Re: DNS re-structure
kTell <tmkeller@xxxxxxxxx> wrote:
> I have an internal DNS server, also does DHCP and DC, that I inherited
> as a kludge. I'm trying to get things sorted out, and I need some
> structure help.
>
> We have external facing web sites called company.com and company2.com.
> These live on a web cluster. They are registered and hosted names
> externally so they are resolved for outside people. They also are in
> the Forward Lookup Zones of the internal server - and they have an A
> record etc. for each.
>
> We also have a testing environment testcompany.com and
> testcompany2.com. This is a staging environment that will turn into a
> live one.
>
> My questions are: What considerations do I need to remove the
> internal entries so that all requests for externally facing sites
> from the inside - will be resolved by external DNS servers?

This depends on your firewall. Most firewalls and NAT devices do not allow
incoming connections on the public address from within the local network;
this is seen as a spoofed connection and is rejected.
Internal clients should not access external DNS servers for resources on the
local network. They need to access these local sites by their private
address.

> Such as
> firewalls blocking requests from inside that resolve back to
> internal?

This is just what I was referring to, your internal clients need to get
resolution for local sites from internal DNS servers.

> How do I configure the Primary (and a secondary too) DNS
> servers to query my ISP's browsing DNS server for each unknown
> request?

By using a Forwarder. Keep in mind, DNS will not forward requests for names
it is Authoritative for; IOW, if you have a local zone for domain.com, DNS
will not forward requests for any name under domain.com to an external DNS
server.

> What ports do I have to allow open for this?

Your firewall should already allow outgoing requests on 53 TCP & UDP. In
fact, many firewalls support being a DNS proxy. That entails internal DNS
servers using the Firewall's address as their forwarder; in turn the firewall
forwards on to external DNS servers.

> Is there even
> a problem with overlapping DNS from internal to external?

Yes, if you have internal domains, DNS will not forward requests for names in
that domain. You need to add records to the internal domain to resolve names
it does not have records for.


> Are there better advantages to having internal DNS for web sites that
> live internally but face externally?

For any internally hosted site, you should have that name resolved by local
DNS servers.

> Example, our firewall does our NAT and we want to setup a new site to
> an IP we already have pointed from our ISP to our firewall. I make
> the change. The DNS entry gets changed on our hosters side too - but
> internally, I don't want to make any changes. I want all requests to
> query external DNS so we can mimic what external users are having to
> do? This does seem cost prohibitive though..

If the site is hosted internally, it is likely that you cannot access the
site from a local client by its public address. You need a local DNS server
to resolve these names. You may not want the local DNS server to resolve all
names in the domain name to the local address.
For example, suppose you host only a website named www.domain.com locally, but
the rest of the hosts in domain.com reside externally and are resolved by an
externally hosted DNS server. The way you work around this, so that your DNS
server only resolves the www.domain.com name to the local address and all
other requests in domain.com are forwarded to external DNS servers for
resolution, is to create a forward lookup zone named www.domain.com, then add
a new host record leaving the name field blank, then give it the local IP of
the web server.
--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
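The two pieces of the reply that people most often get wrong in practice are the forwarder (the server must not be authoritative for the public domain, or nothing under it is ever forwarded) and the single-host split-horizon zone (a zone named after the host, with a blank-name record at its apex). The following is an added example, not part of Kevin's post, showing both steps with the DnsServer PowerShell module on Windows Server 2012 or later. Every address and name in it is an assumed placeholder: 203.0.113.1 and 203.0.113.2 stand for the ISP's resolvers (or the firewall's address, if the firewall is acting as DNS proxy), 10.0.0.5 for the private address of the internally hosted web server, and domain.com for the externally hosted public domain.

```powershell
# Added example (not from the original post): configure the internal Windows DNS
# server the way the reply describes, using the DnsServer PowerShell module.
# All addresses and names below are assumed placeholders:
#   203.0.113.1 / 203.0.113.2 - ISP resolvers, or the firewall if it is a DNS proxy
#   10.0.0.5                  - private address of the internally hosted web server
#   domain.com                - the externally hosted public domain
# Run in an elevated PowerShell session on the internal DNS server.

Import-Module DnsServer

# 1. Forwarders: every query for a name this server is NOT authoritative for is
#    sent to these resolvers over 53/TCP and 53/UDP. Disabling root hints makes
#    the server depend on the forwarders only, which is what you want behind a
#    firewall that only permits outbound DNS to a known set of resolvers.
Set-DnsServerForwarder -IPAddress 203.0.113.1, 203.0.113.2 -UseRootHint $false

# 2. Split-horizon entry for ONE host. Do not create a zone for domain.com:
#    the server would then be authoritative for the whole domain and would
#    answer (or NXDOMAIN) every other name under it instead of forwarding.
#    Instead, the zone name is the host name itself, and the address lives in a
#    record with a blank name at the zone apex ("@" in PowerShell).
Add-DnsServerPrimaryZone -Name "www.domain.com" -ZoneFile "www.domain.com.dns"
Add-DnsServerResourceRecordA -ZoneName "www.domain.com" -Name "@" -IPv4Address "10.0.0.5"

# 3. Verify the split from the server itself: www.domain.com must come back
#    with the private address from the local zone, while any other name under
#    domain.com should still be answered through the forwarders.
Resolve-DnsName -Name "www.domain.com"  -Server 127.0.0.1 -Type A
Resolve-DnsName -Name "mail.domain.com" -Server 127.0.0.1 -Type A

# 4. Sanity check: make sure nobody has created a zone for the bare public
#    domain, which would silently break the forwarding described in step 1.
Get-DnsServerZone |
    Where-Object { $_.ZoneName -like "*domain.com" } |
    Select-Object ZoneName, ZoneType, IsAutoCreated
```

On a domain controller you would normally make the zone Active Directory-integrated so the secondary DC picks it up automatically; in that case replace `-ZoneFile "www.domain.com.dns"` with `-ReplicationScope "Domain"` on the `Add-DnsServerPrimaryZone` line. The same idea applies to the staging names (testcompany.com): as long as the internal server holds a zone for a whole domain, it will never forward any name in that domain, so keep the internal zones limited to the hosts that genuinely live on the private network.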