Re: Nameserver scenario with advertisers and resolvers - Solution Sum
- From: "Ace Fekay [MVP]" <PleaseSubstituteMyActualFirstName&LastNameHere@xxxxxxxxxxx>
- Date: Tue, 23 Aug 2005 18:31:25 -0400
In news:E535B51F-9414-42B6-98AB-55764BE8EB47@xxxxxxxxxxxxx,
ACE-Joe <ACEJoe@xxxxxxxxxxxxxxxxxxxxxxxxx> made this post, which I then
commented about below:
> Summary:
>
> Public DNS in the DMZ:
>
> 1. I setup two DNS servers in a Primary/Secondary configuration,
> created zones for all my public domains, configured them as
> advertisers. These are the two "hidden" DNS servers. No public
> records reference them and no queries are made to them.
>
> 2. I setup two more DNS servers in a Primary/Secondary configuration
> setup as advertisers with no recursion, no root hints, no forwarding.
> I created all my zones for all public domains. I setup the
> nameservers at the registrar to point to each one respectively ns1
> and ns2 using their public IPs.
Actually for #1 and #2, one of the #1 servers will be the Primary. The
others in #1 and #2 will hold secondary copies. This way any changes you
make on the primary in #1 will zone transfer to the others.
Disable recursion on these guys under the advanced tab.
>
> 3. I setup two more DNS servers as resolvers, basically caching only
> servers. No zones, forwarding enabled to the ISP, and kept root
> hints for failover.
That's fine.
>
> Internal DNS:
>
> 1. I setup two DNS servers (NO AD YET) in a primary/secondary
> configuration. I created the zone for the internal domain. I enabled
> DDNS registration. I enabled forwarders to point to the two
> resolvers in the DMZ. I removed the root hints.
No need to remove the Roots.
> 2. I created stub zones for the various public domains hosted on the
> DMZ DNS servers. This allows me to resolve the public domains
> internally on private IPs for the internal LAN clinet workstations.
That's fine. But if there is one particular zone the same name as your AD
zone, that would be useless. You would need to manually create the records
on the internal zone just for that one zone. if you are using the same AD
name internally as externally for that specific zone.
>
> This is how I ended up making this configuration work. The "hidden"
> setup is way overkill for us, and I'm not sure we will impliment it,
> but I had to do the work to prove it works. DNS is up and running,
> everything works, resolves correctly, and I'm very pleased with the
> results. My test lab will undergo more testing tomorrow, but its all
> working very well right now. I still have some Port forwarding
> issues to resolve in the firewall for the DMZ and incoming traffic
> from the internet, but other than that, its working great! I even
> setup IIS on the primary DMZ DNS server to test for website hosting
> in this configuration and it works great!
I hope your DMZ is routed using an actual public IP range. Port forwarding
in NAT will only work with one port to one internal IP only.
>
> Thanks for all your help/suggestions!
>
> Joe
Cheers!
.
- References:
- Nameserver scenario with advertisers and resolvers
- From: ACE-Joe
- Re: Nameserver scenario with advertisers and resolvers
- From: Ace Fekay [MVP]
- Re: Nameserver scenario with advertisers and resolvers
- From: ACE-Joe
- Re: Nameserver scenario with advertisers and resolvers - Solution Sum
- From: ACE-Joe
- Nameserver scenario with advertisers and resolvers
- Prev by Date: Re: Nameserver scenario with advertisers and resolvers
- Next by Date: Re: Net diag = error : DNS Test failed
- Previous by thread: Re: Nameserver scenario with advertisers and resolvers - Solution Sum
- Next by thread: Forwding to a site on a port in IIS
- Index(es):
Relevant Pages
|
