Re: Bringing DNS In-house
- From: Paul Bergson [MVP-DS] <pbbergs@xxxxxxxxxxxxxx>
- Date: Thu, 6 Nov 2008 13:43:39 +0000 (UTC)
Hello K,
I would handle all of your internal DNS resolutions internally and forward those addresses that you can't resolve to your ISP. We have an Exchange geo-cluster internally where the TTL is 5 minutes and we are looking at possibly shortening that. It is a good practice to forward all requests to your ISP, thereby having the ISP do all the lookup work and not exposing your internal IP addresses.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
I may have not written my OP very well. I am talking about failover
on the internet feed not the hardware. Hardware is already covered.
For failover I have 2 separate internet feeds with 2 separate
suppliers. As a result each has different IP address ranges. This
means that when one fails, the A records pointing to my servers will
no longer be valid. That means I need to update the A records at the
ISP (as we use their name servers for our domain name). Their TTL is
4 hours, so DNS servers worldwide will cache this; I am looking at a
potential 8 hour change time.
If I bring the DNS in house, I can set a short TTL (our ISP will not
change this on their servers), and either perform a manual A record
change or run a script to do so when the primary internet link fails.
With a short TTL the DNS servers around the world who cached our
records will update quicker and therefore I can reduce the time before
requests go via the backup net link.
Hope this makes more sense in the context of my OP.
I think you need to re-analyze the situation.
I don't think what you are blaming is the problem
I don't think your solution is the solution
And I don't think DNS should have anything to do with your
"failover".
When the ISP adds a record it is there as soon as the mouse goes
"click". The time lag comes from other DNS Servers out in
"internet-land" because they cache the resolutions and they don't
"ask" your ISP again until their TTL runs out. There is nothing your
ISP (or you) can do about that.
Failover with servers is done through server clustering (such as
Windows NLB). You are supposed to use the NLB virtual IP# in DNS and
not the IP# of any specific machine, then it only needs one machine
to still be alive for the Cluster to respond to a request.
I am looking to move the DNS name servers for our registered domain
name in-house away from our ISP as we are doing some resilience work
and the ISP cannot give me a better TTL than 4 hours, which is not
conducive to good failover (potential 8 hour update depending on
when we register change).
I have 2 servers in my DMZ (Server 2003 SP2) which I have installed
DNS on and have created a primary zone named domainname.com on one
and a secondary zone named domainname.com on the other with
transfers between them.
Do I need to set forwarders on these DNS servers to our ISP DNS
servers? Why or why not?
Also, when I populate this DNS with records, for example one of my
web servers in the DMZ, do I populate with the private address of
the server or the public address?
I assume the public addresses so that they are the ones handed out
in requests. But if this is the case, do I also need a CNAME for
the private address?
Apologies if these are basic questions but I have only ever worked
with DNS on private networks where resolution was internal only.
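As an added illustration of the public-versus-private question in the original post and of Paul's point about not exposing internal addresses, here is a small audit script that is not part of this thread or of any of the posters' configurations. It models the two zones a split-horizon setup would hold (the DMZ servers answer the internet with public addresses; the internal servers answer staff with private ones) and checks that nothing in the external zone points at an RFC 1918, loopback or link-local address. The zone name example.com, the record set and the 203.0.113.0/24 "public" addresses (an IANA documentation range standing in for real public space) are all constructed for the example.

```python
"""Split-horizon zone audit (constructed example, not from the thread).

A public-facing zone served from the DMZ should only ever hand out
public addresses; the private addresses of the same hosts belong in
the internal zone that internal DNS servers answer from.
"""
import ipaddress
from dataclasses import dataclass

# Address space that must never appear in a zone the internet can query.
# RFC 1918 is checked explicitly rather than via ipaddress.is_private,
# because is_private also flags the documentation ranges used below.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 equivalents
)]


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str
    ttl: int  # seconds; short values shorten the failover window


def is_private_target(value: str) -> bool:
    """True if value is an IP literal inside a non-public range."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:          # CNAME/MX targets are names, not addresses
        return False
    return any(addr in net for net in NON_PUBLIC)


def find_leaks(zone):
    """Return the A/AAAA records that would expose internal addressing."""
    return [r for r in zone if r.rtype in ("A", "AAAA") and is_private_target(r.value)]


def split_views(host: str, public_ip: str, private_ip: str, ttl: int = 300):
    """Build the pair of records for one DMZ host: public address in the
    external zone, private address in the internal zone (no CNAME needed)."""
    external = Record(host, "A", public_ip, ttl)
    internal = Record(host, "A", private_ip, ttl)
    return external, internal


# Constructed sample of what the DMZ-hosted external zone might contain.
EXTERNAL_ZONE = [
    Record("www.example.com.", "A", "203.0.113.10", 300),
    Record("mail.example.com.", "A", "203.0.113.25", 300),
    Record("example.com.", "MX", "mail.example.com.", 300),
    Record("intranet.example.com.", "A", "10.0.5.20", 300),  # the leak
]

if __name__ == "__main__":
    for leak in find_leaks(EXTERNAL_ZONE):
        print(f"LEAK: {leak.name} {leak.rtype} {leak.value}")
    ext, internal = split_views("www.example.com.", "203.0.113.10", "10.0.5.10")
    print("external zone gets:", ext)
    print("internal zone gets:", internal)
```

Run it against a zone export before the DMZ servers go live; any line printed as LEAK is a record that belongs in the internal zone, not the public one.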