Correct routing/DNS config for dual-homed 2000 svr


Niall Porter

Hi,

I'm at the end of my proverbial on this one. Can someone help?

SCENARIO:
We have a number of Win2k servers in a dual homed configuration
whereby one NIC connects to our LAN and the other to our DMZ for
serving FTP, web etc. We have two internal DNS machines and are
provided with addresses for two external DNS servers from our
connectivity provider.

I have set up the internal NICs to use the internal DNS servers and
the external NICs to use the external DNS. This seems to work fine
for a while (a day, few days, anything up to a couple of weeks) then
suddenly the machines cannot be reached from outwith our LAN.

However, and this is the bit that strikes me as weird, if I give the
external (DMZ connected) NICs the INTERNAL DNS addresses, they work
fine. Very odd, because our firewall won't let DNS through from the DMZ
to the LAN so these NICs should not be able to contact our internal
servers for name resolution at all.

Aside from that we've done nothing special with the network config (no
static routes, no RRAS service etc). Common sense tells me that
internal NICs should use internal DNS and external NICs use external
DNS, or does common sense not apply to Windows 2000 server (silly
question..)?
 

Chris Cowling

Niall,
the whole idea of having a DMZ is that the machines exist on a
separate subnet to your LAN. The fact you have multi-homed these machines
entirely defeats the object of having a DMZ.
Your DMZ servers should have one NIC that is connected to your firewall
(in a three-homed configuration) or a router/hub that is connected to your
two firewalls (back-to-back configuration). Your firewall(s) should then be
configured with appropriate IP routing and IP packet filtering to allow only
specified traffic in/out of your DMZ and LAN.

If you would like me to run you through this, reply to me and I will be happy
to help.

Kind Regards

Chris Cowling, MCP
 

Niall Porter

Hi Chris, thanks for your reply...

Chris Cowling said:
Niall,
the whole idea of having a DMZ is that the machines exist on a
separate subnet to your LAN. The fact you have multi-homed these machines
entirely defeats the object of having a DMZ.
Your DMZ servers should have one NIC that is connected to your firewall
(in a three-homed configuration) or a router/hub that is connected to your
two firewalls (back-to-back configuration). Your firewall(s) should then be
configured with appropriate IP routing and IP packet filtering to allow only
specified traffic in/out of your DMZ and LAN.

I appreciate having servers bridging the LAN and DMZ is not ideal, but
we simply don't have the resources to do it any other way.
Specifically, we have a requirement to run Outlook Web Access but to
have this on a separate server from the Exchange Server itself means
we'd need the Enterprise Edition of Exchange 2000 and two servers to
put it on. Doing this in 4 sites complicates matters.

Other companies must (I guess) also be forced into working this way.
It's really just help with the DNS I need. Why would DNS work for the
DMZ interfaces when they are configured to use the LAN DNS servers
when the firewall blocks DNS traffic between the LAN and the DMZ?

I can only guess that Windows is deciding to route the request not out
the DMZ interface but the LAN interface instead. Is there some way of
switching this off?

Thanks,
Niall
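The question Niall raises in his last post (whether the DNS query to a server listed on the DMZ adapter actually leaves through the LAN adapter) comes down to how a multi-homed host picks an egress interface: the resolver hands the query to the IP stack, and the stack chooses the interface by a longest-prefix route lookup on the DNS server's address, not by which adapter the server was typed into. The following is an added illustration, not code from the thread or from Windows; it simulates that route selection for a dual-homed host with a constructed routing table. All addresses (the 192.168.1.0/24 LAN, the 172.16.0.0/24 DMZ, the DNS server IPs) are assumptions, and the model ignores metrics beyond a simple tie-break.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for a dual-homed host with no static routes:
# two directly connected subnets plus a default route out of the DMZ side.
# (destination network, egress interface, metric) -- all values assumed.
ROUTES = [
    (ip_network("192.168.1.0/24"), "LAN NIC", 1),  # directly connected LAN
    (ip_network("172.16.0.0/24"), "DMZ NIC", 1),   # directly connected DMZ
    (ip_network("0.0.0.0/0"), "DMZ NIC", 1),       # default gateway on DMZ
]

# Assumed DNS server addresses: one internal, one from the provider.
INTERNAL_DNS = "192.168.1.10"
EXTERNAL_DNS = "203.0.113.53"  # documentation range, placeholder only


def select_interface(dst, routes=ROUTES):
    """Longest-prefix match over the routing table; lowest metric breaks ties.
    Returns the egress interface name, or None if nothing matches."""
    dst = ip_address(dst)
    matches = [(net, iface, metric) for net, iface, metric in routes if dst in net]
    if not matches:
        return None
    _, iface, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return iface


def query_egress(adapter_dns_config, routes=ROUTES):
    """Map each (adapter, dns_server) pair to the interface the query leaves on.
    The adapter the server was configured on does not enter the decision."""
    return {
        (adapter, server): select_interface(server, routes)
        for adapter, servers in adapter_dns_config.items()
        for server in servers
    }


def crosses_dmz_to_lan_firewall(adapter, server, routes=ROUTES):
    """True only if a query to `server` would actually transit DMZ -> LAN,
    i.e. leave on the DMZ NIC towards a LAN-side address. A query that egresses
    the LAN NIC directly never touches the firewall rule that blocks DNS from
    the DMZ, which is why such a configuration can appear to 'work'."""
    egress = select_interface(server, routes)
    server_on_lan = ip_address(server) in ip_network("192.168.1.0/24")
    return egress == "DMZ NIC" and server_on_lan


if __name__ == "__main__":
    config = {"LAN NIC": [INTERNAL_DNS], "DMZ NIC": [INTERNAL_DNS, EXTERNAL_DNS]}
    for (adapter, server), iface in query_egress(config).items():
        print(f"{adapter:8} -> DNS {server:15} leaves via {iface}")
```

Running it shows the internal DNS address leaving via the LAN NIC even when it was configured on the DMZ adapter, and the external address leaving via the DMZ NIC; the firewall check returns False for the internal server because the query never crosses the DMZ/LAN boundary at all. The practical check on a real host is the same: compare the resolver's server list against the routing table rather than assuming the per-adapter setting binds the query to that adapter.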
 
