
external DNS servers (quick question)

Do most companies house their own external DNS servers? And do they have two types of external DNS servers?

1. One DNS server that queries the root servers (for their internal clients' requests, so clients are set to forward to this).

2. Another DNS server that resolves names for clients from the outside (who are trying to find the company's web server, etc.).

Wouldn't it be better to keep the two separate?

3 Solutions
I believe DNS servers are set up in a chain-like fashion, that go well out of the enterprise itself.

Your No. 1 server will normally exist in a company, but when queried, it will then query another DNS server on the outside for the client; normally the ISP hosts this server.  Eventually that client will simply be given an IP address for the name (e.g., www.experts-exchange.com) that they wish to access.  When the IP address is queried, the request is able to be routed through the internet.

For No. 2, a company wouldn't have a DNS server for the hosting of remote access servers (web servers, etc), the DNS would be handled at the client end (who would be querying the webserver, for example, No.1), and eventually be given an IP address to the company, or one of many servers within a company.  Once the request reaches that IP address, the company servers can route the request internally to the appropriate server if required (normally used with port forwarding etc, where there are a number of servers hosting different services behind the one external IP address).

Hope I haven't confused you!

Typically, people keep at least two domains, one internal and one external.  For devices that are internal, you use a namespace that does not match your external namespace.  So if you are mycompany.com externally, you are mycompany.int internally.  This helps prevent people from using your DNS server to map your internal network.

That said, you can host both the namespaces on the same server, but best practices says you should have separate servers for internal and external.  

Most people own their internal DNS servers -- I don't know of anyone who hosts that offsite.  The internal servers resolve requests both internally and externally to the Internet.  All your clients point to these boxes.

Many people do not own the servers that contain their external DNS information.  Largely it's because it isn't worth the bother or cost to host them.  Let your ISP do it for you -- it is typically pretty inexpensive.
Well dear,

You are very, very right... there has to be more than one server. Ollie is right that servers are in the chain configuration. But what we do in the internet business is that some ISP has its own server working for DNS, with automatic secure update from another server. This way the server serves for the internal organization as well as for the internet. In Windows it is very easy: just enable Allow Secure Updates Only and you have done that. In Linux, however, you have to write the code for that... and it's simple...

To give you a better understanding, what happens is... that DNS servers have levels as well. When you go out from your gateway, you first go to a DNS server. The DNS server will either resolve the address itself, or ask its next DNS server. A DNS server is not so stupid as to keep a trillion websites with it for resolution; it just knows the paths... for example, for .edu.com it may get directed towards one server, yet for .net it may go to some other server. But the hierarchy is maintained at the DNS level. Sometimes the access is blocked or restricted for one ISP, so you won't find the web address working under that ISP.....

The topic is pretty simple, yet long.... hope you have got a fair idea of that....

happy understanding ;)

If you're asking what I think you're asking, the answer is usually no and no, unless the company is an ISP or telecommunications company who already has that for other purposes.  If I read your question correctly, you're talking about internet DNS one way and the other, and not intranet.  Normally, a company will run DNS internally, but it is for Windows network name resolution, like returning an IP address when you do something like "ping mailserver1".  Internal DNS (used to be called WINS, has been called DNS since Win2k Server) just resolves names to addresses on your LAN as a function of NetBIOS etc. for the purposes of file sharing, remote management etc.  As far as internet DNS, regardless of whether it be incoming or outgoing, it's normally done at the ISP or telco provider level, although many gateways, servers, etc. will cache the last several hundred to several thousand requests in a revolving cycle just to save bandwidth/overhead etc.  It's a hierarchy: your browser (when on LAN) will check its own cache, then your server's cache; if your server doesn't have it, it checks with your ISP; if your ISP doesn't have it, it checks with a core server, etc. etc.

dissolved (Author) Commented:

Thanks everyone.

I currently have 3 internal DNS servers. It's AD-integrated using dynamic DNS. They query my ISP's DNS for stuff they can't resolve.

I have one external DNS housed here. This isn't affiliated with my AD structure at all. It's just a Win2k box running nothing but DNS. I disabled recursion on it and removed the root servers. It's strictly for clients resolving addresses of my externally accessible boxes.

dissolved (Author) Commented:
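One way to confirm that an externally reachable, authoritative-only server like the one described above really has recursion disabled is to send it a query for a name it is not authoritative for and inspect the response flags. The following is an added example, not code from the thread; it builds a raw DNS query with the standard library and treats a response with RA set, rcode 0 and at least one answer as evidence of an open resolver. The server address, the probe name `example.com` and the 2-second timeout are assumptions.

```python
import socket
import struct

# Flag bits in the DNS header (RFC 1035 section 4.1.1).
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(resp: bytes) -> dict:
    """Extract the header fields relevant to an open-resolver check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "txid": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def is_open_resolver(resp: bytes) -> bool:
    """True if the server offered recursion and resolved an out-of-zone name.

    A correctly locked-down authoritative server leaves RA clear and
    typically answers REFUSED (rcode 5) or SERVFAIL (rcode 2) instead.
    """
    h = parse_header(resp)
    return h["qr"] and h["ra"] and h["rcode"] == 0 and h["answers"] > 0


def check_server(server_ip: str, name: str = "example.com", timeout: float = 2.0):
    """Send one probe over UDP/53 and return (parsed header, open_resolver flag)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        resp, _ = sock.recvfrom(512)
    return parse_header(resp), is_open_resolver(resp)


if __name__ == "__main__":
    import sys  # usage: python check_recursion.py <external-dns-ip>
    header, open_resolver = check_server(sys.argv[1])
    print(header, "OPEN RESOLVER" if open_resolver else "recursion not offered")
```

Run it from outside the LAN against the external server; the internal AD-integrated servers are expected to report RA set, which is fine as long as they are not reachable from the internet.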
Thanks Focusyn. I would have given you points, but I think I was splitting points while you were typing your answer. Bad timing.

Basically, you guys answered it. External servers are kept at ISPs usually.  The company must use some type of interface or control panel right? Otherwise, the ISP would have to do all the changes.

Let's say I host my own website. When outside users want to access it, they will eventually query my name server to find the address. Is the name server they query, going to be the same one my internal clients use to resolve internet names?

So basically, in other words: does the external server both resolve queries for my internal clients, and for people on the internet trying to find the website I host in the company?
In this case... your internal DNS servers work for your internal clients; it is very likely your domain name is directed to another company's nameservers (a lot cheaper this way). From there, any requests basically end up at your external IP (but the outside client sees your domain name).
