Internet - Intranet DNS

Microsoft News

Hello,

This is my problem:

I want to set up the following DNS configuration:

1. One DNS (DNS1) to resolve Internet host names

2. Another DNS (DNS2) to resolve Intranet names

3. Clients with:

Preferred DNS Server: DNS1

Alternate DNS Server: DNS2

Then when a client tries to resolve an Internet host name it will be resolved by
DNS1; if the client tries to resolve an Intranet host name, and as DNS1 can't
resolve it, it will be resolved by DNS2.

I have set up this scenario but it does not work. Could someone help me?
 
Danny Sanders

Actually you might want to consider setting them both up as AD integrated
DNS.
See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;275278&Product=win2000

This will resolve everything on your AD domain.


For Internet access configure forwarders and list your ISP's DNS server as
the forwarder.
See:
How to: Configure DNS for Internet Access In Windows 2000

http://support.microsoft.com/default.aspx?scid=kb;en-us;300202



Everything it can't resolve will get forwarded to your ISP's DNS servers.





hth

DDS W 2k MVP MCSE
 
Kevin D. Goodknecht Sr. [MVP]

Microsoft News said:
> Hello,
>
> This is my problem:
>
> I want to set up the following DNS configuration:
>
> 1. One DNS (DNS1) to resolve Internet host names
>
> 2. Another DNS (DNS2) to resolve Intranet names
>
> 3. Clients with:
>
> Preferred DNS Server: DNS1
>
> Alternate DNS Server: DNS2
>
> Then when a client tries to resolve an Internet host name it
> will be resolved by DNS1; if the client tries to resolve an
> Intranet host name, and as DNS1 can't resolve it, it will
> be resolved by DNS2.
>
> I have set up this scenario but it does not work. Could
> someone help me?

That is not exactly how the resolver works, and you can't configure it this
way. If DNS1 does not answer within 1 second it queries DNS1 and DNS2; if
either answers with either a positive or negative answer, the query stops.
Whichever DNS answers first is moved to the preferred position until TCP/IP
is reset.

All DNS servers in your NIC must be able to answer all queries; you cannot
have one resolving internal and one resolving external. BOTH must be able to
resolve BOTH internal _AND_ external.
 
Jeff Cochran

> This is my problem:
>
> I want to set up the following DNS configuration:
>
> 1. One DNS (DNS1) to resolve Internet host names
>
> 2. Another DNS (DNS2) to resolve Intranet names
>
> 3. Clients with:
>
> Preferred DNS Server: DNS1
>
> Alternate DNS Server: DNS2
>
> Then when a client tries to resolve an Internet host name it will be resolved by
> DNS1; if the client tries to resolve an Intranet host name, and as DNS1 can't
> resolve it, it will be resolved by DNS2.
>
> I have set up this scenario but it does not work. Could someone help me?

Change your scenario. ALL clients point only to DNS1. DNS1 forwards
to DNS2.

Jeff
 
Microsoft News

Thanks all for your answers.

What happens is that our security police restrict that kind of configuration
(forwarding), then the Internal DNS (DNS2) must not resolve Internet host
names.

Someone told me that I can resolve this problem by installing a Proxy (ISA)
server that handles the DNS requests for Internet names.

Do you know something about it?

Thanks
 
Ace Fekay [MVP]

Microsoft News said:
> Thanks all for your answers.
>
> What happens is that our security police restrict that kind of
> configuration (forwarding), then the Internal DNS (DNS2) must not
> resolve Internet host names.
>
> Someone told me that I can resolve this problem by installing a Proxy
> (ISA) server that handles the DNS requests for Internet names.
>
> Do you know something about it?
>
> Thanks

If your policy doesn't allow internal DNS resolving Internet names, your
best bet is ISA. Do keep in mind, when a forwarder is configured, it's still
protected from the Internet since it is not handling queries outside of the
network's scope; rather, it's sending the query to your ISP's DNS and the
answer is returning from that machine.

Here's more info on ISA. ISA is a separate topic in itself.
http://www.microsoft.com/isaserver/

Microsoft Internet Security and Acceleration (ISA) Server- An Overview of
Feature Pack 1- Thursday, February 20, 2003:
http://support.microsoft.com/default.aspx?kbid=813774

If you'd like to learn more about it, I can suggest posting to the ISA
newsgroup with specific questions.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Jonathan de Boyne Pollard

MN> I want to setup the following DNS configuration:

You want to do something that won't work.

MN> 1. One DNS (DNS1) to resolve Internet host names
MN> 2. Another DNS (DNS2) to resolve Intranet names
MN> 3. Clients with:
MN> Preferred DNS Server: DNS1
MN> Alternate DNS Server: DNS2

Instead, configure your clients to use only DNS2, and have DNS2 capable of
resolving queries for both "internal" and "external" names (either by
performing query resolution itself or by forwarding queries for "external"
names on to DNS1).
 
Jonathan de Boyne Pollard

MN> [...] our security police restrict that kind of
MN> configuration (forwarding) [...]

For a concrete reason? Or because they don't understand it?

MN> then the Internal DNS (DNS2) must not resolve
MN> Internet host names.

I'm leaning towards the "Your 'security police' don't understand the DNS."
hypothesis, upon reading this.

If you want your machines to be capable of using both "internal" and
"external" domain names, then some DNS server somewhere *must* be capable
of handling both sets of names. The splitting in "split horizon" DNS
service is *always* done on a DNS server somewhere. It cannot be done on
DNS clients because no DNS client (that I know of) has the capability
for doing it.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon.html>
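The resolver behaviour the replies describe, as an added example that is not part of any post in this thread: a toy Python model in which the client stops at the first answer, positive or negative, and only moves to the next server when one does not respond. The `Server` class, the sample names and addresses are constructed for illustration, and the model tries servers strictly in order rather than reproducing the real resolver's timing.

```python
NXDOMAIN, SERVFAIL, TIMEOUT = "NXDOMAIN", "SERVFAIL", None

class Server:
    """Hypothetical DNS server: answers from its own records, optionally forwards the rest."""
    def __init__(self, name, records, forwarder=None, up=True):
        self.name, self.records = name, records
        self.forwarder, self.up = forwarder, up

    def query(self, qname):
        if not self.up:
            return TIMEOUT                    # no response at all
        if qname in self.records:
            return self.records[qname]
        if self.forwarder is not None:        # split done on the server
            upstream = self.forwarder.query(qname)
            return SERVFAIL if upstream is TIMEOUT else upstream
        return NXDOMAIN                       # a negative answer is still an answer

def stub_resolve(qname, servers):
    """Client side: the first server that answers ends the query."""
    for server in servers:
        answer = server.query(qname)
        if answer is not TIMEOUT:
            return server.name, answer
    return None, TIMEOUT

# Constructed sample data (documentation and private address ranges).
EXTERNAL = {"www.example.com": "203.0.113.10"}
INTERNAL = {"files.corp.example": "10.0.0.5"}
NAMES = ("www.example.com", "files.corp.example")

def client_split(dns1_up=True):
    """Original plan: DNS1 preferred (Internet only), DNS2 alternate (intranet only)."""
    dns1 = Server("DNS1", EXTERNAL, up=dns1_up)
    dns2 = Server("DNS2", INTERNAL)
    return {n: stub_resolve(n, [dns1, dns2]) for n in NAMES}

def server_split():
    """Suggested plan: clients use only DNS2, which forwards unknown names to DNS1."""
    dns1 = Server("DNS1", EXTERNAL)
    dns2 = Server("DNS2", INTERNAL, forwarder=dns1)
    return {n: stub_resolve(n, [dns2]) for n in NAMES}

if __name__ == "__main__":
    for label, result in (("client split", client_split()),
                          ("client split, DNS1 down", client_split(dns1_up=False)),
                          ("server split", server_split())):
        print(label, result)
```

With DNS1 up, the intranet name comes back as NXDOMAIN from DNS1 and DNS2 is never asked; with DNS1 down, the roles reverse and the Internet name fails instead.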
 
