AD DNS Design Problem

[Chris Wagner]

BACKGROUND

I have one root domain (local.net) and one child domain
(test.local.net). When I promoted the first domain controller in
the forest I allowed dcpromo to install DNS on the first DC in
the forest. It installed it as a root DNS server (there are no
root hints). Next I delegate the test.local.net zone to the first
domain controller for the test.local.net domain before I promoted
it to a domain controller. Each additional domain controller for
the test domain was added to the delegation. The root hints for
the test.local.net domain are the two forest root domain
controllers.

DESIGN CONCEPT

All domain controller in both domains are DNS server

All test domain controllers point to themselves for DNS
All DNS zones are AD integrated
There are four domain controller for the test domain: DC1, DC2,
DC3, DC4
DC2, DC3, and DC4 have recursion enabled and are set to forward
to DC1
DC1 (root DNS) is set to forward to an external non domain DNS
server (for internet name resolution)

PROBLEM

When I set DC1 to forward to the external DNS server replication
stops working. I receive DNS lookup errors. If I do an nslookup
on any of the domain controllers all the names resolve correctly.
It's like the DC's don't look to themselves first. Is this a
design flaw?

 

[Herb Martin]

It may be a design flaw but note that it is pretty unusual
to "forward to a DNS server in the same small namespace"
-- since everything is reachable through the "root hints"
hierarchy anyway.

Certainly in the general case this is done -- where an internal
DNS server forwards to the ISP's DNS but also does its OWN
recursion as a backup or safety measure.

On first inspection (based on your description) I cannnot find an
"infinite loop" or anything, unless DC1 is forwarding to DC1 (itself).
Don't do that. for sure.

What is the forwarding accomplishing (besides the problems you
indicate)?

 

[Chris Wagner]

Yes that is correct. Due to a lack of funds for a forward only DNS server (non
DC) that talks through the firewall to the external DNS server we made all
DC's forward to one DC which is allowed to talk to the external DNS server. We
did not want all DC's talking to an external DNS server for security reasons.
That is really one of my questions. Does this make sense? Should I just
forward all DC's to the external DNS server?

 

[Herb Martin]

Yes that is correct. Due to a lack of funds for a forward only DNS server
(non

DC) that talks through the firewall to the external DNS server we made all
DC's forward to one DC which is allowed to talk to the external DNS

server. We

You shouldn't let ANY OF THEM recurse on the Internet -- as they might
potentially need to visit and talk with EVERY machine on the net, including
BadHackers.Iq etc.

did not want all DC's talking to an external DNS server for security

reasons.

If one of them does, then you are already exposed. Put a DNS server or
relay on your firewall and point them ALL THERE.

That is really one of my questions. Does this make sense? Should I just
forward all DC's to the external DNS server?

Yes, or perhaps better forward them all to the Firewall/NAT server.
Most of the cheap firewall/NATs can do this anyway -- Win2000 RRAS
NAT server (or even ICS on a Workstation can.)

This is NOT expensive -- you can start from scratch and build a machine
for less than $400 (use an old essentially free one even); you either
forward
to the ISP or get ONE machine that is not your DC/"internal DNS" to do it
and forward THOSE to the single machine.

 

[Ace Fekay [MVP]]

In

You shouldn't let ANY OF THEM recurse on the Internet -- as they might
potentially need to visit and talk with EVERY machine on the net,
including BadHackers.Iq etc.


If one of them does, then you are already exposed. Put a DNS server
or relay on your firewall and point them ALL THERE.



Yes, or perhaps better forward them all to the Firewall/NAT server.
Most of the cheap firewall/NATs can do this anyway -- Win2000 RRAS
NAT server (or even ICS on a Workstation can.)

This is NOT expensive -- you can start from scratch and build a
machine
for less than $400 (use an old essentially free one even); you either
forward
to the ISP or get ONE machine that is not your DC/"internal DNS" to
do it and forward THOSE to the single machine.

Actually, I haven't had any problems forwarding individually to an ISP's DNS
server. I haven't seen any security problems as of yet with my 3 DNS
servers.

I'm also curious, since there all have forwarders, but the original post
said that the original DC1 created was a root server, was the root zone
deleted to allow you to create a forwarder?

I've seen issues when forwarding from one server to another within the same
domain when all the servers host the same zone name. I can see forwarding
from a child to the parent when there is a delegation, but this design is
just one domain. In this case, for the most part, we just forward
individually out.

Otherwise, as you said Herb, create another inexpensive server to forward to
that is forwarding to the ISP's.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Chris Wagner]

The two DNS server for the parent domain (empty placeholder domain) are root DNS
servers. DC1, DC2, DC3, and DC4 are in the child domain and are not root DNS
servers. There is no forwarding in the root domain. The basic idea was to allow
the child domain DNS servers to resolve all test.local.net request. Recrusion on
the child DNS servers is enabled to allow all local.net name resolution and
forwarding was setup to accomplish internet name resolution. Sorry for any
confusion.

I guess the best thing to do is acquire a forward only server and forward all
DC's to this forwarding server which forwards to the external DNS server. Thanks
for all the help Ace and Herb. If there is anything more that you want to add I
am listening.

 

[Herb Martin]

Actually, I haven't had any problems forwarding individually to an ISP's
DNS

server. I haven't seen any security problems as of yet with my 3 DNS
servers.

I agree but he embedded this idea as a "security requirement" in one of
is previous posts.

Some people can actually benefit more from the "Consolitdation" by
forwarding to a single point if they have a slow WAN line -- this
consolidates the cache of EXTERNAL ENTRIES on one machine.

I'm also curious, since there all have forwarders, but the original post
said that the original DC1 created was a root server, was the root zone
deleted to allow you to create a forwarder?

You know I thought I read that too -- and of course it cannot be a ROOT
and FORWARD at the same time because the MS gui disables the forwarding
tab in the case of being a Root.

 

[Ace Fekay [MVP]]

In

The two DNS server for the parent domain (empty placeholder domain)
are root DNS servers. DC1, DC2, DC3, and DC4 are in the child domain
and are not root DNS servers. There is no forwarding in the root
domain. The basic idea was to allow the child domain DNS servers to
resolve all test.local.net request. Recrusion on the child DNS
servers is enabled to allow all local.net name resolution and
forwarding was setup to accomplish internet name resolution. Sorry
for any confusion.

I guess the best thing to do is acquire a forward only server and
forward all DC's to this forwarding server which forwards to the
external DNS server. Thanks for all the help Ace and Herb. If there
is anything more that you want to add I am listening.

That sounds like the best bet if you're concerned with security. My actual
AD's DNS server (not accessible from the Internet) is actually forwarding to
my public servers, which have access to the Internet and Internet to them
thru my firewall.

Good luck!


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Ace Fekay [MVP]]

In

I agree but he embedded this idea as a "security requirement" in one
of
is previous posts.

Some people can actually benefit more from the "Consolitdation" by
forwarding to a single point if they have a slow WAN line -- this
consolidates the cache of EXTERNAL ENTRIES on one machine.

True, I even forward to my own public server, not necessarily for security,
but for less hop distance to recurse.But the benefit, of course, is
security.

You know I thought I read that too -- and of course it cannot be a
ROOT and FORWARD at the same time because the MS gui disables the
forwarding tab in the case of being a Root.

Yeah, wasn;'t sure about that, but his latest reply straightened that out.






--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory