply: Phillip Windell: "Re: DNS in two domains (one on a DMZ)"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 9 Jul 2004 17:19:36 +0100
ObiWan and Phillip,
Thanks for your responses.
The structure I have is a simple Back to Back with an ISA server on each
end.
My understanding was that a split DNS structure was the most secure in this
situation.
In order to create this I would need to create a stub zone on the DNS Server
in the DMZ. As a result of this, I would need to create a server publishing
rule in order to allow for the DNS query and DNS zone transfers to occur
between the two different subnets.
At first, in the lab scenario, I just wanted to get this going. After that I
intended to put two DNS servers into the DMZ (one as an advertiser and one
as a resolver (cache-only forwarder to the internet)), which I believe is the
structure that ObiWan is talking about. I have already created the packet
filtering that he mentions.
I'll go back and have a look at this. I think theoretically this should
work.
Unfortunately I do not have any precise questions at the moment.
Rich
"ObiWan" <anzen.NO@SPAM.gmx.net> wrote in message
news:ucUmrQZZEHA.3144@TK2MSFTNGP12.phx.gbl...
>
>
> <snippage>
> > You don't "publish" any DNS.
> > All clients point to the Internal DNS, it in turn uses a Forwarder to the
> > DNS on the DMZ, which in turn uses a Forwarder to the ISP's DNS.
> >
> > That is the best I can tell you with something like this. If I was in that
> > position I would go way, way, out of my way to create a simpler situation.
>
> FULLY agreed !!!
>
> Also, consider setting up TWO DNS servers on the DMZ, one will
> host the AD data and won't be published but only used as above
> while the second one will only contain the public zone data and
> will be published; also be sure to setup the packet filtering to allow
> incoming queries on 53 UDP _and_ TCP; I've seen published DNS
> without the TCP rule too often and such a thing may cause a whole
> lot of strange problems
>
> Regards
>
>
>
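ObiWan's caveat above, that a published DNS server must be reachable on 53/UDP and 53/TCP, is easy to check from outside the firewall. The following is an added example, not code from anyone in this thread: it hand-builds a minimal RFC 1035 query, sends it over both transports and reports, per transport, whether an answer came back and whether the UDP reply carried the TC (truncated) bit, which is exactly the case in which a resolver retries over TCP. The server address, query name and the 3-second timeout are assumptions for illustration; the byte strings in the test are constructed, not captured from a real server.

```python
"""Probe a published DNS server on 53/UDP and 53/TCP (added example).

Usage: python dnsprobe.py <server-ip> <name> [qtype]
Assumed example invocation: python dnsprobe.py 192.0.2.53 www.example.com
"""
import socket
import struct
import sys

QTYPES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "AAAA": 28, "AXFR": 252}


def build_query(name, qtype="A", qid=0x1234, rd=True):
    """Return a DNS query message: 12-byte header + QNAME/QTYPE/QCLASS."""
    flags = 0x0100 if rd else 0x0000  # RD bit: ask for recursion
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)  # class IN


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def parse_response(msg):
    """Decode the reply header: id, QR/TC bits, RCODE and section counts."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),  # TC: answer did not fit in UDP
        "rcode": flags & 0x000F,            # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
        "authority": ns,
    }


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def query_udp(server, msg, timeout=3.0):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(msg, (server, 53))
        data, _ = sock.recvfrom(4096)
        return data
    finally:
        sock.close()


def query_tcp(server, msg, timeout=3.0):
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(tcp_frame(msg))
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return _recv_exact(sock, length)


def probe(server, name, qtype="A"):
    """Send the same query over UDP and TCP; a missing transport shows as an error."""
    msg = build_query(name, qtype)
    results = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[transport] = parse_response(fn(server, msg))
        except (OSError, ValueError) as exc:
            results[transport] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    srv, qname = sys.argv[1], sys.argv[2]
    qt = sys.argv[3] if len(sys.argv) > 3 else "A"
    res = probe(srv, qname, qt)
    for transport, r in res.items():
        print(transport, r)
    if "error" in res["tcp"]:
        print("WARNING: no answer on 53/TCP; truncated replies and zone transfers will fail")
    elif res["udp"].get("truncated"):
        print("UDP reply truncated; clients will depend on the TCP path")
```

Run it against the advertiser's public address from a host on the Internet side of the outer ISA server; an "error" entry under "tcp" with a working "udp" entry is the missing-TCP-rule symptom ObiWan describes. The same script pointed at the resolver from the inside, with a name the resolver must forward, checks the internal-to-DMZ leg of the forwarding chain.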