Re: DNS design questions


"Travis Montgomery" <tmontgomery_removethis_@xxxxxxxx> wrote in message
news:Ojb3zPEzGHA.4452@xxxxxxxxxxxxxxxxxxxxxxx
Sorry, I think we're on the same page. I do have an entirely separate
zone for our public DNS. I'd like our internal servers to have a copy of
it

That is perfectly reasonable. Merely make the internal DNS
server a "Secondary" to the external server(s).

(preferably in AD if possible).

That makes the AD-DNS (effectively) the Primary, or "Master"
of the zone. There is nothing particularly wrong with this, but
what is the advantage? (Hint: There is almost none if any.)

My thinking was that I'd have a dedicated flat file DNS server that pulls
the public zone off the DC as a secondary copy. This server would only
have a copy of the public zone and would be the only one exposed to the
internet (sorry I didn't make that clear in my post). So, do I have that
right or am I still missing something?

That will work, but you are still not considering just putting the
public zone back at the Registrar where it most effectively belongs
for most companies.

With the way caching works, there is almost no advantage to
having the external zone in AD on your internal servers -- and for
no advantage you have to do the extra setup including letting
(vulnerable) external servers maintain contact with internal
(sensitive) DCs.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


thanks,

Travis

Herb Martin wrote:
"Travis Montgomery" <tmontgomery_removethis_@xxxxxxxx> wrote in message
news:OTo3h2CzGHA.4816@xxxxxxxxxxxxxxxxxxxxxxx
Good Morning,

We're currently at the beginning of an eDir to AD migration. We
currently run DNS on linux. We've created our AD structure and enabled
a DNS zone for our AD domain. Now we'd like to move our public DNS
server to Windows.

That's perfectly fine technically but notice that it is a REALLY POOR
practice to use an INTERNAL DNS server (containing sensitive information
and generally a sensitive box itself) for EXTERNAL DNS.

I'm debating whether or not to integrate our public DNS records with AD.
I very much like the benefits of having DNS stored and replicated in AD
however I'm concerned about exposing one of our DCs to the general
public (this is a medium size college campus).

You should be; don't do this. Separate DNS for external and internal
DNS purposes -- this should MOST of the time be true even in Linux
(except that AD is much more likely to contain private info.)

Generally, all but the largest companies should put their PUBLIC DNS
BACK at the REGISTRAR.

I was thinking about integrating DNS on our two Domain controllers then
having one member server, totally dedicated to DNS, run a secondary copy
of the zone and having it exposed to the internet.

Ok, but why would you wish to expose all of the private information
kept in a DNS zone supporting AD to the Internet?

Two main strategies are these:

1) Use an ENTIRELY different DNS zone for your internal domain

2) Use "shadow DNS" (aka "split DNS") with the same zone name
internally and externally on the two distinct (sets of) DNS
Server(s).

As far as the "world" is concerned, this would be our primary DNS
server. Would this work?

Yes, but it is a poor practice. (See above.)

Is it overkill? Is there an issue with exposing one of our DCs to the
internet for DNS services? If so, what is the best way to mitigate
those risks?

And yes, you do NOT want to expose a DC to the Internet (at least
not one that runs your internal business -- there are limited exceptions
for those who actually use AD for external customer accounts etc. but
in those cases they would NOT mix the internal AD with the external
or customer AD.)

Put your DNS for public services back at the REGISTRAR where
it generally belongs.
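Whichever of the two strategies above is used, the zone handed to the Internet-facing secondary should carry only public records. The following is an added example, not code from this thread: a small zone-file audit that flags the AD service-location (SRV) records and RFC 1918 addresses Herb warns about leaking. The zone contents and the example.org names are constructed.

```python
import ipaddress
# Constructed sample zone (not from the thread): public records mixed with
# the AD SRV records and private addresses an internal zone carries.
SAMPLE_ZONE = """\
$ORIGIN example.org.
@                     IN SOA ns1.example.org. hostmaster.example.org. (1 3600 600 604800 300)
@                     IN NS  ns1.example.org.
www                   IN A   203.0.113.10
dc1                   IN A   10.1.2.3
_ldap._tcp.dc._msdcs  IN SRV 0 100 389 dc1.example.org.
_kerberos._tcp        IN SRV 0 100 88 dc1.example.org.
_gc._tcp              IN SRV 0 100 3268 dc1.example.org.
"""
# Service-location names AD registers so clients can find DCs.
AD_SRV_PREFIXES = ("_ldap.", "_kerberos.", "_kpasswd.", "_gc.")
# RFC 1918, link-local and IPv6 ULA ranges: never meaningful to the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "fc00::/7")]

def is_internal_ip(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def parse_zone(text):
    """Return (owner, type, rdata fields) per record; skips comments and $ directives."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if not fields or fields[0].startswith("$"):
            continue
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        records.append((owner, rest[0].upper(), rest[1:]))
    return records

def audit_external_zone(text):
    """List records that would leak internal structure if this zone were published."""
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "SRV" and (owner.startswith(AD_SRV_PREFIXES) or "_msdcs" in owner):
            findings.append((owner, rtype, "AD service-location record"))
        elif rtype in ("A", "AAAA") and rdata and is_internal_ip(rdata[0]):
            findings.append((owner, rtype, "internal address"))
    return findings
```

Run `audit_external_zone` over a zone dump before enabling transfers to the exposed server; an empty result is the expected state for a purely public zone.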

