Re: Forwarders
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Fri, 8 Jul 2005 20:39:54 -0500
"jremmc" <jremmc@xxxxxxxxxxxxxx> wrote in message
news:u1dxxo9gFHA.3912@xxxxxxxxxxxxxxxxxxxxxxx
> Setting up AD-Integrated DNS on branch child DC. Branch is connected via
> Frame-Relay WAN to HQ (which contains our Root DCs and two other child DCs),
> but also has second, direct T1 to Internet for Internet traffic.
>
> What is best practice -- Should Branch DNS Forwarders point to Root DCs like
> HQ Child DCs do (and Root DCs point to our ISP for public resolution), or
> can they point directly to our ISP to avoid the added Frame-Relay traffic?

There is no "best practice" here, except that every DNS server must
be able to resolve ALL of the names needed by its clients; resolve
them either directly (from zone files) or through forwarding and/or
actual recursion.

> Root DNS replicates to all DCs in Forest, so child DC would have copy of
> Root Domain zone.

Then there is little necessity for the child DNS server to forward
to the root explicitly so more likely they should forward to your
"Firewall-DMZ" DNS unless you feel that you can obtain some
more economies of scale and cache by using an intermediate forwarder
(e.g., the root DNS) and then test that expectation successfully.

Most of us do NOT want you to have DCs forwarding directly to
the outside, EVEN to the ISP. DCs should be kept ISOLATED on
your internal network.

Thus the DNS server(s) -- probably caching only -- in the DMZ
or on your firewall SHOULD deal with Internet names for ALL
internal DNS servers and clients.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
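
The forwarding layout recommended in the reply above, written as an audit check (an added example, not part of the original post). The server names, addresses and inventory format are constructed for illustration, and "outside" is assumed to mean any forwarder address that is not a server in the inventory.

```python
# Constructed inventory (not from the thread): each managed DNS server, keyed
# by IP, with its role and configured forwarders.
SERVERS = {
    "10.1.0.10":     {"name": "hq-root-dc1",  "role": "dc",        "forwarders": ["192.168.50.53"]},
    "10.1.0.20":     {"name": "hq-child-dc1", "role": "dc",        "forwarders": ["10.1.0.10"]},
    "10.2.0.10":     {"name": "branch-dc1",   "role": "dc",        "forwarders": ["203.0.113.53"]},
    "10.3.0.10":     {"name": "lab-dc1",      "role": "dc",        "forwarders": []},
    "192.168.50.53": {"name": "dmz-cache",    "role": "dmz-cache", "forwarders": ["203.0.113.53"]},
}


def check(ip, servers, seen=()):
    """Follow forwarders from one server; return a list of problems (empty = OK)."""
    srv = servers[ip]
    if srv["role"] == "dmz-cache":
        return []  # only the DMZ caching server is expected to talk to the Internet
    if ip in seen:
        return [f"forwarding loop through {srv['name']}"]
    if not srv["forwarders"]:
        return [f"{srv['name']} has no forwarder, so Internet names depend on its own recursion"]
    problems = []
    for fwd in srv["forwarders"]:
        if fwd not in servers:
            # Forwarder is not a managed server: the DC is reaching outside directly.
            problems.append(f"{srv['name']} forwards outside the managed set to {fwd}")
        else:
            # Internal hop (e.g. child DC -> root DC): keep following the chain.
            problems += check(fwd, servers, seen + (ip,))
    return problems


def audit(servers):
    """Map every DC name to the problems found along its forwarding chain."""
    return {s["name"]: check(ip, servers)
            for ip, s in servers.items() if s["role"] == "dc"}


if __name__ == "__main__":
    for name, problems in audit(SERVERS).items():
        print(name, "OK" if not problems else "; ".join(problems))
```
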