Re: Root Hints or forwarders?

From: Herb Martin (news_at_LearnQuick.com)
Date: 10/16/04

    Date: Sat, 16 Oct 2004 13:18:01 -0500

    "Lee" <leweb2000@hotmail.com> wrote in message
    news:uYUlL83sEHA.316@TK2MSFTNGP11.phx.gbl...
    > My vote is to set to internal forwarding to the ISP and never the dmz.
    >

    Why don't you give some reasons and such for that opinion....

    Setting it to the DMZ machines means that your internal DNS
    servers (especially DC-AD Integrated DNS servers) can
    be prevented from going outside AT ALL.

    Although it might make as much or more sense to use a
    caching only DNS server on the INSIDE firewall (that's
    what I do), this element was not mentioned in the scenario
    he proposed.

    -- 
    Herb Martin
    > Lee
    >
    > "Herb Martin" <news@LearnQuick.com> wrote in message
    > news:%23fVJiSvsEHA.1308@tk2msftngp13.phx.gbl...
    > > "huff-n-puff" <huffnpuff@discussions.microsoft.com> wrote in message
    > > news:20AF6B9C-E623-41E3-9B6D-D20F57342492@microsoft.com...
    > > > Hi
    > > >
    > > > You say to use forwarders but on which servers the internal or DMZ?
    > > > Which should have "do not use recursion" set?  Internal or DMZ?
    > >
    > > Both (sets) probably.  But you asked about the Internal servers
    > > primarily so the answer was largely focused on those and did
    > > indicate doing it on both.
    > >
    > > Use the forwarding tab on the INTERNAL DNS server properties,
    > > and set the forwarder (external server, either the DMZ or the ISP
    > > as appropriate but I vote for DMZ) and on that same tab set the
    > > "do not use recursion" so that the DNS server will NOT use both
    > > methods.
    > >
    > > You might wish to do the same on the DMZ DNS servers but here
    > > you would definitely use the ISP.
    > >
    > > Just be sure to AVOID the "disable recursion" check box in the
    > > ADVANCED property *** as it turns off BOTH forwarding and
    > > recursion.  (They changed this dialog in Win2003 to avoid the
    > > confusion.)
    > >
    > >
    > > -- 
    > > Herb Martin
    > >
    > >
    > > >
    > > > Thanks
    > > >
    > > > M
    > > >
    > > > "Herb Martin" wrote:
    > > >
    > > > > Forwarders. <grin>
    > > > >
    > > > > > I have 2 DNS servers AD integrated authoritative for the internal
    > > > > > DNS zone only, I also have 2 external DNS servers on our DMZ as
    > > > > > primary/secondary for our internet facing zones.
    > > > > >
    > > > > > I want to keep the internal DNS servers from querying anything
    > > > > > other than the 2 DMZ based DNS servers when looking up external
    > > > > > hostnames.
    > > > >
    > > > > Use Forwarders, and check "do not use recursion" on that SAME
    > > > > "Forwarders" dialog page (not in advanced since that disables
    > > > > forwarders TOO.)
    > > > >
    > > > > Without that checkbox your internal servers will both forward AND
    > > > > physically recurse the root.
    > > > >
    > > > > > I also want the 2 DMZ DNS servers to only query our ISP's DNS
    > > > > > servers when they do lookups.
    > > > >
    > > > > Good too -- you can use the ISP for forwarding, or you
    > > > > can use your own external servers for that if you don't
    > > > > even want your DCs going as far as the ISP.
    > > > >
    > > > > Generally, your DCs should be firewall/filtered so they
    > > > > cannot reach the Internet even if you forgot to stop such.
    > > > >
    > > > > (You can make exceptions for places like Windows Update
    > > > > OR you can just run an Internal SUS server for their updates.)
    > > > >
    > > > > > What is the best way to do this?  Forwarders or replacing the root
    > > > > > hints, should I turn off recursion on the servers anywhere?
    > > > >
    > > > > Forwarders.  (and check the do not use recursion, making it
    > > > > unnecessary to mess with the root hints.)
    > > > >
    > > > > > Thanks for any help.
    > > > > >
    > > > > > M
    > > > >
    > > > >
    > > > >
    > >
    > >
    >
    >
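The configuration Herb describes (forwarders on the internal server, "do not use recursion" on the Forwarders tab, and never the Advanced-tab "disable recursion" box, which kills forwarding too) can be audited and applied from the shell. The script below is an added example, not code from the thread; it assumes the DnsServer PowerShell module (Windows Server 2012 or later), where `UseRootHint $false` is the equivalent of the Forwarders-tab checkbox and `Set-DnsServerRecursion -Enable $false` is the Advanced-tab setting to avoid. The DMZ addresses are constructed placeholders.

```powershell
# Added example, not from the original thread. Audits a Windows DNS server for
# the "forward only, never recurse the root" setup and flags the Advanced-tab
# "disable recursion" mistake that also disables forwarders.
# Assumes the DnsServer module (Windows Server 2012+); addresses are placeholders.
$DmzForwarders = @('192.0.2.10', '192.0.2.11')   # placeholder: your DMZ resolvers

function Test-ForwarderOnlyConfig {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $fwd = Get-DnsServerForwarder -ComputerName $ComputerName
    $rec = Get-DnsServerRecursion -ComputerName $ComputerName
    $findings = @()

    if (-not $fwd.IPAddress) {
        $findings += 'No forwarders configured: the server walks the root hints itself.'
    }
    # UseRootHint = $true is the same as leaving "do not use recursion" unchecked
    # on the Forwarders tab: the server forwards AND recurses the root on failure.
    if ($fwd.UseRootHint) {
        $findings += 'UseRootHint is enabled: server falls back to root hints when forwarders fail.'
    }
    # Recursion disabled server-wide (Advanced tab) turns off forwarding too,
    # so every external lookup from clients fails.
    if (-not $rec.Enable) {
        $findings += 'Server-wide recursion is disabled: this also disables forwarders.'
    }
    return $findings
}

function Set-ForwarderOnlyConfig {
    param([string[]]$Forwarders, [string]$ComputerName = $env:COMPUTERNAME)
    # Keep recursion enabled so forwarding keeps working ...
    Set-DnsServerRecursion -ComputerName $ComputerName -Enable $true
    # ... but only ever ask the forwarders, never the root servers.
    Set-DnsServerForwarder -ComputerName $ComputerName -IPAddress $Forwarders -UseRootHint $false
}

# Audit first; apply only after reviewing the findings.
$issues = Test-ForwarderOnlyConfig
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Internal server forwards only; root hints are not used.' }
# Set-ForwarderOnlyConfig -Forwarders $DmzForwarders
```

Run the audit against each internal DC first; the firewall rule Herb mentions (DCs blocked from reaching the Internet) is the backstop that catches the case where this setting is later undone.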
    
