Solved

DNS Configuration

Posted on 2005-05-11
Last Modified: 2010-04-10
Currently we are hosting our own DNS. The problem is our network sits behind one firewall/router and DNS traffic is forwarded to our PDC, which hosts the DNS; there are 3 domain controllers which use Active Directory to propagate the DNS information. I have the forwarders set up for our ISP's DNS servers, and everything works OK; however, I understand this poses a huge security risk, as you can ping ANY internal computer name and it will resolve to its private IP address. I have looked at using split DNS; the problem is, if it's Active Directory integrated, how can I put both the private and public zones on the same DNS server? I would not be able to use Active Directory for DNS if I did this, correct?
Question by: o0JoeCool0o
5 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 13979255
Hi,

The public version of the domain cannot be Active Directory Integrated if you want to have it completely separate. You also cannot run both private and public zones on the same name server - after all, technically speaking they are the same.

It's actually quite messy to set it up with DNS only running on a DC and given the choice I would recommend you host your DNS externally, perhaps with your ISP?

This is the rough list of steps:

1. Remove the AD Integrated zone from the public DNS server
2. Add a standard primary zone in (disallowing dynamic updates etc) with the same domain name on the public DNS
3. Recreate the AD Integrated zones on another server - generally step 1 will remove it from all servers
4. Make sure all internal clients and servers only use a server running an AD Integrated zone (which should allow dynamic updates)

Does that make sense to you?

HTH

Chris
LVL 4

Author Comment

by:o0JoeCool0o
ID: 13979387
Yes, that makes sense, but would this work instead:
Stop forwarding DNS traffic to the PDC, set up a new non-Active-Directory server with DNS, and forward the public DNS port to that server instead?

As for hosting DNS externally, I much prefer to have all my host records internal where I can make changes and have the result be instant, whereas external DNS records can take up to 24 hours depending on the provider. We make a lot of DNS changes and I think it's great to have that flexibility.

LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 13979416

That would be much much more sensible yes.

As long as that's an option I can't think of any other reasons why it's bad to host it internally. :)
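The arrangement agreed on above, as an added example that is not part of the original thread: a stand-alone, non-AD-integrated Windows DNS server that receives the forwarded port 53 from the firewall and serves only the public records, followed by the two checks a practitioner would want before cutting over. It uses the DnsServer PowerShell module (Windows Server 2012 and later, which post-dates this 2005 thread; on Windows 2000/2003 the same settings are made with dnscmd or the DNS console). The zone name example.com, the addresses in 203.0.113.0/24, the public server address 203.0.113.53 and the internal host name fileserver are all assumed values chosen for illustration.

```powershell
# Added example, not from the thread. Run elevated on the new public-facing
# DNS server (never on a domain controller). Assumed values: zone example.com,
# public addresses in 203.0.113.0/24, this server reachable at 203.0.113.53
# after the firewall's port-53 forward is moved to it.

$Zone = 'example.com'

# A standard (file-backed) primary zone, i.e. not AD-integrated.
# -DynamicUpdate None stops any client from registering its private address here.
Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None

# Only the records the Internet needs. Internal hosts are never added to this zone;
# they live in the AD-integrated zone that only the internal DNS servers hold.
Add-DnsServerResourceRecordA  -ZoneName $Zone -Name '@'    -IPv4Address '203.0.113.10'
Add-DnsServerResourceRecordA  -ZoneName $Zone -Name 'www'  -IPv4Address '203.0.113.10'
Add-DnsServerResourceRecordA  -ZoneName $Zone -Name 'mail' -IPv4Address '203.0.113.25'
Add-DnsServerResourceRecordMX -ZoneName $Zone -Name '@' -MailExchange "mail.$Zone" -Preference 10

# This box is authoritative only. With recursion left on and port 53 forwarded
# from the whole Internet it would also be an open resolver.
Set-DnsServerRecursion -Enable $false

# Confirm the zone really is a file-backed primary with updates off.
Get-DnsServerZone -Name $Zone | Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate

# Check 1: no A record in the public zone points at an RFC 1918 address.
function Test-PrivateIPv4 {
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

$leaks = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { Test-PrivateIPv4 $_.RecordData.IPv4Address.IPAddressToString }
if ($leaks) {
    Write-Warning "Private addresses published in ${Zone}:"
    $leaks | Format-Table HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }
}

# Check 2: the test from the question. Queried against the public server only,
# an internal name must fail to resolve rather than return its private address.
try {
    $r = Resolve-DnsName -Name "fileserver.$Zone" -Server '203.0.113.53' -Type A -DnsOnly -ErrorAction Stop
    Write-Warning "fileserver.$Zone still resolves on the public server to $($r.IPAddress)"
} catch {
    "OK: fileserver.$Zone does not resolve on the public server"
}
```

Check 2 is the one to repeat from an outside host once the firewall forward has been moved; if it still returns a 192.168.x.x address, the forward is still pointing at the PDC. The private-address scan is cheap to rerun whenever someone adds a record to the public zone, which is the usual way an internal host creeps back into it.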
LVL 4

Author Comment

by:o0JoeCool0o
ID: 13979528
great! thanks
LVL 71

Expert Comment

by:Chris Dent
ID: 13979563

Pleasure :)