
Changing IP address of DNS server

 
 
Satheesh Kiran
 
      2nd Apr 2004
Hi,

Due to security constraints I want to move public DNS server behind firewall, for this i have to change the ip address of Public DNS server to local LAN IP address (eg 10.0.0.x).

If i change the IP address is DNS going to work. what will be the DNS server entries which i should give in TCP/IP.
please let me know if i have to make any other changes in DNS.

Thanks in advance
Kiran


 
 
 
 
 
Kevin D. Goodknecht [MVP]
 
      2nd Apr 2004
In news:C02021DD-E744-4CD8-A13E-(E-Mail Removed),
Satheesh Kiran <(E-Mail Removed)> posted a question
Then Kevin replied below:
> Hi,
>
> Due to security constraints I want to move public DNS server behind
> firewall, for this i have to change the ip address of Public DNS
> server to local LAN IP address (eg 10.0.0.x).
>
> If i change the IP address is DNS going to work. what will be the
> DNS server entries which i should give in TCP/IP.
> please let me know if i have to make any other changes in DNS.
>
> Thanks in advance
> Kiran


As long as it is still going to be only a public DNS server, and it does not
host any Active Directory or DDNS zones the only thing you need to change on
the DNS server itself is its listener address on the interfaces tab.
You will also need to open holes in the firewall for TCP & UDP port 53 and
send incoming connections on those ports to the DNS server address.

As for the records in the server zones, nothing will change, it must still
publish the same data behind the firewall as it did in front of it. DNS is
not related to the IP address it listens on, it only publishes data to
computers based on the client's view of the root it is using.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your issue.
To respond directly to me remove the nospam. from my email.
==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================


 
 
Satheesh Kiran
 
      2nd Apr 2004
Thanks for the Reply

After changing the public IP to local lan IP, in the listen on column in DNS server properties should i point to the local LAN ip or should i still point to the same public IP which i was using earlier.

Please let me know whether i should use the local LAN ip or the public IP in the preferred DNS servers in TCP/IP properties window

Thanks in advance
Kiran




 
 
Ace Fekay [MVP]
 
      2nd Apr 2004
In news:FFC82054-7D1B-4DB3-82C4-(E-Mail Removed),
Satheesh Kiran <(E-Mail Removed)> posted their thoughts, then
I offered mine
> Thanks for the Reply
>
> After changing the public IP to local lan IP, in the listen on column
> in DNS server properties should i point to the local LAN ip or should
> i still point to the same public IP which i was using earlier.
>
> Please let me know whether i should use the local LAN ip or the
> public IP in the preferred DNS servers in TCP/IP properties window
>
> Thanks in advance
> Kiran
>



For the NIC address (TCPIP settings), you will now need to use the private
IP.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================


 
 
Kevin D. Goodknecht [MVP]
 
      2nd Apr 2004
In news:FFC82054-7D1B-4DB3-82C4-(E-Mail Removed),
Satheesh Kiran <(E-Mail Removed)> posted a question
Then Kevin replied below:
> Thanks for the Reply
>
> After changing the public IP to local lan IP, in the listen on column
> in DNS server properties should i point to the local LAN ip or should
> i still point to the same public IP which i was using earlier.
>
> Please let me know whether i should use the local LAN ip or the
> public IP in the preferred DNS servers in TCP/IP properties window
>

You didn't say any local machines were using this DNS server. This can
change things if you have any local sites and local machines using this DNS
server. Any site hosted by this DNS that has both local and public access is
going to be a problem.
Any site that is hosted locally behind the NAT device won't work with the
public address. You definitely don't want to put private records in a Public
Zone.
You can have a public DNS behind NAT as long as it does not resolve sites
and servers behind the same NAT device. For that you need two separate DNS
servers, one for the internal users and one for the external users.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your issue.
To respond directly to me remove the nospam. from my email.
==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================
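
Added example (not part of the original thread or any poster's code): a small audit for the point above that private records do not belong in a public zone. It scans simple one-record-per-line zone text and flags A/AAAA records in RFC 1918 and other non-public ranges; the zone contents, `example.com` names and addresses are constructed sample data.

```python
import ipaddress

# Ranges that should never be published in a zone served to Internet clients.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]
CLASSES = {"IN", "CH", "HS"}

# Constructed sample: a public zone with two internal addresses leaked into it.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@     IN SOA ns1.example.com. hostmaster.example.com. 2004040501 3600 600 604800 3600
@     IN NS  ns1.example.com.
@     IN MX  10 mail.example.com.
ns1   IN A   203.0.113.53    ; public address stays, even with the server behind NAT
mail  IN A   203.0.113.25
www   IN A   203.0.113.80
intra IN A   10.0.0.20       ; internal host that belongs on the internal DNS only
      IN A   192.168.1.20
"""

def parse_records(zone_text):
    """Yield (owner, type, rdata) from zone text with one record per line."""
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue                                  # blank line or $ORIGIN/$TTL
        fields = line.split()
        if not raw[0].isspace():                      # leading blank = reuse last owner
            owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)                             # skip optional TTL and class
        if len(fields) >= 2:
            yield owner, fields[0].upper(), " ".join(fields[1:])

def private_records(zone_text):
    """Return A/AAAA records whose address is in a non-public range."""
    hits = []
    for owner, rtype, rdata in parse_records(zone_text):
        if rtype not in ("A", "AAAA"):
            continue
        addr = ipaddress.ip_address(rdata)
        if any(addr.version == net.version and addr in net for net in NON_PUBLIC):
            hits.append((owner, rtype, rdata))
    return hits
```

The range list is explicit because Python's `ipaddress.is_private` also reports documentation ranges such as 203.0.113.0/24 as private.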


 
 
Satheesh Kiran
 
      5th Apr 2004

Thanks for the response

Here is my present setup

public DNS ----- Firewall ----- local domain (AD) & User Systems
xy.com xyhyd.com

The public DNS has our MX records & web site resolution addresses.

we have a local Domain (AD) and local DNS for LAN users.
The primary DNS is pointed to itself and secondary is pointed to Public DNS in TCP/IP properties.
In the enable forwarders i have public DNS server entry in it.
This is my local AD and DNS setup.

In the public DNS server, i have public IP assigned to this server and the primary DNS is pointing to itself in TCP/IP
In the enable forwarders i have ISP DNS server entries in it.

Because of security constraints i want to move public DNS inside firewall.
If i move public DNS inside firewall

1. What are the ports to be opened in firewall for DNS
2. what are the changes to be made in the public DNS server ( TCP/IP settings, Forwarders etc) if i am going to assign a local LAN ip for public DNS server
3. what are the changes to be made to local DNS server.

Hope this is clear

Thanks in advance
Satheesh Kiran










 
 
Ace Fekay [MVP]
 
      5th Apr 2004
In news:A29E50C4-BB60-4802-B816-(E-Mail Removed),
Satheesh Kiran <(E-Mail Removed)> posted their thoughts, then
I offered mine
> Thanks for the response
>
> Here is my present setup
>
> public DNS ----- Firewall ----- local domain (AD) & User Systems
> xy.com xyhyd.com
>
>
> The public DNS has our MX records & web site resolution addresses.
>
> we have a local Domain (AD) and local DNS for LAN users.
> The primary DNS is pointed to itself and secondary is pointed to
> Public DNS in TCP/IP properties.


When running your own DNS servers, especially with AD, you should NEVER use
an ISP's or any other DNS server that doesn't host your data. Point to
yourself only and let forwarding handle it.

> In the enable forwarders i have public DNS server entry in it.


That's the only place any public/ISP DNS should be, in forwarding.

> This is my local AD and DNS setup.
>
> In the public DNS server, i have public IP assigned to this server
> and the primary DNS is pointing to itself in TCP/IP
> In the enable forwarders i have ISP DNS server entries in it.
>
>
> Because of security constraints i want to move public DNS inside
> firewall.
> If i move public DNS inside firewall
>
> 1. What are the ports to be opened in firewall for DNS


TCP/UDP 53. With NAT, you need to create a port-remap for these ports to the
internal private IP.


> 2. what are the changes to be made in the public DNS server ( TCP/IP
> settings, Forwarders etc) if i am going to assign a local LAN ip for
> public DNS server


Yes, you will assign a private IP. In the nameservers tab, ensure the public
IP remains. Do not change any public IP data for your hosts, since I'm
assuming you are not changing your servers sitting on the public side.


> 3. what are the changes to be made to local DNS server.


See #2





--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================


 