  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 827

DNS entries for a stand-alone server in a DMZ

I'm referencing an earlier question, that I need a more-detailed solution for:

"Yes, keep your external DNS completely segregated from the AD DNS environment.
I would recommend setting up a standalone box (not on the domain) and configure your DNS entries manually.  This is certainly the most secure."
I have a standalone server in a DMZ.  How would I configure my DNS entries for my internal LAN to access that server by name and not IP?  I want our internal users to route to the internal IP, and not out to the internet and back in as clients would.  Does this mean that I would have to update the hosts / lmhosts files on all of my workstations, or is there any type of entry in DNS that I can make for a standalone machine?

Asked by: dzinesbymeg

1 Solution

savone commented:
What you're saying is you want 2 different records, one for internal and one for external clients?

Well if updating your host files is not an option I would create a DNS server for internal use only.  Use that for internal resolution.


dzinesbymeg (Author) commented:
I do have an internal DNS server...several of them in fact.  To add an A record though, it assumes that the machine is part of the Domain, and the webserver is stand-alone.  My question is specifically what would the DNS record look like on the internal DNS server to access a stand-alone server in a DMZ, or is that even possible?

hbustan commented:
What you need to do is have your internal DNS server connect to your external DNS server. So it can act as a DNS forwarder or Cache on top of hosting its own domains.

Your internal DNS could host a completely different domain such as domain1.com whereas your external DNS will host domain2.com

Since all your workstations connect to your internal DNS, then this is enough to have it retrieve all DNS entries of Domain1.com and Domain2.com and the Internet domains as well (since most likely your external DNS is configured to retrieve Internet domains as well).

On the other hand, all External users will only be able to retrieve records for Domain2.com and not Domain1.com as your external DNS will not forward to your internal.

I hope this clarifies the situation for you.

dzinesbymeg (Author) commented:
hbustan, this is an acceptable solution, but it doesn't answer the question I was trying to ask.  If the server in the DMZ is stand-alone (by which I mean not a part of ANY domain), is there any type of record to be added to the internal DNS that would allow my internal machines to access that server by the same address that my external DNS is pointing to (portal.domain1.com)?  Right now my external DNS is hosted by my ISP.  Maybe it's just not possible...

hbustan commented:
OK - my understanding was that the DNS in your DMZ is the external one.

So you are saying you have DNS internally, DNS in the DMZ and DNS with your ISP? 3 layers?

If this is the case, then:

1. Your Internal DMZ will host your internal servers & have a forwarder to your DNS in DMZ.
2. Your DMZ DNS will host the machines in your DMZ & have a forwarder to your ISP DNS.

This way, when a PC looks up an internal name it will only go to your default DNS and get the values immediately; when looking up a DMZ server name, it will go locally and then your DMZ will make another request to fetch it from the DMZ DNS. When looking up Internet addresses, it will go locally, then your local DNS will request from your DMZ DNS and DMZ DNS will request from the Internet.

So you still do not need to use host files.
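The two things the thread converges on, a static record on the internal DNS server for the DMZ host (the author's actual question) and the internal -> DMZ -> ISP forwarder chain (hbustan's last answer), as an added worked example that is not part of the original thread. It assumes a Windows Server DNS role on the AD-integrated internal server and the DnsServer PowerShell module; every name and address (portal.domain1.com, 10.0.5.20, 10.0.5.53, 10.0.1.10, 192.0.2.53, 203.0.113.10) is a placeholder:

```powershell
# Added example, not from the thread. Assumes the Windows Server DNS role and the
# DnsServer module on the internal (AD-integrated) DNS server, run as a DNS admin.
# Placeholders (assumptions, substitute your own):
#   portal.domain1.com -> public name the ISP publishes as 203.0.113.10
#   10.0.5.20          -> the DMZ server's private (inside) address
#   10.0.5.53          -> DMZ DNS server (the middle layer), if you have one
#   10.0.1.10          -> this internal DNS server
#   192.0.2.53         -> ISP resolver
$PublicName   = 'portal.domain1.com'
$DmzPrivateIp = '10.0.5.20'
$DmzDnsServer = '10.0.5.53'
$InternalDns  = '10.0.1.10'
$IspResolver  = '192.0.2.53'

# 1. Option A: a "pinpoint" zone named after the single host. The internal server is
#    then authoritative only for portal.domain1.com, so every other domain1.com name
#    (www, mail, MX) still resolves through the forwarder to the ISP's copy.
#    A static A record has no dependency on the DMZ box being domain-joined.
if (-not (Get-DnsServerZone -Name $PublicName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PublicName -ReplicationScope 'Domain'
}
# '@' puts the record at the zone apex, i.e. on the name portal.domain1.com itself
Add-DnsServerResourceRecordA -ZoneName $PublicName -Name '@' -IPv4Address $DmzPrivateIp

# 1. Option B (instead of A): host the whole domain1.com zone internally.
#    Only do this if you will mirror every public record by hand; any record you
#    forget becomes unresolvable from the LAN.
# Add-DnsServerPrimaryZone -Name 'domain1.com' -ReplicationScope 'Domain'
# Add-DnsServerResourceRecordA -ZoneName 'domain1.com' -Name 'portal' -IPv4Address $DmzPrivateIp
# Add-DnsServerResourceRecordA -ZoneName 'domain1.com' -Name 'www' -IPv4Address '203.0.113.11'

# 2. Forwarder chain from the thread: internal DNS -> DMZ DNS -> ISP.
#    With no DMZ DNS, forward straight to the ISP resolver instead.
Set-DnsServerForwarder -IPAddress $DmzDnsServer -UseRootHint $false
# On the DMZ DNS server itself (run there, not here):
# Set-DnsServerForwarder -IPAddress $IspResolver -UseRootHint $false

# 3. Verify the split horizon: the internal server must hand out the private
#    address, while the ISP still hands out the public one.
$inside  = (Resolve-DnsName -Name $PublicName -Type A -Server $InternalDns).IPAddress
$outside = (Resolve-DnsName -Name $PublicName -Type A -Server $IspResolver).IPAddress
"Internal view: $PublicName -> $inside"
"External view: $PublicName -> $outside"
if ($inside -ne $DmzPrivateIp) {
    Write-Warning 'Internal clients would still be sent out through the firewall and back in.'
}
```

Two caveats that go with this. The firewall must allow the LAN to reach the DMZ server's private address on the service port, or the name will resolve and the connection will still fail; and the stand-alone DMZ box should point its own resolver at the DMZ DNS (or the ISP), never at the internal AD DNS, otherwise the segregation the earlier answer recommended is undone from the DMZ side.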
