Root Hints or forwarders?

Guest

Hi

I have 2 DNS servers AD integrated authoritative for the internal DNS zone
only, I also have 2 external DNS servers on our DMZ as primary/secondary for
our internet facing zones.

I want to keep the internal DNS servers from querying anything other than
the 2 DMZ based DNS servers when looking up external hostnames.

I also want the 2 DMZ DNS servers to only query our ISP's DNS servers when
they do lookups.

What is the best way to do this? Forwarders or replacing the root hints,
should I turn off recursion on the servers anywhere?

Thanks for any help.

Herb Martin

Forwarders.

huff-n-puff said:
> I have 2 DNS servers AD integrated authoritative for the internal DNS zone
> only, I also have 2 external DNS servers on our DMZ as primary/secondary for
> our internet facing zones.
>
> I want to keep the internal DNS servers from querying anything other than
> the 2 DMZ based DNS servers when looking up external hostnames.

Use Forwarders, and check "do not use recursion" on that SAME
"Forwarders" dialog page (not in advanced since that disables
forwarders TOO.)

Without that checkbox your internal servers will both forward AND
physically recurse the root.

> I also want the 2 DMZ DNS servers to only query our ISP's DNS servers when
> they do lookups.

Good too -- you can use the ISP for forwarding, or you
can use your own external servers for that if you don't
even want your DCs going as far as the ISP.

Generally, your DCs should be firewall/filtered so they
cannot reach the Internet even if you forgot to stop such.

(You can make exceptions for places like Windows Update
OR you can just run an Internal SUS server for their updates.)

> What is the best way to do this? Forwarders or replacing the root hints,
> should I turn off recursion on the servers anywhere?

Forwarders. (and check the do not use recursion, making it unnecessary
to mess with the root hints.)

Guest

Hi

You say to use forwarders but on which servers the internal or DMZ? Which
should have "do not use recursion" set? Internal or DMZ?

Thanks

Herb Martin

huff-n-puff said:
> Hi
>
> You say to use forwarders but on which servers the internal or DMZ? Which
> should have "do not use recursion" set? Internal or DMZ?

Both (sets) probably. But you asked about the Internal servers
primarily so the answer was largely focused on those and did
indicate doing it on both.

Use the forwarding tab on the INTERNAL DNS server properties,
and set the forwarder (external server, either the DMZ or the ISP
as appropriate but I vote for DMZ) and on that same tab set the
"do not use recursion" so that the DNS server will NOT use both
methods.

You might wish to do the same on the DMZ DNS servers but here
you would definitely use the ISP.

Just be sure to AVOID the "disable recursion" check box in the
ADVANCED property sheet as it turns off BOTH forwarding and
recursion. (They changed this dialog in Win2003 to avoid the
confusion.)

Herb Martin

Lee said:
> My vote is to set to internal forwarding to the ISP and never the dmz.

Why don't you give some reasons and such for that opinion....

Setting it to the DMZ machines means that your internal DNS
servers (especially DC-AD Integrated DNS servers) can
be prevented from going outside AT ALL.

Although it might make as much or more sense to use a
caching only DNS server on the INSIDE firewall (that's
what I do), this element was not mentioned in the scenario
he proposed.

Jonathan de Boyne Pollard

> I want to keep the internal DNS servers from querying anything other than the 2 DMZ based DNS servers when looking up external hostnames.
>
> I also want the 2 DMZ DNS servers to only query our ISP's DNS servers when they do lookups.

You want to do something which is a bad idea.  Your publicly accessible DNS servers should provide only content DNS service.  They shouldn't provide promiscuous proxy DNS service to the whole of Internet, as you want them to.  You shouldn't provide promiscuous proxy DNS service any more than you should provide promiscuous proxy HTTP service or "open" SMTP Relay service.  So configure your two "DMZ" DNS servers to provide content DNS service; and configure your "internal" DNS servers to provide proxy DNS service.

Also note what those answers say about how to decide whether it is in fact appropriate to forward queries from your "internal" DNS servers to your ISP's proxy DNS servers.
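An added example, not from the thread or its posters, showing the two roles discussed above on Windows DNS: Herb Martin's steps for the internal servers (forwarders set, root-hint fallback off, Advanced-tab recursion left enabled) and Jonathan de Boyne Pollard's content-only DMZ servers (recursion off, no forwarders). It assumes the DnsServer PowerShell module (Windows Server 2012 or later); server names and IP addresses are placeholders.

```powershell
# Added example. Assumes the DnsServer module and admin rights on the targets.
# Win2003-era equivalent of the internal step (for reference, not run here):
#   dnscmd <server> /ResetForwarders 192.0.2.10 192.0.2.11 /Slave
Import-Module DnsServer

# Role 1: internal AD-integrated servers forward only and never recurse to the root.
function Set-InternalForwardingOnly {
    param(
        [Parameter(Mandatory)][string]$Server,        # placeholder, e.g. 'dns-int-1'
        [Parameter(Mandatory)][string[]]$Forwarders   # DMZ or ISP resolvers (the thread's debate)
    )
    # Forwarders tab: set the list and clear "use root hints if no forwarders are
    # available", the later wording of the 2003 "do not use recursion" box.
    Set-DnsServerForwarder -ComputerName $Server -IPAddress $Forwarders -UseRootHint $false
    # Advanced tab "Disable recursion" must stay CLEAR, or forwarding stops too.
    Set-DnsServerRecursion -ComputerName $Server -Enable $true
}

# Role 2: DMZ authoritative servers serve only their own zones (content DNS service).
function Set-ContentOnly {
    param([Parameter(Mandatory)][string]$Server)      # placeholder, e.g. 'dns-dmz-1'
    Set-DnsServerRecursion -ComputerName $Server -Enable $false
    # Remove any forwarders so nothing is left for the server to chase on behalf of clients.
    $fw = Get-DnsServerForwarder -ComputerName $Server
    if ($fw.IPAddress) {
        Remove-DnsServerForwarder -ComputerName $Server -IPAddress $fw.IPAddress -Force
    }
}

# Check: reports each server's effective posture and flags the trap Herb describes
# (recursion disabled in Advanced silently disables forwarding as well).
function Test-DnsRole {
    param([Parameter(Mandatory)][string]$Server)
    $fw  = Get-DnsServerForwarder -ComputerName $Server
    $rec = Get-DnsServerRecursion -ComputerName $Server
    [pscustomobject]@{
        Server          = $Server
        Forwarders      = ($fw.IPAddress -join ',')
        UseRootHint     = $fw.UseRootHint
        RecursionOn     = $rec.Enable
        ForwardingWorks = [bool]($rec.Enable -and $fw.IPAddress.Count -gt 0)
        ContentOnly     = [bool](-not $rec.Enable -and $fw.IPAddress.Count -eq 0)
    }
}

# Usage with placeholder names and documentation-range addresses:
Set-InternalForwardingOnly -Server 'dns-int-1' -Forwarders '192.0.2.10','192.0.2.11'
Set-ContentOnly -Server 'dns-dmz-1'
'dns-int-1','dns-dmz-1' | ForEach-Object { Test-DnsRole -Server $_ } | Format-Table
```

If an internal server is pointed at a DMZ server that has been made content-only, Test-DnsRole on the internal side still reports ForwardingWorks as true; the forwarder target's ContentOnly flag is what reveals that those forwarded queries will be refused, which is Jonathan's objection to that design.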

Jonathan de Boyne Pollard

>> My vote is to set to internal forwarding to the ISP and never the dmz.
>
> Why don't you give some reasons and such for that opinion....

One of the reasons that he could give, as set forth in my other post, is that the "DMZ" DNS server will, if properly configured for a publicly accessible rôle such as he describes, not be providing proxy DNS service at all, so forwarding to it simply won't work.

> Setting it to the DMZ machines means that your internal DNS servers [...] can be prevented from going outside AT ALL.

That's not strictly true, as they still have to "go outside" to communicate with the "DMZ" DNS servers.  The hole in the firewall for the latter is not that much smaller than the hole in the firewall for having them perform query resolution themselves.