Re: Conditional recursive DNS - is it possible?


Vova Bazanov wrote:
> First, sorry for my bad English. I have a local network with an AD domain and
> internal AD-integrated DNS servers, and a DMZ network with Windows 2003
> servers working as the external SMTP server and as the DNS server for itself,
> the DMZ and the internal DNS (the internal DNS forwards all unresolved queries to
> the DMZ DNS). My external DNS zone is currently held by an external authority
> (ISP). I want to hold my external zone myself on my DMZ DNS servers.
> I know that I should disable recursion on external (Internet) DNS
> servers to prevent excessive traffic and possible attacks. However, I
> need recursion enabled on it for its own IP, all my DMZ IPs and the
> local network. Is there any way to conditionally enable/disable
> recursion on Windows Server 2003 DNS by request source IP, or any
> other means to maintain recursive and non-recursive DNS on the same
> server? I think that installing an additional DMZ server to work _only_
> as external DNS is too much/expensive for me :) Or do I want too much?

Your request is reasonable, but you won't be able to use the servers in the
DMZ as forwarders for the internal servers.

You didn't state what roles the servers in the DMZ were going to be as to
whether they were going to be standalone servers, members of the internal
domain, DCs in the internal domain, or DCs in their own domain.
I can tell you that they *cannot* be DCs in the internal domain because the
internal zones will then replicate to them.
Whatever you choose, in their TCP/IP properties, do not point them to
themselves for DNS; they should use the internal DCs for DNS, only. That
frees the DNS servers on them to host your external zones. If you don't use
them as forwarders, then you can disable recursion on them.

Even if you host your own zones, you should get an external DNS provider to host
secondary zones for you. E.g., I host many primary public zones, but I use a
major ISP that owns high-speed, high-bandwidth non-recursive DNS servers
that host secondary zones, at no charge, for me, which gives me the best of
both worlds.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
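As an added example (not from either poster), a small Python check an administrator can run from outside the DMZ against their own DNS server to confirm that recursion really is off: it sends one query with the RD bit set and reads the RA (recursion available) flag and RCODE back out of the response header. The server address and the name `example.com` are placeholders; the sample responses in the test are constructed, not captured.

```python
import socket
import struct

FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, qid=0x1234, rd=True):
    """Build a minimal DNS query (one question, class IN); RD asks for recursion."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_flags(response):
    """Decode the 12-byte DNS header of a response into its interesting flags."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    return {
        "id": qid,
        "qr": bool(flags & FLAG_QR),          # this is a response, not a query
        "aa": bool(flags & FLAG_AA),          # authoritative for the asked zone
        "rd": bool(flags & FLAG_RD),          # our RD bit echoed back
        "ra": bool(flags & FLAG_RA),          # server offers recursion to us
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
        "answers": an,
    }


def offers_recursion(response):
    """True if the server advertises recursion (RA) in this reply.

    A correctly locked-down Internet-facing server answers with RA clear, and for
    a name outside its zones typically returns REFUSED or an empty referral."""
    f = parse_flags(response)
    return f["qr"] and f["ra"]


def probe(server, name="example.com", timeout=3.0):
    """Send one recursive query over UDP/53 to `server` and return the parsed header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_flags(data)
```

Run `probe("<dmz-dns-ip>")` from a host on the Internet side and from an internal host; the former should show `ra: False`, the latter (if the server is still used as a forwarder) `ra: True`.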