DNS client setting in the DNS servers behind firewall

Joe

I have pri & sec DNS w/o AD & not DC, just the standalone servers.

1. In their NICs, for pri & alternate DNS setting...do I have to use:

pri: Primary DNS IP
alternate: Secondary DNS IP
for PRI & SEC DNS servers?

Or something else?

2. Another thing: these DNS servers are behind a firewall, so there are NAT/internal IPs &
public IPs.
Which one do I have to use in the pri & alternate DNS setting (in TCP/IP
properties)??

3. If, let's say, both of the DNS servers are dual homed, so the pri & alternate DNS
setting (in TCP/IP properties) is:

Internal NIC:
- Pri: LAN/internal NIC IP (public IP)
- Alternate: empty

External NIC:
- Pri: LAN/internal NIC IP (public IP)
- Alternate: empty
with forwarder to ISP DNS IP

is that correct?

Please correct me if I am wrong.

Rgds,
John
 
Kevin D. Goodknecht Sr. [MVP]

Joe said:
I have pri & sec DNS w/o AD & not DC just the standalone
servers.

1. In their NICs, for pri & alternate DNS setting...do I
have to use:

pri: Primary DNS IP
alternate: Secondary DNS IP
for PRI & SEC DNS servers?

Or something else?

It makes no difference if Dynamic DNS is not being used.

2. Another thing: these DNS servers are behind a firewall, so there are
NAT/internal IPs & public IPs.
Which one do I have to use in the pri & alternate DNS
setting (in TCP/IP properties)??

Are the DNS servers you are referring to hosting Public zones for public
domains?
If they are and you are behind NAT you cannot use either of these DNS
servers for your local Network DNS resolution because being behind NAT all
your servers will need to be accessed by their private IP addresses.
3. If, let's say, both of the DNS servers are dual homed, so the pri
& alternate DNS setting (in TCP/IP properties) is:

As long as AD is not in use and Dynamic DNS is not in use, multi-homing has
no effect, but as I said, if these two DNS servers are for public use they
won't resolve local machines. You need a third DNS server for local
resolution.

You could make one DNS server for local resolution and the other for public
resolution, in that case, all your local machines must point to the DNS
server that has the records for the local network, and NAT incoming DNS
requests to the DNS server that has the public records. Do not attempt to
make MS DNS act as dual role resolving both internal names and public names
on the same DNS server. If you publish private records in a public zone DNS
resolution will be inconsistent, at best.
 
Joe

Oh ya.... do I need to fill in "DNS suffix for this connection"?
How about "register this...." & "use the connection..."?
Do I also have to set the same settings for both of the NICs (dual homed DNS)?

Joe
 
Joe

Kevin D. Goodknecht Sr. said:

It makes no difference if Dynamic DNS is not being used.

My point is do I have to put just
pri: Primary DNS IP
alternate: Secondary DNS IP
OR
pri: Primary DNS IP
alternate: blank
OR
it doesn't matter

As per #2
So should the IP address I put in be the private IP or the public IP of the DNS
server itself? Do both pri & alternate need to be filled in?
Are the DNS servers you are referring to hosting Public zones for public
domains?
Yes, these servers are just for public domains only, not local queries.
If they are and you are behind NAT you cannot use either of these DNS
servers for your local Network DNS resolution because being behind NAT all
your servers will need to be accessed by their private IP addresses.

4. For the other servers in our server farm which host the websites for the
domains that have zone files in these pri & sec DNS servers, the DNS client setting
needs to use the ISP DNS, not our pri & sec DNS, then, is that correct?
Or is it ok if we use the public IP of these DNS servers??
 
Kevin D. Goodknecht Sr. [MVP]

Joe said:
Oh ya.... do I need to fill in "DNS suffix for this
connection"?
How about "register this...." & "use the connection..."?
Do I also have to set the same settings for both of the NICs
(dual homed DNS)?

You would need to clarify the use of the DNS servers.
Are the zones for public zones for public users?
or
Are the zones for internal users resolving local resources?
 
Kevin D. Goodknecht Sr. [MVP]

Joe said:

My point is do I have to put just
pri: Primary DNS IP
alternate: Secondary DNS IP
OR
pri: Primary DNS IP
alternate: blank
OR
it doesn't matter

It does not matter as long as the DNS server is for the local network.
As per #2
So should the IP address I put in be the private IP or the
public IP of the DNS server itself? Do both pri &
alternate need to be filled in?

Use the Private IP in the NIC.

4. For the other servers in our server farm which host
the websites for the domains that have zone files in
these pri & sec DNS servers, the DNS client setting needs to use
the ISP DNS, not our pri & sec DNS, then, is that correct?
Or is it ok if we use the public IP of these DNS servers??

I think you are confusing the issue; the issue is, are your DNS servers for
use as authoritative zones for public domains?
All the machines in your "farm" must use a local DNS server in their NICs
that has zones publishing private records so the machines can "talk" to
each other. These machines will not be able to communicate with each other
or access the sites on them using DNS data that is intended for public use.
IOW, they cannot communicate using the public IP addresses; the machines
themselves can only use local addresses.
 
Joe

Zone public for public user

Joe


Kevin D. Goodknecht Sr. said:

You would need to clarify, the use of the DNS servers.
Are the zones for public zones for public users?
or
Are the zones for internal users resolving local resources?
 
Kevin D. Goodknecht Sr. [MVP]

Joe said:
Zone public for public user

Thank you for clarifying that. You should not use the public DNS servers in
the NIC of any machine on the local network. The zones on the public servers
are fine if you're outside on the internet, but they are useless for the
machines on the local network, which can't use the data in them because the
IP addresses are public IP addresses, unless you actually have the public
addresses on the machines.
You need at least one DNS server for these machines to use for DNS that _no_
public user has access to. That DNS server must publish IP addresses the
machines can use to communicate with.
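The following is an added illustration, not code from the thread or from either poster, of the point Kevin makes in this reply and in the earlier one about the server farm: records in a public zone carry public IP addresses, and a machine behind the NAT firewall cannot use them to reach its neighbours, so its NIC must point at a local DNS server that publishes private addresses. The zone data, the 10.0.0.0/24 LAN, the 203.0.113.0/24 and 198.51.100.0/24 addresses (RFC 5737 documentation ranges standing in for real public addresses) and the assumption that the firewall does no hairpin NAT are all constructed for the example.

```python
# Added example (not from the thread): a small model of why a public-zone DNS
# server is useless as the resolver for machines behind a NAT firewall, plus
# a check of the resolver addresses configured in a NIC.
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample data. 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges standing in for real public addresses; 10.0.0.0/24 is
# the hypothetical LAN behind the firewall.
PUBLIC_ZONE: Dict[str, str] = {     # records the public (authoritative) servers publish
    "www.example.com.": "203.0.113.10",
    "mail.example.com.": "203.0.113.11",
}
INTERNAL_ZONE: Dict[str, str] = {   # records a separate local-only DNS server publishes
    "www.example.com.": "10.0.0.10",
    "mail.example.com.": "10.0.0.11",
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """RFC 1918 check done explicitly: ipaddress.is_private also flags the
    documentation ranges used above, which would confuse this example."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def resolve(zone: Dict[str, str], name: str) -> Optional[str]:
    """Authoritative lookup of an A record; normalises to a lower-case FQDN."""
    fqdn = name.lower() if name.endswith(".") else name.lower() + "."
    return zone.get(fqdn)


def reachable(client: str, target: str, hairpin_nat: bool = False) -> bool:
    """Assumption: the LAN sits behind a NAT firewall without hairpin (loopback)
    NAT, so a LAN host cannot connect to the firewall's own public addresses."""
    own_public = {ip_address(a) for a in PUBLIC_ZONE.values()}
    if is_private(client):                 # client is inside the LAN
        if is_private(target):
            return True                    # private to private: direct on the LAN
        return hairpin_nat or ip_address(target) not in own_public
    return not is_private(target)          # outside users cannot route to 10.x


def lookup(client: str, resolver_zone: Dict[str, str],
           name: str) -> Tuple[Optional[str], bool]:
    """What the client gets back from the resolver its NIC points at, and
    whether it can actually connect to that address."""
    answer = resolve(resolver_zone, name)
    if answer is None:
        return None, False
    return answer, reachable(client, answer)


def audit_nic_resolvers(servers: List[str]) -> List[str]:
    """Return the NIC resolver entries that are public addresses; those should
    be replaced by the private address of a local DNS server."""
    return [s for s in servers if not is_private(s)]


if __name__ == "__main__":
    farm_host = "10.0.0.20"                 # a web server in the farm
    print(lookup(farm_host, PUBLIC_ZONE, "www.example.com"))      # public IP, unreachable
    print(lookup(farm_host, INTERNAL_ZONE, "www.example.com"))    # private IP, reachable
    print(lookup("198.51.100.5", PUBLIC_ZONE, "www.example.com"))  # outside user: fine
    print(audit_nic_resolvers(["10.0.0.2", "203.0.113.2"]))       # ['203.0.113.2']
```

Running it shows the farm host getting a correct but unusable answer from the public zone and a usable one from the internal zone, while an outside user is served correctly by the public zone; `audit_nic_resolvers` is the kind of check to run against each server's TCP/IP properties to catch a NIC still pointing at a public DNS address.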
 
Joe

No, the pri DNS server is used for hosting public domains, but
originally this server had dual NICs (the other one to 'bridge'/connect to
another network, because originally this server had VPN installed, even now).
The sec DNS server is used for hosting public domains also, but
originally this server had dual NICs (the other one to 'bridge'/connect to
another network, because this server is also used for backing up all the servers
in a different network, even now).
Probably not too good a design, but no choice because no server is available,
except the VPN server moves to the Backup server (sec DNS, dual NIC), so the pri
DNS will have a single NIC.

Joe

 
Ace Fekay [MVP]

Joe said:
No, the pri DNS server is used for hosting public domains, but
originally this server had dual NICs (the other one to
'bridge'/connect to another network, because originally this server had VPN
installed, even now).
The sec DNS server is used for hosting public domains also, but
originally this server had dual NICs (the other one to
'bridge'/connect to another network, because this server is also used
for backing up all the servers in a different network, even now).
Probably not too good a design, but no choice because no server is
available, except the VPN server moves to the Backup server (sec DNS, dual
NIC), so the pri DNS will have a single NIC.

Joe


I see. Well, sometimes it's easier to have a clean and streamlined design.
When going against the grain, especially on a DC/DNS server, it complicates
it and makes it a bit difficult to tech support it. I usually recommend using
a plain old member server for this. I can understand if there is politics
involved, even though politics has no room in a technical environment.

Cheers!
:)

Ace
 