(E-Mail Removed) wrote:
> We have Active Directory with 5000 users, and every Domain Controller
> is a DNS server as well. To allow resolving external DNS addresses
> there are two options:
>
> 1. Open outbound TCP/UDP 53 connections from the domain controllers
> toward the Internet.
>
> 2. Use intermediate forwarder DNS servers
It depends on how well you trust your intermediate forwarder.
Some firewalls also support being a DNS proxy; if that is the case, you could
use the firewall as the forwarder.
> 1. Pros and Cons for a direct connection
>
> + Simpler solution
> + No additional hardware/software required
> + No risk of hijacking external DNS resolution by a hacker
> 2. Pros and Cons for a connection via forwarder
The pro of using a forwarder is that it gets its responses directly back
from the forwarder, taking advantage of records that have been cached
on the forwarder.
The cons are pretty much covered in your statement below.
>
> Same points in reverse order.
>
> An additional con point for the forwarder - if someone takes control
> over the DNS forwarder (the ISP's one or our own forwarder) it is possible
> to hijack and manipulate all the external DNS requests, redirect
> traffic, sniff it etc. So, if I go with a forwarder, it would be
> necessary to put it into a separate DMZ that is not exposed to inbound
> connections.
>
> What would you recommend?
Keep as much authority as you can on the local DNS by using a delegated root
zone; the con to this is that it increases the administrative tasks of
keeping the delegated root updated.
It is possible to use a secondary delegated root zone getting a zone
transfer from the root servers themselves. IIRC, you can get a zone transfer
from any of them but the A root server.
Your DNS will have authority over that root, and get authoritative answers
from the TLD servers. Your DNS will build up its own cache of authoritative
NS records and your DNS will get its answers using the cached NS records.
Since the root servers and TLD servers don't support recursion, you will only
have to worry about getting bad answers from the authoritative servers for
the domain.
Someone would have to take control over the authoritative DNS servers for
the domain you are resolving because you have control over your own root
zone that uses its own delegations for TLDs it resolves.
294906 - How to Delegate All Internet Top-Level Domains on an Internal Root
DNS Server
http://support.microsoft.com/default...294906&sd=RMVP
--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
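The thread above weighs three resolution models for a DNS-hosting domain controller: direct iterative resolution from root hints, forwarding to an intermediate resolver, and an internal delegated root zone as described in KB 294906. The following PowerShell audit is an added example, not code from either poster, and it reports which of those models a given DC is actually running so the trust boundary (Internet root servers, a forwarder you must trust, or your own root delegations) is explicit. It assumes the DnsServer RSAT module is installed; the server name in `$DnsServer` is a placeholder.

```powershell
# Added example (not from the newsgroup post). Audits how a DNS-enabled domain
# controller resolves external names and which trust model it is using:
#   (a) direct: no forwarders, root hints only, iterative resolution via the Internet root
#   (b) forwarder: all external answers are trusted from the forwarder host(s)
#   (c) internal delegated root: a local "." zone with hand-maintained TLD delegations
# Requires the DnsServer module (RSAT). $DnsServer is a placeholder name.
param(
    [string]$DnsServer = 'dc1.corp.example'   # placeholder, not from the post
)

$findings = @()

# 1. Forwarders: if any are set, external resolution trusts those hosts, so a
#    compromised forwarder can answer for any external name (the poster's concern).
$fwd = Get-DnsServerForwarder -ComputerName $DnsServer
if ($fwd.IPAddress.Count -gt 0) {
    $findings += "Forwarders configured: $($fwd.IPAddress -join ', ') - external answers are trusted from these hosts"
    if ($fwd.UseRootHint) {
        # Fallback to root hints means outbound 53 to the Internet is still required
        $findings += "UseRootHint is enabled: root hints are used when forwarders fail, so outbound TCP/UDP 53 from the DC is still needed"
    }
} else {
    $findings += "No forwarders: the server resolves iteratively on its own"
}

# 2. Internal root zone: a locally hosted "." zone means the server never
#    consults the Internet root servers; only the domain's own authoritative
#    servers can hand back a bad answer, but the TLD delegations must be kept current.
$rootZone = Get-DnsServerZone -ComputerName $DnsServer -ErrorAction SilentlyContinue |
            Where-Object { $_.ZoneName -eq '.' }
if ($rootZone) {
    $delegations = @(Get-DnsServerZoneDelegation -ComputerName $DnsServer -Name '.')
    $findings += "Internal root zone present (type $($rootZone.ZoneType)) with $($delegations.Count) TLD delegation(s); verify these against the current root zone"
} else {
    $hints = @(Get-DnsServerRootHint -ComputerName $DnsServer)
    $findings += "No internal root zone; $($hints.Count) root hint(s) loaded - iterative resolution starts at the Internet root servers"
}

# 3. Recursion settings: SecureResponse is the "secure cache against pollution"
#    option; it discards additional records that are outside the queried domain's
#    delegation, which limits what a misbehaving authoritative server can plant in the cache.
$rec = Get-DnsServerRecursion -ComputerName $DnsServer
$findings += "Recursion enabled: $($rec.Enable); SecureResponse (secure cache against pollution): $($rec.SecureResponse)"

$findings | ForEach-Object { Write-Output $_ }
```

Run it as `.\Audit-DcDns.ps1 -DnsServer <dc name>` from a host with the DnsServer module; the script is read-only, so it can be run against every DC in the forest and the output diffed to catch a DC whose forwarder list or root delegations drifted from the rest.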