Best practices for public DNS server

Guest

Is there a "best practices" or some type of configuration guide to setting up
w2k to be a public DNS server?

I get internal DNS servers. What I'm looking for is what to look out for,
or do differently with a DNS server that is exposed to the general internet
from a configuration standpoint.
 
Kevin D. Goodknecht Sr. [MVP]

Daved said:
Is there a "best practices" or some type of configuration
guide to setting up w2k to be a public DNS server?

I get internal DNS servers. What I'm looking for is what
to look out for, or do differently with a DNS server that
is exposed to the general internet from a configuration
standpoint.

If the DNS is strictly for authoritative use and does not require it to
resolve other names on the internet, disable recursion (Advanced
tab) (recommended).

UDP & TCP 53 open and forwarded to the DNS server's address.

Its zones must publish only publicly resolvable names for its NS and SOA
records and, of course, its host and CNAME records. MX records must point to
"A" host records (no CNAMEs).

All its records must publish only Public IP addresses.

There may be more, but these are the high points.
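The record rules above (no private addresses, MX targets must be A hosts rather than CNAMEs, in-zone NS and SOA names need an A record) can be checked before a zone is published. This is an added example, not code from the thread; the zone data is constructed and uses documentation addresses, and the non-public ranges are listed explicitly for that reason.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample zone (documentation addresses; not from the thread).
# Records are (owner, type, rdata). Two deliberate violations are marked.
SAMPLE_ZONE: List[Tuple[str, str, str]] = [
    ("example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 1 3600 900 604800 300"),
    ("example.test.", "NS", "ns1.example.test."),
    ("example.test.", "NS", "ns2.example.test."),
    ("ns1.example.test.", "A", "198.51.100.10"),
    ("ns2.example.test.", "A", "192.168.1.20"),        # private address: violation
    ("www.example.test.", "A", "198.51.100.80"),
    ("mail.example.test.", "CNAME", "www.example.test."),
    ("example.test.", "MX", "10 mail.example.test."),  # MX -> CNAME: violation
]

# Ranges that must never appear in a public zone (RFC 1918, loopback, link-local, "this" network).
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def audit_public_zone(records: List[Tuple[str, str, str]], apex: str) -> List[str]:
    """Check zone records against the rules in the thread; return a list of findings."""
    by_owner: Dict[str, List[Tuple[str, str]]] = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(owner.lower(), []).append((rtype, rdata))

    def types_of(name: str) -> set:
        return {t for t, _ in by_owner.get(name.lower(), [])}

    def in_zone(name: str) -> bool:
        return name.lower().endswith(apex.lower())

    findings: List[str] = []
    for owner, rtype, rdata in records:
        if rtype == "A":
            ip = ipaddress.ip_address(rdata)
            if any(ip in net for net in NON_PUBLIC):
                findings.append(f"{owner} A {rdata}: non-public address")
        elif rtype == "MX":
            target = rdata.split()[-1]          # rdata is "preference target"
            if "CNAME" in types_of(target):
                findings.append(f"{owner} MX -> {target}: target is a CNAME, must be an A record")
            elif in_zone(target) and "A" not in types_of(target):
                findings.append(f"{owner} MX -> {target}: no A record in zone")
        elif rtype in ("NS", "SOA"):
            server = rdata.split()[0]           # NS target, or the SOA primary server
            if in_zone(server) and "A" not in types_of(server):
                findings.append(f"{owner} {rtype} -> {server}: no A (glue) record in zone")
    return findings
```

Disabling recursion is a server setting rather than zone data, so it is not covered by this check.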
 
Herb Martin

Daved said:
Is there a "best practices" or some type of configuration guide to setting up
w2k to be a public DNS server?

The following SHOULD be a best practice for all but
the largest companies (in terms of Internet presence):

Leave your External DNS at the Registrar.
I get internal DNS servers. What I'm looking for is what to look out for,
or do differently with a DNS server that is exposed to the general internet
from a configuration standpoint.

Avoid all this by using someone like GoDaddy.com or Register.com

They have 24-7 staffs to maintain their fault tolerant
servers near the backbone and you already pay for
the DNS service when you register the name so it is
essentially free.

Run your own internal DNS, but let the registrar handle
your public zone DNS servers.
 
Guest

Herb Martin said:
The following SHOULD be a best practice for all but
the largest companies (in terms of Internet presence):

Leave your External DNS at the Registrar.


Avoid all this by using someone like GoDaddy.com or Register.com

They have 24-7 staffs to maintain their fault tolerant
servers near the backbone and you already pay for
the DNS service when you register the name so it is
essentially free.

Run your own internal DNS, but let the registrar handle
your public zone DNS servers.

I'll agree to a point, but this isn't for my companies main web site, it's
for a test domain, and it's a hassle to keep calling the ISP to make changes,
so I'm going to take control of it myself.

It's odd that MS wouldn't have something on the site. I can find plenty of
guides and articles for setting up internal DNS, but nothing specifically
on public DNS.
 
Herb Martin

Avoid all this by using someone like GoDaddy.com or Register.com
I'll agree to a point, but this isn't for my companies main web site, it's
for a test domain, and it's a hassle to keep calling the ISP to make changes,
so I'm going to take control of it myself.

I NEVER indicated "ISP" but said specifically the Registrar.

And without going into detail I meant those Registrars which
provide a web interface where you can make the changes yourself.

Most (many) ISPs do not provide such services and you are
much more likely to switch ISPs than to need to switch
Registrars.

Put it at the Registrar. Not your Server nor the ISP.
It's odd that MS wouldn't have something on the site. I can find plenty of
guides and articles for setting up internal DNS, but nothing specifically
on public DNS.

It's not really an MS specific issue -- nor does it really affect
the domains etc.

Only the largest (in terms of Internet presence) companies
should even attempt their own DNS for external zones.

E.g., Microsoft (themselves), Amazon, LandsEnd and such.
 
Ryan Hanisco

Herb is right -- leaving this with the registrar is the best idea and I
can't think of any of them that do not allow you to change your records over
the web. Get this away from your ISP.

If you do decide to run your own...
1. Remember you MUST have two DNS servers which are usually dedicated to the
task
2. Tighten your firewall/routing rules to allow only DNS to these boxes
3. Do not run a web server or FTP server on these as the DoS risk is very
high.
4. Consider running BIND <gasp> on Linux/BSD <gasp>
5. If you have any doubts or feel that you don't have a full handle on the
risks you're exposing your organization to, don't do it. The pain of calling
your ISP is nothing compared to a DoS attack on your DNS servers or a domain
redirect.
 
Guest

If this is a Test site... will you actually have these on a DMZ with public
access?

If so, initially KISS (keep it very simple): use a primary w/ masters and
restrict others from pulling zones and updates.

Your firewall can protect you from most DoS against other services if you
can set your QoS and connections per host.

Then use http://www.dnsreport.com to query your public DNS servers. They
do a good job of detailing any issues and explaining what changes you need to
make.
 