• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 144

External DNS of my own

I am having a T1 installed. I'll be running this through a Cisco 1760 router and using a Checkpoint firewall. I'd like to run my own DNS server between the router and the firewall so it would be my external DNS and cut out the ISP's DNS server. I'd also put MX records on it to point to me to host my email. Any tips or sharing of experience would be appreciated.
Asked by: marcwidz
1 Solution
 
samri commented:
hi marcwidz,

You can have one server behind the firewall be the DNS server that serves public DNS. You just need to allow port 53 TCP+UDP traffic (both directions) on the firewall.

In most cases, you would need to register a domain name somewhere, and in most cases (IMHO) the registrar would be willing to be your secondary DNS.

cheers.
Gruff66 commented:
As above. If you configure MS Server as a DNS server and have that behind your firewall, you can register as a Primary DNS for your domain and get your ISP to be secondary. You then need to configure your DNS server to have SOA records which contain your A and MX records to point to various hosts in your domain.

The biggest issue seen is normally the Serial Number (Increment) for the SOA. By default this will be set to 1 initially in MS DNS, but your ISP is likely to use the format yyyymmddii (where ii is the increment number). As a primary, your serial number must be higher than theirs to get them to update their records.

You can set up Notify servers in the DNS server config to allow your DNS server to send out update requests to the secondaries, and then tailor your rulebase to only allow those secondary servers access to your DNS server (a bit more secure than using ANY).

Allow port 53 (UDP and TCP) between your DNS and theirs and you should have no probs.

Checkpoint has a group of services already configured so that should make it easier. Just make sure your ISP (if applicable) is allowing these ports through the 7206... sometimes they stick ACLs on the routers <sigh>

G
samri commented:
>>Biggest issue seen is normally the Serial Number (Increment) for the SOA. By default this will be set at 1 initially in MS DNS, but your ISP is likely to use the format yyyymmddii (where ii is the increment number). As a primary your serial number must be higher than theirs to get them to update their records.

I think the ISP would be pulling the record from the primary, and it should be fine (unless the ISP manually edits the zone file -- they should not). The DNS master/slave should be working fine.

just a note.
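The SOA serial point discussed in the two comments above, as an added example that is not from the thread or from any of the posters: a secondary only pulls a new copy of the zone when the primary's serial counts as newer under RFC 1982 serial arithmetic, so a primary that starts at 1 (the MS DNS default) never overtakes a secondary that already holds a yyyymmddii-style serial. The function and record names below are my own.

```python
"""SOA serial handling for a primary DNS server: RFC 1982 comparison as a
secondary applies it, and a helper that produces yyyymmddii serials."""
from datetime import date

SERIAL_MODULUS = 2 ** 32   # the SOA serial is an unsigned 32-bit integer
HALF_RANGE = 2 ** 31


def serial_is_newer(candidate: int, current: int) -> bool:
    """RFC 1982: True if a secondary holding `current` would treat
    `candidate` as a later serial and therefore transfer the zone."""
    candidate %= SERIAL_MODULUS
    current %= SERIAL_MODULUS
    if candidate == current:
        return False
    # "newer" means the forward distance is less than half the ring
    return (candidate - current) % SERIAL_MODULUS < HALF_RANGE


def today_yyyymmdd() -> int:
    """Today's date as an integer, e.g. 20040101."""
    return int(date.today().strftime("%Y%m%d"))


def next_serial(current: int, today_ymd: int) -> int:
    """Next serial in yyyymmddii form for a zone edit made on `today_ymd`.

    Jumps to today's base (yyyymmdd00) when the current serial is older than
    that; otherwise bumps the ii part, and if 99 edits have already been made
    today just increments so the value keeps growing (mod 2**32)."""
    base = today_ymd * 100
    if current < base:
        return base
    if current < base + 99:
        return current + 1
    return (current + 1) % SERIAL_MODULUS


def soa_record(zone: str, primary_ns: str, contact: str, serial: int,
               refresh: int = 3600, retry: int = 900,
               expire: int = 1209600, minimum: int = 3600) -> str:
    """Render the SOA line for a zone file (constructed values are fine)."""
    return (f"{zone}. IN SOA {primary_ns}. {contact}. "
            f"{serial} {refresh} {retry} {expire} {minimum}")


if __name__ == "__main__":
    # MS DNS default serial 2 versus an ISP secondary already at 2004010101:
    print(serial_is_newer(2, 2004010101))      # False: secondary will not pull
    print(soa_record("example.com", "ns1.example.com",
                     "hostmaster.example.com", next_serial(2, 20040102)))
```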
