"Hidden master" with Windows2000 DNS


Pekka

How can I configure Windows2000/3 DNS to be a "hidden master"? Is it
possible? (I know that one can do it w Bind)

br
pekka
 

Ace Fekay [MVP]

In
Pekka said:
How can I configure Windows2000/3 DNS to be a "hidden master"? Is it
possible? (I know that one can do it w Bind)

br
pekka

Since I don't use BIND, not sure what it does, but assuming it hides the IP
from anyone querying a Secondary? I know that feature is not available in
Windows DNS. But if it hides the Master IP, how would a registration request
be sent to the Primary if it can't find the MNAME? Not sure if that is
something of importance to you or not (required for AD DCs).

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Pekka

Sorry for not being more specific. Basic idea of "hidden master" is
clearly explained in:

http://www.inetdaemon.com/tutorials/internet/dns/hidden_master.html

In my intranet I have AD-integrated DNS, let's call it "company.net".
Besides that I have another zone, let's call it "company.com", where I have
public WWW etc. records. For record management etc. purposes the master is
in the company intranet and the slave is in the ISP's DNS server; for security reasons
the master is not allowed to be accessed from the Internet. Currently my
"company.com" hidden master is in a Bind (Unix) server, but as part of
server consolidation I would like to move it to one of the W2k DNS servers
(if possible).

Performance won't be a problem, but does W2k support this kind of
configuration?

Configuration-wise etc. it would not be too difficult to test in a lab
environment, but it takes several servers + firewall etc., so that it is
fairly laborious. Thus I'm asking for advice here.

Any idea?
Pekka
 

Kevin D. Goodknecht [MVP]

In
Pekka said:
How can I configure Windows2000/3 DNS to be a "hidden master"? Is it
possible? (I know that one can do it w Bind)

br
pekka

Yes it is possible.
1. Create your hidden master zone.
2. Make the zone expire at least 2 weeks or a month.
3. Create NS records only for the Secondary servers.
4. Allow zone transfers to the secondary DNS server IPs.
5. Use the notify button to the IP of the secondary servers to do a zone
transfer.
6. Create your secondary zones getting the data from the IP of the hidden
master.

If you don't use the notify feature or if the secondary servers don't
support notify, you will have to make the hidden master the Primary name
server on the SOA tab and create a host for the IP of the hidden master.
 

Ace Fekay [MVP]

In
Pekka said:
Sorry for not being more specific. Basic idea of "hidden master" is
clearly explained in:


http://www.inetdaemon.com/tutorials/internet/dns/hidden_master.html

In my intranet I have AD-integrated DNS, let's call it "company.net".
Besides that I have another zone, let's call it "company.com", where I
have public WWW etc. records. For record management etc. purposes the
master is in the company intranet and the slave is in the ISP's DNS server; for
security reasons the master is not allowed to be accessed from the
Internet. Currently my "company.com" hidden master is in a Bind
(Unix) server, but as part of server consolidation I would like to
move it to one of the W2k DNS servers (if possible).

Performance won't be a problem, but does W2k support this kind of
configuration?

Configuration-wise etc. it would not be too difficult to test in a lab
environment, but it takes several servers + firewall etc., so that it is
fairly laborious. Thus I'm asking for advice here.

Any idea?
Pekka

I see now what you're talking about. A hidden master is just a topology
design rather than a specific DNS setting. Yes Windows DNS supports this.
Just make the DMZ DNS server (protected from outside access) hold the
Primary zones and you would only allow zone transfers to the secondary that
will be accessed by the Internet. I usually do this myself in most cases,
just never knew it was called a "Hidden Master", even though the term does
describe it well.

No performance issues from what I see. Windows DNS can handle thousands and
thousands of zones...


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
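The six steps Kevin lists, and the "primary in the DMZ, transfers only to the public secondary" topology Ace describes, can be scripted with dnscmd (Windows 2000/2003 Support Tools) instead of clicked through in the DNS console. The script below is an added example written for this thread, not code posted by either of them; the host names and addresses (hidden.company.net at 198.51.100.10, ns1.isp.example at 192.0.2.53, the www address, the SOA serial) are constructed placeholders, and the dnscmd switches are assumed to be those of the Windows Server 2003 Support Tools version.

```batch
@echo off
REM Added example for the thread above (not the posters' own code).
REM Constructed names/addresses:
REM   hidden master    : hidden.company.net  at 198.51.100.10 (intranet, no inbound from the Internet)
REM   public secondary : ns1.isp.example     at 192.0.2.53   (the only server the world sees)
REM Steps 1-5 run on the hidden master; step 6 runs against the secondary.

REM 1. Create the hidden master zone as a standard (file-backed) primary.
dnscmd /ZoneAdd company.com /Primary /file company.com.dns

REM 2. Set the SOA with a long expire (30 days = 2592000 s), i.e. "at least 2 weeks or a month":
REM    if the hidden master is unreachable for a while, the ISP's secondary keeps answering.
REM    MNAME is the public secondary, so the hidden master's name appears nowhere in the zone.
REM    Fields: MNAME RNAME serial refresh retry expire minimum-TTL
dnscmd /RecordAdd company.com @ SOA ns1.isp.example. hostmaster.company.com. 2004011001 3600 600 2592000 3600

REM 3. NS records only for the secondary. Zone creation auto-adds an NS record for the
REM    local server, so delete that one: nobody should be delegated to the hidden master.
dnscmd /RecordAdd company.com @ NS ns1.isp.example.
dnscmd /RecordDelete company.com @ NS hidden.company.net. /f

REM 4 + 5. Allow zone transfers to the secondary's IP only, and send NOTIFY to that IP only.
dnscmd /ZoneResetSecondaries company.com /SecureList 192.0.2.53 /NotifyList 192.0.2.53

REM The public records are managed here, on the intranet, as usual.
dnscmd /RecordAdd company.com www A 192.0.2.80

REM Check: no NS record and no SOA MNAME may name the hidden master,
REM and the secure/notify lists must contain only 192.0.2.53.
dnscmd /ZonePrint company.com
dnscmd /ZoneInfo company.com

REM 6. On the ISP's secondary, pull the zone from the hidden master's IP (Windows DNS shown;
REM    a BIND slave zone with masters { 198.51.100.10; }; does the same). The firewall only needs
REM    TCP/UDP 53 from 192.0.2.53 to 198.51.100.10; everything else from the Internet stays blocked.
dnscmd ns1.isp.example /ZoneAdd company.com /Secondary 198.51.100.10
```

Kevin's last paragraph still applies: if the secondary cannot accept NOTIFY, the SOA MNAME in step 2 has to name the hidden master instead, together with an A record for it, and the master is then no longer fully hidden from anyone who reads the SOA. The ZonePrint output is the place to confirm which of the two cases you ended up with.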
 