using win2K to host internet DNS


Eddie Walker

question:

i have a windows 2000 network behind a firewall, local win2K dns is setup
for internal a.d. use.

right now our internet records such as PTR, MX, and www are handled by our
ISP. I would like to be able to manage those on our local win2K servers.

right now everything that is not external is sent up to our isp as listed in
the forwarders.

what do i need to do? change the domain server info at network solutions to
point directly to my win2K server running dns? open the port for DNS on our
firewall, and then make the appropriate entries in win2K dns manager? (for
web, mail, etc)?

thanks,

ed

Ace Fekay [MVP]

Eddie Walker said:
> question:
>
> i have a windows 2000 network behind a firewall, local win2K dns is
> setup for internal a.d. use.
>
> right now our internet records such as PTR, MX, and www are handled
> by our ISP. I would like to be able to manage those on our local
> win2K servers.
>
> right now everything that is not external is sent up to our isp as
> listed in the forwarders.
>
> what do i need to do? change the domain server info at network
> solutions to point directly to my win2K server running dns? open the
> port for DNS on our firewall, and then make the appropriate entries
> in win2K dns manager? (for web, mail, etc)?
>
> thanks,
>
> ed


Keep in mind to accomplish this, it's required that you have separate DNS
servers to handle public records. According to the registrar, you'll need
two nameservers to host public DNS content. You can't mix them with your AD
data, for a couple reasons, depending on your scenario.

If you have private IPs, that kind of hinders you because the DNS server on
your private zone that you'll decide to use (not the AD DNS) will have
private IPs in its nameserver tab, which get published, so even though you
may have a port re-map for 53 to the internal IP from the external IP, the
private IPs are still listed. This *will* cause problems on the Internet.

Besides, you can only port re-map one port to one IP thru a NAT. If you do
have NAT, there wouldn't be any way to host the two name servers.

In addition, mixing public data and your private AD data on one machine will
be a huge security hole, besides the private data interfering with SOA
records.

If you have two additional servers and you do have public IP addresses, then
just go to your registrar (I use Network Solutions, which offers this sort
of service) and sign in, look for some sort of host nameserver services
under your account, then create two hostname server names for your 2
nameservers, and give them the public IPs. Wait about 24-72 hours before it
takes effect. Then when you change the SOA for your domains, wait an
additional 24-72 hours for that to take effect.

In the long run, and the consensus is, it's less administrative overhead and
much easier to just let your ISP or whomever, handle them. :)

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
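As an added illustration of the two checks Ace raises (the registrar expects two nameservers, and any private address in a nameserver's glue gets published and is unreachable from the Internet), here is a small Python script that is not part of the thread; it scans constructed sample zone records for a placeholder domain, example.com, where 203.0.113.0/24 (the RFC 5737 documentation range) stands in for the public block.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (name, type, value) standing in for what a Windows
# 2000 DNS zone would publish once delegated. example.com is a placeholder domain
# and 203.0.113.0/24 (RFC 5737 documentation range) stands in for the public block.
SAMPLE_ZONE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com."),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "NS", "ns2.example.com."),
    ("ns1.example.com.", "A", "203.0.113.10"),
    ("ns2.example.com.", "A", "192.168.1.5"),     # RFC 1918 address: would be published
    ("example.com.", "MX", "10 mail.example.com."),
    ("mail.example.com.", "A", "203.0.113.25"),
]

# Address ranges that must never appear as nameserver glue in a public zone.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def is_non_routable(ip):
    # True if ip falls in a private, loopback or link-local range.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def check_public_nameservers(records, zone):
    """Return a list of problems that would break public delegation of `zone`:
    fewer than two NS records, an NS host without glue, or glue that points at
    an address the Internet cannot reach."""
    problems = []
    glue = defaultdict(list)
    for name, rtype, value in records:
        if rtype == "A":
            glue[name].append(value)
    ns_hosts = [v for n, t, v in records if n == zone and t == "NS"]
    if len(ns_hosts) < 2:
        problems.append(f"{zone}: {len(ns_hosts)} NS record(s); registrar requires two")
    for host in ns_hosts:
        if not glue[host]:
            problems.append(f"{host}: no A record (glue) in the zone")
        for ip in glue[host]:
            if is_non_routable(ip):
                problems.append(f"{host}: glue address {ip} is not routable on the Internet")
    return problems
```

Running `check_public_nameservers(SAMPLE_ZONE, "example.com.")` flags ns2's 192.168.1.5 glue, which is exactly the record that would be published to the Internet and break resolution.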

Eddie Walker

Ace,
Thanks for the quick reply.

We are not using private IP. We have a block of public IP addresses that we
use. Does that make this simpler or do I still need two additional servers?

as far as public records, you are referring to our MX, CNAME, entries that
our ISP currently has?

I am curious about this as I am switching ISPs shortly and thought this
might be a good time to evaluate this idea.

Ed


Lanwench [MVP - Exchange]

What's your goal? As Ace said, it's really best for small networks to leave
public DNS hosted externally. I'd strongly suggest that you use private IPs
and NAT on your network -

Ace Fekay [MVP]

Eddie Walker said:
> Ace,
> Thanks for the quick reply.
>
> We are not using private IP. We have a block of public IP addresses
> that we use. Does that make this simpler or do I still need two
> additional servers?
>
> as far as public records, you are referring to our MX, CNAME, entries
> that our ISP currently has?
>
> I am curious about this as I am switching ISPs shortly and thought
> this might be a good time to evaluate this idea.
>
> Ed

I agree with Lanwench's observations. Don't bother hosting them, not worth
the extra effort.

Yes you still need two separate DNS servers and you CANNOT use your AD DNS
machines for this task. If you do, you're inviting trouble and config
issues, public IP or not.

I host about 25 domains for my clients. It's a PITA sometimes (pain in the
rump). Sometimes I wish I had just let my ISP do it, since I have to have two
separate servers doing NOTHING else but just that task.... and then locking
them down tight so nothing else (unneeded services) is running on them.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory