Setting up, Hosting, External DNS

Posted on 2007-10-12
Last Modified: 2013-12-04
We are trying to host our own DNS server; we are hoping this will make it easier for us to make changes to our environment, as some of our servers are internet facing. The server is built running 2K3 R2 w/ SP2. I have installed DNS and am not sure what the next steps are. The DNS server will be set up on our DMZ and will furnish requests for webmail, the website and 2 other servers. From what I understand, the external DNS is not supposed to see/talk to the internal DNS (for security purposes)? Any assistance in this matter will be appreciated.


Question by: zore

LVL 38
Expert Comment by: Hypercat (Deb)

You are correct. You want your external DNS server to service only requests from external hosts to provide access to your web servers that are open to external access. You would want your internal DNS server to be behind your firewall, providing DNS only for your internal (private) network. As for your external DNS server, the only other things you need to do are (1) make sure the firewall between your DMZ and the Internet has port 42 open for incoming requests; and (2) make sure that your domain name registry has the correct DNS IP address(es) and host name(s) (for your new DNS server) registered as the authoritative DNS server(s) for your domain.
LVL 9
Expert Comment

Your domain name registrar doesn't give you full DNS control?

Messing with public Windows Servers is a bit of a security nightmare. :)

LVL 4
Expert Comment

I agree with Brugh in that security for a public Windows server is problematic. Have you considered running a dedicated Linux server as your public DNS? One very simple and secure option is Engarde Secure Linux. It's easy to install and can be administered through a web GUI.

Another option to consider is to use an outside service and not run your own server at all. I have used DNS Made Easy. It's easy, it's inexpensive and I think it will do everything you need.
LVL 4
Accepted Solution

Point the DNS server's DNS settings, under the TCP/IP configuration, at itself. Under the forward lookups, configure the DNS settings to at least two different outside addresses (your ISP may have given you these).

This will help to ensure that all systems internally go to this server first; it checks itself first, then if nothing is found, it tries to go to the forward addresses (outside). As for the internet facing servers, hopefully they are behind some firewalls. On the firewalls, you can allow web requests with routing, but the external address that, say, the website has will have a host/pointer record associated with it. What you are doing is this...

If web traffic comes in looking for the webserver 55.555.55.555 address, the ISP points it to you. Your firewall says hey, this has a route, so let it through. Now the DNS server grabs the info and looks at the host table. It says address 55.555.55.555 goes to server ABC, so it sends the traffic there.

Going forward from what Brugh said, your ISP/domain registrar should allow you to specify what the IP of the domain(s) in question is. This is helpful if the addresses point to different IP addresses assigned to you by your ISP. If you set up the DNS server on the DMZ, you have to have some method of that server talking to your internal network (e.g. port UDP/TCP 53 open to pass DNS traffic), since the DMZ is a stand-alone setup. This is a great security setup, but a little more complicated to manage/set up initially.
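The split described in this thread (a public, authoritative-only server in the DMZ; a private server behind the firewall that forwards unresolved names to two outside resolvers) can be scripted with dnscmd.exe, which ships with the Windows Server 2003 Support Tools, instead of clicking through the DNS MMC. The script below is an added example, not code from any of the posters; the zone name example.com, the 203.0.113.x and 198.51.100.x addresses (IETF documentation ranges) and the host names are placeholders to replace with your own. The DMZ half deliberately leaves forwarders unset and disables recursion and zone transfers, so the public server answers only for names it hosts and cannot be used to enumerate or resolve anything else; the forwarders from the accepted solution go on the internal server.

```batch
@echo off
REM Added example (not from the thread). Placeholders: example.com, 203.0.113.x, 198.51.100.x.
REM ===== Part 1: run on the DMZ server (public, authoritative for the public zone only) =====

REM Create the public zone; put in it ONLY the hosts that must be reachable from the Internet.
dnscmd /ZoneAdd example.com /Primary /file example.com.dns
dnscmd /RecordAdd example.com @       NS 10 ns1.example.com.
dnscmd /RecordAdd example.com ns1     A  203.0.113.2
dnscmd /RecordAdd example.com www     A  203.0.113.10
dnscmd /RecordAdd example.com webmail A  203.0.113.20
dnscmd /RecordAdd example.com mail    A  203.0.113.20
dnscmd /RecordAdd example.com @       MX 10 mail.example.com.

REM Answer only for zones this server hosts: an Internet-facing server must not
REM resolve arbitrary names on behalf of strangers (open-resolver abuse, amplification).
dnscmd /Config /NoRecursion 1

REM Do not hand the whole zone to anyone who asks: disable zone transfers.
REM (Use /SecureList <ip> instead of /NoXfr if you add a secondary later.)
dnscmd /ZoneResetSecondaries example.com /NoXfr

REM No forwarders here: with recursion off, an authoritative-only server needs none.
dnscmd /ResetForwarders

REM ===== Part 2: run on the INTERNAL server (private, behind the firewall) =====
REM Internal clients point at this server (TCP/IP settings); it answers for the private
REM zone itself and forwards everything else to two outside resolvers from the ISP.
dnscmd /ResetForwarders 198.51.100.53 198.51.100.54 /Timeout 5

REM ===== Part 3: checks =====
REM From an OUTSIDE host, against the DMZ server 203.0.113.2:
REM   should answer with 203.0.113.10
nslookup -type=A www.example.com 203.0.113.2
REM   should fail (recursion is disabled, this name is not in a hosted zone)
nslookup -type=A www.microsoft.com 203.0.113.2
REM   should fail: internal names never exist in the public zone
nslookup -type=A intranet.corp.local 203.0.113.2
REM   should be refused: zone transfers are disabled
nslookup -type=AXFR example.com 203.0.113.2

REM From the LAN, against the internal server: public names resolve via the forwarders.
nslookup -type=A www.example.com
```

Note one correction to the NS line above: the NS record takes no preference value, so the first record command must read `dnscmd /RecordAdd example.com @ NS ns1.example.com.` (only MX carries the numeric priority). The firewall rule for the DMZ server is inbound UDP and TCP 53 from the Internet only; the thread's suggestion to also open 53 from the DMZ toward the internal network is not needed with this layout, because the public server never needs to talk to the private one.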
