Re: DNS design questions



"Travis Montgomery" <tmontgomery_removethis_@xxxxxxxx> wrote in message
news:OTo3h2CzGHA.4816@xxxxxxxxxxxxxxxxxxxxxxx
> Good Morning,
>
> We're currently at the beginning of an eDir to AD migration. We currently
> run DNS on linux. We've created our AD structure and enabled a DNS zone
> for our AD domain. Now we'd like to move our public DNS server to
> Windows.

That's perfectly fine technically but notice that it is a REALLY POOR
practice to use an INTERNAL DNS server (containing sensitive information
and generally a sensitive box itself) for EXTERNAL DNS.

> I'm debating whether or not to integrate our public DNS records with AD.
> I very much like the benefits of having DNS stored and replicated in AD
> however I'm concerned about exposing one of our DCs to the general public
> (this is a medium size college campus).

You should be; don't do this. Separate DNS for external and internal
DNS purposes -- this should MOST of the time be true even in Linux
(except that AD is much more likely to contain private info.)

Generally, all but the largest companies should put their PUBLIC DNS
BACK at the REGISTRAR.

> I was thinking about integrating DNS on our two Domain controllers then
> having one member server, totally dedicated to DNS, run a secondary copy
> of the zone and having it exposed to the internet.

Ok, but why would you wish to expose all of the private information
kept in a DNS zone supporting AD to the Internet?

Two main strategies are this:

1) Use an ENTIRELY different DNS zone for your internal domain

2) Use "shadow DNS" (aka "split DNS") with the same zone name
internally and externally on the two distinct (sets of) DNS
Server(s).

> As far as the "world" is concerned, this would be our primary DNS server.
> Would this work?

Yes, but it is a poor practice. (See above.)

> Is it overkill? Is there an issue with exposing one of our DCs to the
> internet for DNS services? If so, what is the best way to mitigate those
> risks?

And yes, you do NOT want to expose a DC to the Internet (at least
not one that runs your internal business -- there are limited exceptions
for those who actually use AD for external customer accounts etc. but
in those cases they would NOT mix the internal AD with the external
or customer AD.)

Put your DNS for public services back at the REGISTRAR where
it generally belongs.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

> Thanks,
>
> Travis
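An added check, not from the thread, for the "separate zone / shadow DNS" advice above: before a zone copy is handed to a public-facing server, scan it for AD service-location records and RFC 1918 addresses, which belong only in the internal copy. The zone text, names and addresses are constructed, and the marker-label list is an assumption.

```python
import ipaddress

# Constructed sample zone (RFC 1035 text format); placeholder names/addresses.
SAMPLE_ZONE = """\
$ORIGIN college.example.
@                    IN SOA  dc1.college.example. hostmaster.college.example. 1 3600 900 1209600 300
@                    IN NS   dc1.college.example.
www                  IN A    203.0.113.10
dc1                  IN A    10.1.2.3
_ldap._tcp           IN SRV  0 100 389 dc1.college.example.
_kerberos._tcp       IN SRV  0 100 88 dc1.college.example.
_ldap._tcp.dc._msdcs IN SRV  0 100 389 dc1.college.example.
gc._msdcs            IN A    10.1.2.3
"""

# Labels that only AD service location (LDAP/Kerberos/GC) puts in a zone; assumed list.
AD_MARKERS = {"_msdcs", "_ldap", "_kerberos", "_kpasswd", "_gc", "_sites"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Return (owner, rtype, rdata) tuples; skips comments and $ directives."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        parts = line.split()               # owner [ttl] [class] type rdata...
        owner, rest = parts[0], parts[1:]
        if rest and rest[0].isdigit():     # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        records.append((owner, rest[0].upper(), " ".join(rest[1:])))
    return records


def find_internal_leaks(text):
    """List (owner, rtype, reason) for records that belong only in the internal zone."""
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        # Any AD marker label anywhere in the owner name flags the record.
        if AD_MARKERS & set(owner.lower().split(".")):
            findings.append((owner, rtype, "AD service-location record"))
        # Private addresses are useless to the Internet and reveal internal layout.
        if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918):
            findings.append((owner, rtype, "RFC 1918 address"))
    return findings
```

Running `find_internal_leaks(SAMPLE_ZONE)` flags every DC-related record and leaves only the public web host untouched, which is the set the public copy should contain.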