Re: DNS in two domains (one on a DMZ)
From: Phillip Windell (_at_.)
Date: 07/09/04
- Previous message: Phillip Windell: "Re: DNS in two domains (one on a DMZ)"
- In reply to: Rich: "Re: DNS in two domains (one on a DMZ)"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 9 Jul 2004 12:03:06 -0500
"Rich" <Rich@RW.com> wrote in message
news:%234Tl2EdZEHA.716@TK2MSFTNGP11.phx.gbl...
> The structure I have is a simple Back to Back with an ISA server on each
> end.
Ok.
> My understanding was that a split DNS structure was the most secure in this
> situation.
Split DNS is used mainly when you have used the same FQDN on the private
network as you have on the Public Network. So just having more than one DNS
Server doesn't always mean it is the "split" type. Split-DNS is a specific
type of setup. DNS isn't my best area when it starts getting "deep" so
maybe some of the other guys here can help with that. Here is a link to an
article for using Split-DNS in an ISA environment:
[Those are underscores, not spaces between the words]
You Need to Create a Split DNS!
http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html
By the way, that is the actual name of the article,...I'm telling you that
you have to do that :-)
> In order to create this I would need to create a stub zone on the DNS Server
> in the DMZ. As a result of this, I would need to create a server publishing
> rule in order to allow for the DNS query and DNS zone transfers to occur
> between the two different subnets.
I would think that just a simple stand-alone DNS Server in the DMZ would be
used for resolving names on the DMZ. Your LAN's DNS would just have the
DMZ/DNS listed as a Forwarder. Then the DMZ/DNS would have the ISP's DNS
listed as a Forwarder. All your LAN Clients would only list the LAN/DNS
in their settings and would go to the LAN/DNS; if it doesn't resolve then it
goes to the DMZ/DNS via the Forwarder entry, and if it still doesn't resolve
then it goes to the ISP's DNS.
How to: Configure DNS for Internet Access In Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;300202
I don't see that there needs to be any "transfers" or any Zones flying
around anywhere, and I don't think there needs to be any kind of "intimate
relationship" between any of the DNS's other than the contents of the
Forwarders lists. Just "Keep It Simple" as the saying goes. But like I
said, DNS isn't my best subject so maybe others may have better ideas.
As far as ISA.....
The outermost ISA would publish any required Servers on the DMZ to the
Public Internet. The innermost ISA would not have any role in that. The
innermost ISA would publish any LAN Server that needs to be accessed from the
DMZ. The really bad thing is if a LAN Server needs to be published all the
way out to the Public Internet,...I would, as much as possible, avoid
creating a situation where that needs to be done. It can still be done, but
it seems "messy" to me.
Your LAN clients, when accessing resources, would not make any distinction
between Servers on the DMZ and Servers out in Internet-Land,...as far as
they are concerned it is all the Internet. The DMZ just looks like the
Internet to them.
-- Phillip Windell [MCP, MVP, CCNA] www.wandtv.com
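The forwarder chain Phillip describes (LAN clients list only the LAN DNS; LAN DNS forwards to the DMZ DNS; DMZ DNS forwards to the ISP; no zone transfers between any of them), written out as an added example for Windows DNS Server. This is not from the original thread and is not how the 2004-era tools looked; it uses the DnsServer PowerShell module (Server 2012 and later). The addresses 10.0.0.53 (LAN DNS), 10.0.2.53 (DMZ DNS), 203.0.113.53 (ISP DNS) and the zone names corp.local and dmz.example.com are assumptions for illustration only.

```powershell
# Added example, not code from the original post. Assumed addresses and zones:
#   LAN DNS  10.0.0.53    authoritative for corp.local (internal zone)
#   DMZ DNS  10.0.2.53    stand-alone, authoritative for dmz.example.com (public zone)
#   ISP DNS  203.0.113.53
# Run each section on the server named in its heading.

# ---- On the LAN DNS (10.0.0.53) ----
# Anything not answered locally goes to the DMZ DNS only. -UseRootHint $false means
# the LAN DNS never tries to reach the Internet itself, so the inner ISA only has to
# allow DNS (TCP/UDP 53) from 10.0.0.53 to 10.0.2.53 and nothing else outbound for DNS.
Set-DnsServerForwarder -IPAddress 10.0.2.53 -UseRootHint $false -Timeout 3

# The internal zone must never be transferred to the DMZ or anywhere else.
Set-DnsServerPrimaryZone -Name 'corp.local' -SecureSecondaries NoTransfer

# ---- On the DMZ DNS (10.0.2.53) ----
# Same pattern one hop out: forward only to the ISP resolver, no root hints.
Set-DnsServerForwarder -IPAddress 203.0.113.53 -UseRootHint $false -Timeout 3

# The public zone is served directly by this host; no secondaries, so no AXFR allowed.
Set-DnsServerPrimaryZone -Name 'dmz.example.com' -SecureSecondaries NoTransfer

# ---- Checks, run from a LAN client that lists only 10.0.0.53 ----
# A DMZ name and an Internet name both resolve through the same chain; the client
# cannot tell which one lives in the DMZ, which is exactly the intent.
Resolve-DnsName -Name www.dmz.example.com -Server 10.0.0.53 -Type A
Resolve-DnsName -Name www.example.net     -Server 10.0.0.53 -Type A

# Confirm the transfer lockdown on each server (expect SecureSecondaries = NoTransfer).
Get-DnsServerZone -Name 'corp.local'      -ComputerName 10.0.0.53 | Select-Object ZoneName, SecureSecondaries
Get-DnsServerZone -Name 'dmz.example.com' -ComputerName 10.0.2.53 | Select-Object ZoneName, SecureSecondaries
```

One caveat the original post does not cover: the DMZ server is published to the Internet for dmz.example.com and at the same time forwards recursive queries on behalf of the LAN DNS, so by default it is an open resolver to anyone the outer ISA lets reach port 53. On Server 2016 and later, a DNS recursion scope combined with a query-resolution policy can limit recursion to queries arriving from 10.0.0.53; on older versions the practical control is the outer firewall rule set.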