Same internal and external domain name - safe?

Mark N.

I seem to remember that having your NT4 internal domain name the same as
your outside domain name was not considered a safe practice. But what of
AD? It seems to make sense that your internal and external should be the
same, but something deep in my soul tells me that this is dangerous? Is
it???

Thanks,
Mark
 
Jimmy Andersson [MVP]

Mark N.

> It depends on how you configure it; if you use separate servers and don't
> synch records, it's OK. But there are a lot of considerations, check these URLs.
>
> Deploying W2K3 DNS:
> http://www.microsoft.com/resources/...d/proddocs/en-us/sag_DNS_imp_PlanningNode.asp
>
> Windows 2000 DNS Center:
> http://www.microsoft.com/windows2000/technologies/communications/dns/default.asp
>
> Split-brain configuration of DNS:
> http://www.microsoft.com/serviceproviders/whitepapers/split_dns.asp
>
> Regards,
> /Jimmy


Our external domain is hosted on a Win2K server in our DMZ. Right now, our
NT4 internal domain name is something generic and not the same as our
external/website domain. I would keep the internal domain name something
different from the external if I was certain that this wouldn't cause me
trouble in the future. We're a small company with only 65 local employees
in one building. I want to make this upgrade as simple as possible.

Thanks,
Mark
 
Enkidu

> Our external domain is hosted on a Win2K server in our DMZ. Right now, our
> NT4 internal domain name is something generic and not the same as our
> external/website domain. I would keep the internal domain name something
> different from the external if I was certain that this wouldn't cause me
> trouble in the future. We're a small company with only 65 local employees
> in one building. I want to make this upgrade as simple as possible.

Based on the information you provide, I'd probably keep them
different. One thing to watch out for is the possibility that your
internal domain name conflicts with someone else's external domain
name. Then you wouldn't ever be able to get to them!

There are three ways to set up your domain names:

1) Internal and external Domain Names the same. Here the problem is eg
locating your own external webserver from inside. You have to add it
to the internal DNS manually.

2) The external domain name different to the internal domain name. eg
external mycompany.com and internal mycompany.lan. Your internal
domain name can never conflict with any external domain name.

3) The internal domain name a sub-domain of your external domain name.
eg external mycompany.com, internal lan.mycompany.com. This too has
advantages - you don't have any problem accessing any external domain,
even your own, and it can't conflict with anyone else.

All of these have their proponents - sometimes the advocates of a
particular scheme can be, um, enthusiastic in their defence of their
preferred method!

Cheers,

Cliff
 
Mark N.

> Based on the information you provide, I'd probably keep them
> different. One thing to watch out for is the possibility that your
> internal domain name conflicts with someone else's external domain
> name. Then you wouldn't ever be able to get to them!
>
> There are three ways to set up your domain names:
>
> 1) Internal and external Domain Names the same. Here the problem is eg
> locating your own external webserver from inside. You have to add it
> to the internal DNS manually.
>
> 2) The external domain name different to the internal domain name. eg
> external mycompany.com and internal mycompany.lan. Your internal
> domain name can never conflict with any external domain name.
>
> 3) The internal domain name a sub-domain of your external domain name.
> eg external mycompany.com, internal lan.mycompany.com. This too has
> advantages - you don't have any problem accessing any external domain,
> even your own, and it can't conflict with anyone else.
>
> All of these have their proponents - sometimes the advocates of a
> particular scheme can be, um, enthusiastic in their defence of their
> preferred method!
>
> Cheers,
>
> Cliff


Thanks for the lengthy reply! I like the idea of keeping things separate.
Actually, I really like your suggestion #3 - if only I could scrape up
enough servers to do that :-(
But I think that I will probably go with a separate internal name to reduce
the need for DCs all over the place..

Many thanks!!
Mark
 
Enkidu

> Thanks for the lengthy reply! I like the idea of keeping things separate.
> Actually, I really like your suggestion #3 - if only I could scrape up
> enough servers to do that :-(
> But I think that I will probably go with a separate internal name to reduce
> the need for DCs all over the place..

Mark, I don't know why you think that one method will use more servers
than another. Please expand on that!

Cheers,

Cliff
 
Mark N.

> Mark, I don't know why you think that one method will use more servers
> than another. Please expand on that!
>
> Cheers,
>
> Cliff

Well, based on what I've gathered in my test network, if I had my root
domain: rootdomain.com
I'd need a DC for that. Then if I wanted a child domain for my DMZ, and one
for my internal network, wouldn't I need to have some DCs in those too? But
a single domain wouldn't need that root domain DC. At least, that's what I
am thinking?

Thanks,
Mark
 
Mark N.

> 3) The internal domain name a sub-domain of your external domain name.
> eg external mycompany.com, internal lan.mycompany.com. This too has
> advantages - you don't have any problem accessing any external domain,
> even your own, and it can't conflict with anyone else.

Hi Cliff,

In this example (which is how I have my test network set up right now), my
only concern is with the fact that our website (www.company.com) winds up
being the parent in the tree. Is this a security concern? I'm worried
about the fact that malevolent persons on the outside would already know the
name of our parent domain in this case and the next time a security hole is
discovered in Windows Server, they may exploit it.

You mention that there are many opinions on how to configure a namespace
and/or LAN... What do you recommend? I'm collecting opinions :)


Thanks,
Mark
 
Enkidu

> Well, based on what I've gathered in my test network, if I had my root
> domain: rootdomain.com
> I'd need a DC for that. Then if I wanted a child domain for my DMZ, and one
> for my internal network, wouldn't I need to have some DCs in those too? But
> a single domain wouldn't need that root domain DC. At least, that's what I
> am thinking?

OK, separate in your mind the Active Directory Domain and the DNS Domain. They
are NOT the same thing. The scope of your Active Directory should only
be the internal network. Have one (AD) Domain that is the root *and
ONLY* Domain of your Active Directory, unless you have a very good
reason to have more. It doesn't matter where it fits in the DNS
hierarchy.

For instance one of the sites I worked with, we had an Active
Directory Domain called "lan.mycompany.com". That was its name and it
was the root domain of Active Directory and the root zone of the DNS
in the internal DNS servers (to simplify only a little).

Externally, we had a DMZ zone in which I also ran DNS servers. This
was NOT an Active Directory Domain. Its DNS name was mycompany.com.
This was the root zone of the DMZ DNS. Which, I repeat, had nothing to
do with Active Directory. All the DMZ servers were stand alone
servers.

I could have used the services of a DNS provider, such as an ISP,
instead of doing DNS myself. The principle is the same.

The key point is that the Active Directory Domain is different to the
DNS Domain, though obviously they are linked.

Cheers,

Cliff

{MVP Directory Services}
 
Enkidu

> Hi Cliff,
>
> In this example (which is how I have my test network set up right now), my
> only concern is with the fact that our website (www.company.com) winds up
> being the parent in the tree. Is this a security concern? I'm worried
> about the fact that malevolent persons on the outside would already know the
> name of our parent domain in this case and the next time a security hole is
> discovered in Windows Server, they may exploit it.
>
> You mention that there are many opinions on how to configure a namespace
> and/or LAN... What do you recommend? I'm collecting opinions :)

(Sorry long post!)

Don't you mean that "company.com" becomes the root? A host is never
the root. The root is an AD Domain Name and a DNS Domain Name too. OK,
suppose you decide on using the same Domain name internally and
externally.

Internally, your Domain is called "mycompany.com". That's both the
Active Directory Domain Name and the internal DNS name. Unless you
have a very good reason you will only have one AD Domain, and it is
also the root Domain.

Externally, covering DMZ and all else, your DNS Domain Name is also
"mycompany.com". You host this DNS yourself or you get an ISP or
someone to host it for you. There is no external Active Directory
Domain, and it is totally separate from your internal DNS zone of the
same name.

The two DNS's do not talk to one another directly, so there are no
security implications. In fact the external DNS knows nothing of your
internal DNS, though your internal DNS knows of the external DNS.

To put it another way, while your internal DNS queries the outside
world, the outside world is unable to query your internal DNS. It
doesn't even know of its existence, so there are no security
implications.

If your web server, www.mycompany.com is in the DMZ, it is not part of
your AD Domain at all. It is part of the external DNS Domain however.
This means that your people inside the network can't see it, unless
you manually add it to your internal DNS.

It doesn't matter which method you choose. So long as the internal DNS
is separate from the external DNS, there is no DNS-related security
problem.

With the same DNS Domain Name internally as externally, (the so-called
"split brain" DNS) there is no way that someone who can read
your external DNS can even locate the internal DNS.

With an internal DNS domain that is a subdomain of your external DNS
then the only way that the external DNS would be able to locate your
internal DNS would be if the external DNS were purposely linked to the
internal DNS. eg to find mailserver.lan.mycompany.com an entry for
lan.mycompany.com would need to be put into the external DNS to point
to the internal DNS for lan.mycompany.com to resolve the mailserver's
address. It wouldn't happen.

With a fake domain name eg, mycompany.lan, an attacker would need to
know that you used that domain name and how to get to your internal
DNS from outside. No way!

In any case, it is easy to prevent people finding out internal
information from your DNS. Just prevent incoming DNS request traffic
at the firewall. You can also hide all your internal addresses by
using Network Address Translation at the firewall too.

Which of the three plans you choose will be determined more by your
preferences, local company politics, pre-existing setups, stuff like
that, than by any technical recommendations, I feel. I've used all
three of them at some time or another.

Cheers,

Cliff

{MVP Directory Services}
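As an added example (not from the thread or any of its posters), a short Python audit of the split-brain arrangement Cliff describes: one zone name served by two separate servers. It checks that no AD locator records have leaked into the external copy and lists public hosts, such as www, that inside clients cannot resolve until they are added to the internal zone by hand. All zone data is constructed sample input.

```python
"""Split-brain DNS audit: one zone name (mycompany.com) served separately
inside (AD-integrated) and outside (ISP/DMZ). Constructed sample data."""
import re
from collections import defaultdict

# Internal view: holds the AD locator (SRV) records and private addresses.
INTERNAL_ZONE = """
@                     SOA  dc1.mycompany.com. hostmaster.mycompany.com.
@                     NS   dc1.mycompany.com.
dc1                   A    10.0.0.5
_ldap._tcp.dc._msdcs  SRV  0 100 389 dc1.mycompany.com.
_kerberos._tcp        SRV  0 100 88 dc1.mycompany.com.
fileserver            A    10.0.0.20
"""

# External view: public hosts only; the ISP's server knows nothing of AD.
EXTERNAL_ZONE = """
@                     SOA  ns1.isp.example. hostmaster.isp.example.
@                     NS   ns1.isp.example.
www                   A    203.0.113.10
mail                  A    203.0.113.25
@                     MX   10 mail.mycompany.com.
"""

# Labels that only ever belong to an Active Directory zone.
AD_MARKERS = {"_msdcs", "_ldap", "_kerberos", "_gc", "_kpasswd"}

def parse_zone(text):
    """Parse simplified 'owner type rdata' lines into {owner: [(type, rdata)]}."""
    records = defaultdict(list)
    for line in text.strip().splitlines():
        owner, rtype, rdata = re.split(r"\s+", line.strip(), maxsplit=2)
        records[owner].append((rtype, rdata))
    return dict(records)

def leaked_ad_records(zone):
    """Owners that reveal AD structure; must be empty for the external copy."""
    return sorted(o for o in zone if AD_MARKERS & set(o.split(".")))

def missing_internally(internal, external):
    """Public A records (e.g. www) that inside clients cannot resolve
    until someone copies them into the internal zone by hand."""
    return sorted(o for o, recs in external.items()
                  if o != "@" and any(t == "A" for t, _ in recs) and o not in internal)

def copy_public_hosts(internal, external):
    """Return a new internal zone with the missing public A records added."""
    fixed = {o: list(r) for o, r in internal.items()}
    for owner in missing_internally(internal, external):
        fixed[owner] = [r for r in external[owner] if r[0] == "A"]
    return fixed
```

Run the checks after every change to either zone; a non-empty result from leaked_ad_records on the external copy means the two servers are no longer truly separate.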
 
Mark N.

> (Sorry long post!)
> Don't you mean that "company.com" becomes the root? A host is never
> the root. The root is an AD Domain Name and a DNS Domain Name too. OK,
> suppose you decide on using the same Domain name internally and
> externally.

Yes, this is the case (sorry, my AD terminology is a little rough so far).

> Internally, your Domain is called "mycompany.com". That's both the
> Active Directory Domain Name and the internal DNS name. Unless you
> have a very good reason you will only have one AD Domain, and it is
> also the root Domain.

The one thing (just mentioned to me by management on Monday) is that there
is a very real possibility that we will be acquiring one or more companies in the
near future. I think that this (with all of the unknowns that are usual for
the IT department in such situations - why tell us anything until it's
implementation time?) is making me think that an empty root may somehow be
of benefit and then a child domain for my current location? I'm faced with
designing a new AD namespace and network and it seems that we may be growing
in the near future... Yikes...

> Externally, covering DMZ and all else, your DNS Domain Name is also
> "mycompany.com". You host this DNS yourself or you get an ISP or
> someone to host it for you. There is no external Active Directory
> Domain, and it is totally separate from your internal DNS zone of the
> same name.

We host only the web servers, not the DNS - it's hosted by our ISP. I'll
only be hosting internal DNS here.


> The two DNS's do not talk to one another directly, so there are no
> security implications. In fact the external DNS knows nothing of your
> internal DNS, though your internal DNS knows of the external DNS.

Well, this is good to know!

> With a fake domain name eg, mycompany.lan, an attacker would need to
> know that you used that domain name and how to get to your internal
> DNS from outside. No way!

I guess I'm paranoid - I like this idea!


> In any case, it is easy to prevent people finding out internal
> information from your DNS. Just prevent incoming DNS request traffic
> at the firewall. You can also hide all your internal addresses by
> using Network Address Translation at the firewall too.


We do use NAT for all transactions to the outside world. Unused ports are
closed and I believe (though I'll have to check) that incoming DNS requests
are blocked by the firewall..


> Which of the three plans you choose will be determined more by your
> preferences, local company politics, pre-existing setups, stuff like
> that, than by any technical recommendations, I feel. I've used all
> three of them at some time or another.
>
> Cheers,
>
> Cliff


Thanks for your very detailed explanation!
Mark :)
 
Enkidu

> The one thing (just mentioned to me by management on Monday) is that there
> is a very real possibility that we will be acquiring one or more companies in the
> near future. I think that this (with all of the unknowns that are usual for
> the IT department in such situations - why tell us anything until it's
> implementation time?) is making me think that an empty root may somehow be
> of benefit and then a child domain for my current location? I'm faced with
> designing a new AD namespace and network and it seems that we may be growing
> in the near future... Yikes...

Hi Mark, I hear nothing here that makes me think an empty root domain
is a good idea. You would need at least one box for it, since a Domain
must have at least one DC.

Your mycompany.com can be the root domain, and the acquired companies'
Domains can be other trees in the same forest. Until they are absorbed
that is.

If your company changes its name, THEN you could create a tree for the
new name and leave the old domain as a single empty root. Until you
have a chance to do it better.

Cheers,

Cliff

{MVP - Directory Services}
 
