Internal / External Hostname Resolution


Dana G.

My problem is basically regarding DNS precedence and the
possibility of implementing a sort of DNS proxy. I will
first give detail of my network layout. This is a very
small and simple network, comprised of one W2K server, and
one W2K professional client.

First off, I am using a DSL router to perform NAT
translation to my internal network. The DSL is configured
as a relay agent to forward DHCP requests to a Windows
2000 DHCP server at 192.168.1.1. For the W2K DHCP server,
the addresses are assigned from 192.168.1.2..192.168.1.253.
The NAT router (a physical DSL modem), or my gateway, is
using 192.168.1.254 as its internal address. For the DHCP
scope options stored on my W2K server, I have one router,
and 2 DNS servers set up. For the router, I entered the IP
192.168.1.254, or LAN address for my router. For the DNS
servers, I put 192.168.1.1 (the PDC with the DNS service
installed) and 206.141.192.60 for the DNS server. The
206.141.192.60 DNS server is owned by my ISP, and is not
on my internal network.

When I do an ipconfig /renew, then an ipconfig /all, both
DNS servers as well as the gateway are configured for the
device. Here's where things get kind of weird.
Obviously, the order in which you enter the DNS servers
makes a difference. If I put the DNS server for my PDC
(192.168.1.1) first, all internal UNC pathnames can be
resolved, i.e. if I go to run, and type \\nucleus, I can
see all of the shares hosted on nucleus. However, when I
go to use the Internet, hosts outside of my LAN cannot be
resolved, but they can still be pinged (I resolved the
address from another location). Now, if I go back into
the scope of the DHCP server and put my ISP's DNS server
first and the DNS server of my PDC second, then do
ipconfig /renew, the reverse happens; I can resolve hosts
outside my LAN, but not ones on the inside.

I thought that the whole reason for having the ability to
hold more than one DNS server in the scope properties was
to be able to say "hey, if you can't resolve the hostname
from this DNS server, try the next one". It seems that I
can only resolve either hosts on my internal network, or
hosts on the Internet; not both concurrently.

I am wondering if there is a sort of catch-all for the DNS
service to kind of say "if we can't resolve this from the
local host tables, we'll try asking another DNS server."
From what I can gather, and excuse my terminology, this
would be a "default forward lookup zone"; please let me
know if I am wrong here. Basically, I want the DNS server
on my W2K server to act as a DNS proxy to my ISP's DNS
server if the particular request cannot be resolved.

I know that something like this can be done by enabling
NAT translation or ICS, however I have some concerns
regarding this. Primarily, I do not want to give my W2K
server a real IP address (for security reasons). I would
much rather have the DSL router be performing the only NAT
translation on the network. Can you stack NAT
translations on top of each other? (i.e. have the W2K box
performing NAT on an internal IP mapped to a NAT-enabled
router?). I'm really stuck and would like any input
anybody could provide. Thanks in advance :)

Marina Roos

Make sure that your server NIC(s) have their DNS point to your server IP. In
the DNS server, on the Forwarding tab, you put the ISP DNS numbers.
Make sure you have options 003, 006 and 015 set in the DHCP server.

Marina
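The resolver behaviour both posts describe, as an added example that is not part of this thread: a small Python model in which the client moves to the next listed server only when the current one does not respond, so a negative answer from whichever server is listed first ends the lookup, while forwarding on the W2K DNS server answers both internal and Internet names. The zone contents, the `.lan` suffix and the 203.0.113.10 address are constructed for this example.

```python
"""Model of why a client-side DNS server list is not a fallback and why
server-side forwarding resolves both internal and Internet names.
Zone data, the .lan suffix and the resolver model are constructed."""

NXDOMAIN = "NXDOMAIN"            # negative answer: "this name does not exist"

# Constructed zone data. 'nucleus' is the server named in the thread.
INTERNAL_ZONE = {"nucleus.lan": "192.168.1.1"}
ISP_ZONE = {"www.example.com": "203.0.113.10"}   # TEST-NET-3 placeholder


def isp_server(name):
    """The ISP resolver (206.141.192.60): knows Internet names only."""
    return ISP_ZONE.get(name, NXDOMAIN)


def internal_server(name, forwarders=()):
    """DNS service on the W2K box (192.168.1.1). Authoritative for the
    internal zone; anything else is NXDOMAIN unless a forwarder is set,
    in which case the query is passed on and the reply relayed back."""
    if name in INTERNAL_ZONE:
        return INTERNAL_ZONE[name]
    for forwarder in forwarders:
        answer = forwarder(name)
        if answer != NXDOMAIN:
            return answer
    return NXDOMAIN


def client_resolve(name, server_list):
    """Windows-style stub resolver. It moves to the next server in the list
    only when the current one does not respond (modelled as None). Any real
    answer, including NXDOMAIN, ends the lookup: the list is not a fallback."""
    for server in server_list:
        answer = server(name)
        if answer is None:           # timeout -> try the next server
            continue
        return answer
    return NXDOMAIN


NAMES = ("nucleus.lan", "www.example.com")

def resolve_with_client_list():
    """Option 006 hands out both servers: only one side ever resolves."""
    return {n: client_resolve(n, [internal_server, isp_server]) for n in NAMES}

def resolve_with_forwarding():
    """Clients get only the W2K server; it forwards unknown names to the ISP."""
    fwd = lambda n: internal_server(n, forwarders=(isp_server,))
    return {n: client_resolve(n, [fwd]) for n in NAMES}
```

Swapping the order of the two servers in `resolve_with_client_list` flips which name fails, which is exactly the symptom reported in the question.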