Re: Root Hints or forwarders?

From: Herb Martin (news_at_LearnQuick.com)
Date: 10/15/04

  • Next message: Daniel R. Tobias: "Re: Intranet Naming Standard?"
    Date: Fri, 15 Oct 2004 15:08:35 -0500
    
    

    "huff-n-puff" <huffnpuff@discussions.microsoft.com> wrote in message
    news:20AF6B9C-E623-41E3-9B6D-D20F57342492@microsoft.com...
    > Hi
    >
    > You say to use forwarders but on which servers the internal or DMZ? Which
    > should have "do not use recursion" set? Internal or DMZ?

    Both (sets) probably. But you asked about the Internal servers
    primarily so the answer was largely focused on those and did
    indicate doing it on both.

    Use the forwarding tab on the INTERNAL DNS server properties,
    and set the forwarder (external server, either the DMZ or the ISP
    as appropriate but I vote for DMZ) and on that same tab set the
    "do not use recursion" so that the DNS server will NOT use both
    methods.

    You might wish to do the same on the DMZ DNS servers but here
    you would definitely use the ISP.

    Just be sure to AVOID the "disable recursion" check box in the
    ADVANCED property *** as it turns off BOTH forwarding and
    recursion. (They changed this dialog in Win2003 to avoid the
    confusion.)

    -- 
    Herb Martin
    >
    > Thanks
    >
    > M
    >
    > "Herb Martin" wrote:
    >
    > > Forwarders. <grin>
    > >
    > > > I have 2 DNS servers AD integrated authoritative for the internal DNS
    > > > zone only, I also have 2 external DNS servers on our DMZ as
    > > > primary/secondary for our internet facing zones.
    > > >
    > > > I want to keep the internal DNS servers from querying anything other
    > > > than the 2 DMZ based DNS servers when looking up external hostnames.
    > >
    > > Use Forwarders, and check "do not use recursion" on that SAME
    > > "Forwarders" dialog page (not in advanced since that disables
    > > forwarders TOO.)
    > >
    > > Without that checkbox your internal servers will both forward AND
    > > physically recurse the root.
    > >
    > > > I also want the 2 DMZ DNS servers to only query our ISPs DNS servers
    > > > when they do lookups.
    > >
    > > Good too -- you can use the ISP for forwarding, or you
    > > can use your own external servers for that if you don't
    > > even want your DCs going as far as the ISP.
    > >
    > > Generally, your DCs should be firewall/filtered so they
    > > cannot reach the Internet even if you forgot to stop such.
    > >
    > > (You can make exceptions for places like Windows Update
    > > OR you can just run an Internal SUS server for their updates.)
    > >
    > > > What is the best way to do this?  Forwarders or replacing the root
    > > > hints, should I turn off recursion on the servers anywhere?
    > >
    > > Forwarders.  (and check the do not use recursion, making it unnecessary
    > > to mess with the root hints.)
    > >
    > > > Thanks for any help.
    > > >
    > > > M
    > >
    > >
    > >
    

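The forward-only setup Herb describes (forwarders on the Forwarders tab plus "do not use recursion" there, while leaving the Advanced-tab "Disable recursion" switch alone) can be scripted and verified. The block below is an added example, not code from the thread; it uses the DnsServer PowerShell module shipped with Windows Server 2012 and later, where the Forwarders-tab checkbox surfaces as the `UseRootHint` property (False means forward-only) and the Advanced-tab switch as `Get-DnsServerRecursion`/`Set-DnsServerRecursion`. The forwarder addresses are constructed placeholders from the documentation range; on the internal servers they would be the two DMZ resolvers, on the DMZ servers the ISP's resolvers.

```powershell
# Added example (not from the original thread): make a Windows DNS server
# forward-only, and check that the Advanced-tab recursion switch has not
# silently disabled forwarding too.

# Constructed placeholder addresses (RFC 5737 documentation range).
# Internal DCs: point at the DMZ resolvers. DMZ servers: point at the ISP.
$Forwarders = @('192.0.2.10', '192.0.2.11')

function Set-ForwardOnlyResolver {
    param(
        [Parameter(Mandatory)] [string[]] $IPAddress,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # This is the Advanced-tab "Disable recursion (also disables forwarders)"
    # setting the post warns about: if it is off, forwarders are never used.
    $recursion = Get-DnsServerRecursion -ComputerName $ComputerName
    if (-not $recursion.Enable) {
        Write-Warning "Recursion is disabled on $ComputerName, so forwarders would be ignored. Re-enabling it."
        Set-DnsServerRecursion -ComputerName $ComputerName -Enable $true
    }

    # Forwarders-tab "do not use recursion" == UseRootHint $false:
    # the server asks only the listed forwarders and never walks the root itself.
    Set-DnsServerForwarder -ComputerName $ComputerName -IPAddress $IPAddress -UseRootHint $false
}

function Test-ForwardOnlyResolver {
    param([string] $ComputerName = $env:COMPUTERNAME)

    $fwd = Get-DnsServerForwarder -ComputerName $ComputerName
    $rec = Get-DnsServerRecursion  -ComputerName $ComputerName

    # ForwardOnly is True only when all three conditions the post requires hold:
    # forwarders are set, root-hint fallback is off, and recursion is still on.
    [pscustomobject]@{
        ComputerName     = $ComputerName
        Forwarders       = $fwd.IPAddress
        FallsBackToRoot  = $fwd.UseRootHint          # should be False
        RecursionEnabled = $rec.Enable               # should be True
        ForwardOnly      = ($fwd.IPAddress.Count -gt 0) -and (-not $fwd.UseRootHint) -and $rec.Enable
    }
}

Set-ForwardOnlyResolver -IPAddress $Forwarders
Test-ForwardOnlyResolver | Format-List
```

Run `Test-ForwardOnlyResolver` against each internal and DMZ server after the change; a `ForwardOnly` of False with `RecursionEnabled` False is exactly the "advanced checkbox" mistake the post describes, because that one switch turns off forwarding along with recursion. The script only shapes how the server resolves; the egress filtering Herb recommends for the DCs still has to be enforced on the firewall so a misconfigured server cannot reach the root servers anyway.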