Solved

Zone for Internal and External DNS

Posted on 2007-11-24
Last Modified: 2008-05-31
I have a DNS question which I just kind of need a 'Yes, that is right' or 'No, that is OK' answer to.  I am having some weird issues with my firewall using SMTP relay forwarding email to my SPAM firewall.  It appears to be DNS related.  Emails almost seem confused as to where to be sent to. This is a network I have come into that, from what I am told, has had a lot of issues.  I have found that there are two external DNS servers and two Active Directory-integrated internal DNS servers.  The two external DNS servers host the zone for our external servers and services.  I then checked our internal DNS to check its setup and configuration, only to discover that the same zone hosted on our external DNS is also hosted on our internal DNS, along with the local zone.  I have a pretty good grasp of DNS and, in the past, I have always set up my internal DNS servers to point to my external DNS servers that hosted the zone for anything public.  Am I wrong in thinking the zone on my internal DNS that is also hosted on my external should not be there?
Question by:jabar5623
6 Comments
 
LVL 4

Expert Comment

by:mb042
ID: 20344697
There is nothing wrong with this setup, as long as the internal and external are the same DNS (i.e. replicas) and not two separately maintained databases. As long as the external-facing DNS servers are not forwarding requests, this meets the accepted standard.
 
LVL 3

Expert Comment

by:jigans
ID: 20344784
You are thinking right. Get rid of those external zones on your internal DNS; they should not be there.
 

Author Comment

by:jabar5623
ID: 20347188
The internal and external are separately maintained, i.e. they are not sending dynamic updates to one another.  The issue I am seeing is that my SPAM firewall and any of my PCs on my network cannot resolve mail.company.com.  This can be resolved outside of the organization because my external DNS will resolve those requests, but since this zone resides internally, my internal DNS will not answer the request because it sees it has the zone company.com but no record for mail.company.com.  At least this is my assumption.  If I delete this zone on the internal DNS, it will have to forward the request to my external where the request can then be resolved, correct?
 
LVL 3

Expert Comment

by:jigans
ID: 20347447
Jabar,

This is an easy fix. There are two possibilities:

1. Your internal DNS name and external DNS name are the same, e.g. your AD domain is xyz.com and your Internet zone is xyz.com.
If so, you need to create a host record for mail.yourdomain.com on your DNS (and for all other servers hosted outside your network).

2. Your internal DNS name and external DNS name are different, e.g. your AD domain is xyz.local and your external zone is xyz.com. In that case you will have to create a zone xyz.com on your internal DNS and add the appropriate entries for www, mail, etc.

It will NOT be possible to have dynamic updates in either scenario: any time you change provider or the IP address of any server out on the Internet, you will HAVE to manually update the IP address for that record in your internal DNS.

Regards,
Ji..
 

Author Comment

by:jabar5623
ID: 20347612
There is already a zone called xyz.com on my internal and external DNS.  My internal DNS also has xyz.local. The issue I am seeing is that because the internal DNS zone xyz.com does not have any resource records for mail.xyz.com, it only responds with 'non-existent domain' when mail.xyz.com is queried. Our external does have the mail.xyz.com records under xyz.com, but internal DNS does not forward the request since it has the zone xyz.com. So I could add the mail.xyz.com record to my internal DNS under the xyz.com zone, or I could delete the xyz.com zone from my internal DNS so that it will forward requests for xyz.com to my external DNS where those DNS resource records exist and can be resolved, correct?
 
LVL 3

Accepted Solution

by: jigans (earned 300 total points)
ID: 20347659
Since your internal DNS is xyz.local, theoretically you should be able to delete xyz.com.

But from experience, I would recommend that instead of relying on outside DNS to perform resolution, you just create an A record on your internal DNS for each entry which belongs to xyz.com.  I have seen strange results occurring at the firewall if you have an external interface referenced in public DNS: your internal machines will still get strange results if you rely on external DNS.

Again, it will only happen if your external interface(s) has a public DNS record, but if you have everything hosted outside your company then it will not be a problem.

If you have all services hosted outside then delete the xyz.com zone; if you don't then you will need A entries for
www,
mail and whatever else lives on Internet IP addresses.

Regards,
Ji..
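The procedure the two answers above describe (keep an A record in the internal xyz.com zone for every host that actually lives on a public address, and accept that it has to be maintained by hand because no dynamic updates flow between the two copies) as a script. This is an added example, not code from the thread, from the asker, or from Microsoft. It assumes the DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later, or RSAT), and the zone name, server names, addresses and host list are placeholders you would replace with your own. It reports drift between the public answer and the internal copy, and only changes records when run with -Apply.

```powershell
# Added example, not code from the original thread. Mirrors the public A
# records of a split-horizon zone into the internal AD-integrated copy so
# internal clients (the SPAM firewall, workstations) stop getting NXDOMAIN
# for names such as mail.xyz.com. Assumes the DnsServer module (Windows
# Server 2012 or later, or RSAT) and Resolve-DnsName (DnsClient module).
# Zone, host list and server addresses below are placeholders.

$ZoneName       = 'xyz.com'                 # zone hosted both inside and outside
$InternalServer = 'dc01.xyz.local'          # AD-integrated DNS server (assumed name)
$ExternalServer = '198.51.100.53'           # public authoritative server (assumed, documentation range)
$PublicHosts    = @('www', 'mail', 'smtp')  # names that live on Internet addresses (assumed)

function Get-ExternalA {
    param([Parameter(Mandatory)][string]$Name)
    $fqdn = "$Name.$ZoneName"
    try {
        # -DnsOnly bypasses the local cache, LLMNR and NetBIOS; ask the public server directly.
        $answer = Resolve-DnsName -Name $fqdn -Type A -Server $ExternalServer -DnsOnly -ErrorAction Stop
        return @($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress } | Sort-Object -Unique)
    } catch {
        Write-Warning "External lookup of $fqdn failed: $($_.Exception.Message)"
        return @()
    }
}

function Get-InternalA {
    param([Parameter(Mandatory)][string]$Name)
    # A missing name yields no records rather than an error, so the sync can add it.
    $rr = Get-DnsServerResourceRecord -ComputerName $InternalServer -ZoneName $ZoneName `
            -Name $Name -RRType A -ErrorAction SilentlyContinue
    return @($rr | ForEach-Object { $_.RecordData.IPv4Address.ToString() } | Sort-Object -Unique)
}

function Sync-PublicHost {
    param([Parameter(Mandatory)][string]$Name, [switch]$Apply)
    $external = Get-ExternalA -Name $Name
    $internal = Get-InternalA -Name $Name
    if ($external.Count -eq 0) {
        # Never delete internal records on the strength of a failed or empty public lookup.
        Write-Warning "No public A record for $Name.$ZoneName; leaving the internal copy untouched"
        return
    }
    $missing = @($external | Where-Object { $internal -notcontains $_ })
    $stale   = @($internal | Where-Object { $external -notcontains $_ })

    foreach ($ip in $missing) {
        Write-Host "$Name.$ZoneName : add $ip"
        if ($Apply) {
            Add-DnsServerResourceRecordA -ComputerName $InternalServer -ZoneName $ZoneName `
                -Name $Name -IPv4Address $ip -TimeToLive (New-TimeSpan -Hours 1)
        }
    }
    foreach ($ip in $stale) {
        Write-Host "$Name.$ZoneName : remove stale $ip"
        if ($Apply) {
            Remove-DnsServerResourceRecord -ComputerName $InternalServer -ZoneName $ZoneName `
                -Name $Name -RRType A -RecordData $ip -Force
        }
    }
    if ($missing.Count -eq 0 -and $stale.Count -eq 0) {
        Write-Host "$Name.$ZoneName : in sync ($($internal -join ', '))"
    }
}

# Dry run first (report only); rerun with -Apply once the report looks right.
foreach ($h in $PublicHosts) { Sync-PublicHost -Name $h }
# foreach ($h in $PublicHosts) { Sync-PublicHost -Name $h -Apply }
```

The script assumes the internal xyz.com zone already exists, as in the asker's case; for the second possibility in the earlier answer (AD domain xyz.local, no internal xyz.com yet) the zone is created first with Add-DnsServerPrimaryZone. Two caveats worth keeping in mind: the internal copy now follows whatever the public server answers, so run it from an administrative host you trust and review the dry-run output before using -Apply, and any public host you forget to list stays unresolvable internally, which is exactly the NXDOMAIN symptom the thread started with.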
