abhijitm00 asked:

DNS setup in DMZ

Hi Experts,

I have been battling with the setup of a DNS server in the DMZ for a while now. We are setting up the DNS (dcsrv02) and the web server on the same Windows 2003 server with different IP (172.16.128.X) addresses. The IP address for the DNS server in DMZ is 172.16.128.15 while that of the web server is 172.16.128.16. Initially I had an issue because the DNS server had no host name as I was confused on adding it to what domain as I did not want it to be part of the internal domain. So I kept it in a workgroup (Home) and added DNS suffix microsoft.local, so I stopped getting the errors above.

In the forward lookup zone (called dmz) on the DMZ DNS server I have the external IP addresses (209.X.X.X) of the DNS server and the web server. The PTR record for the DNS server is registered with our ISP. I have 2 reverse lookup zones in the DMZ DNS server, one for the 172.16.X.X addresses and the other for the 209.X.X.X addresses. Is this correct?

We manage our own DNS so on our internal DNS server I have the 172.16.X.X addresses of the DMZ DNS server and www. On doing this I can browse www from within the domain as well as from the DNS server in the DMZ. But I cannot browse it from outside the domain. On doing this it takes me to a search engine with cached results. Do I need to have some forwarders on our internal DNS server pointing to the external IP of the DMZ DNS server?

We have a PIX firewall and have the following setup on it. The PIX is set up correctly, I believe.
access-list out_in extended permit tcp any host 209.X.X.1 eq www
access-list out_in extended permit udp any host 209.X.X.1 eq domain
access-list out_in extended permit tcp any host 209.X.X.1 eq domain
access-list out_in extended permit tcp any host 209.X.X.2 eq www
access-list out_in extended permit tcp any host 209.X.X.3 eq www

access-list DMZ_in extended permit tcp any eq domain host 209.X.X.1
access-list DMZ_in extended permit udp any eq domain host 209.X.X.1
access-list DMZ_in extended permit tcp any eq www host 209.X.X.2

global (DMZ) 1 209.155.24.3

static (DMZ,outside) 209.X.X.1 172.16.128.15 netmask 255.255.255.255
static (DMZ,outside) 209.X.X.2 172.16.128.16 netmask 255.255.255.255

access-group allow_any in interface DMZ

On querying DNS for our www.domainname.com, I get one of our NSs reported as a lame name server and also "no NS A record at Name server" for dcsrv02. I don't know what this means or how to fix it.

Greatly frustrated.
Tags: DNS, Cisco, Windows Server 2003
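Added example (my own code, not the poster's configuration or anything from Cisco): a small consistency check over the firewall lines quoted in the question. It parses the access-list, static and access-group entries and reports permit entries whose destination host has no static translation, access-group bindings that name an ACL not defined in the snippet, and ACLs that are defined but not applied to any interface. The sample input is the posted snippet with the poster's X masking kept, so addresses are compared as plain text; on a partial or masked paste like this one, a finding can simply mean the matching line was not pasted.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Sample input: the firewall lines posted in the question, kept verbatim,
# including the poster's "X" masking (addresses are therefore compared as text).
SAMPLE_CONFIG = """\
access-list out_in extended permit tcp any host 209.X.X.1 eq www
access-list out_in extended permit udp any host 209.X.X.1 eq domain
access-list out_in extended permit tcp any host 209.X.X.1 eq domain
access-list out_in extended permit tcp any host 209.X.X.2 eq www
access-list out_in extended permit tcp any host 209.X.X.3 eq www
access-list DMZ_in extended permit tcp any eq domain host 209.X.X.1
access-list DMZ_in extended permit udp any eq domain host 209.X.X.1
access-list DMZ_in extended permit tcp any eq www host 209.X.X.2
global (DMZ) 1 209.155.24.3
static (DMZ,outside) 209.X.X.1 172.16.128.15 netmask 255.255.255.255
static (DMZ,outside) 209.X.X.2 172.16.128.16 netmask 255.255.255.255
access-group allow_any in interface DMZ
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")


@dataclass
class PixSnapshot:
    # ACL name -> list of (action, proto, src, src_port, dst, dst_port)
    acls: dict = field(default_factory=lambda: defaultdict(list))
    # mapped (outside) address -> real (DMZ) address, from static lines
    statics: dict = field(default_factory=dict)
    # (acl name, direction, interface), from access-group lines
    bindings: list = field(default_factory=list)


def _take_addr(tokens, i):
    """Read one address spec ("any", "host X" or "net mask") starting at index i."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def _take_port(tokens, i):
    """Read an optional "eq <service>" at index i."""
    if i < len(tokens) and tokens[i] == "eq":
        return tokens[i + 1], i + 2
    return None, i


def parse_pix(text):
    """Build a PixSnapshot from access-list, static and access-group lines."""
    snap = PixSnapshot()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            tokens = rest.split()
            src, i = _take_addr(tokens, 0)
            src_port, i = _take_port(tokens, i)   # DMZ_in puts "eq" on the source side
            dst, i = _take_addr(tokens, i)
            dst_port, i = _take_port(tokens, i)
            snap.acls[name].append((action, proto, src, src_port, dst, dst_port))
        elif m := STATIC_RE.match(line):
            _real_if, _mapped_if, mapped, real, _mask = m.groups()
            snap.statics[mapped] = real
        elif m := GROUP_RE.match(line):
            snap.bindings.append(m.groups())
    return snap


def unmapped_permits(snap):
    """Permit entries whose destination host has no static translation (deduplicated)."""
    found = []
    for name, entries in snap.acls.items():
        for action, _proto, _src, _sport, dst, _dport in entries:
            if action == "permit" and dst != "any" and dst not in snap.statics:
                if (name, dst) not in found:
                    found.append((name, dst))
    return found


def dangling_bindings(snap):
    """access-group lines that reference an ACL name not defined in the snippet."""
    return [name for name, _dir, _iface in snap.bindings if name not in snap.acls]


def unbound_acls(snap):
    """ACLs defined in the snippet but not applied to any interface in it."""
    bound = {name for name, _dir, _iface in snap.bindings}
    return sorted(name for name in snap.acls if name not in bound)


if __name__ == "__main__":
    snap = parse_pix(SAMPLE_CONFIG)
    for acl, dst in unmapped_permits(snap):
        print(f"{acl}: permits traffic to {dst}, but no static maps it to a DMZ host")
    for acl in dangling_bindings(snap):
        print(f"access-group references ACL '{acl}', which is not defined in the snippet")
    for acl in unbound_acls(snap):
        print(f"ACL '{acl}' is defined but not applied to an interface in the snippet")
```

The check deliberately reads the raw `host` tokens rather than parsing them as IP addresses, because masked configs like the one above would otherwise fail to parse; with a real config the same comparisons work unchanged.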

Last Comment: marrowyung (8/22/2022 - Mon)
greenhacks

Name of your nameserver (domain name): does it have a proper host A record pointing to this DNS server's IP address?
abhijitm00

ASKER
Thanks for getting back, greenhacks. Where will this A record reside: internal DNS, DMZ DNS or at our ISP? On the internal DNS I have the 172 address pointing to the DNS server in the DMZ.
greenhacks

Let me ask you: are you trying to set up a public DNS server, a name server to host all domains, or an internal DNS server?
abhijitm00

ASKER
I want the DNS server to provide info about servers in the DMZ; I guess that makes it a public DNS server. How would the configs be different for each? Thanks.
greenhacks

Can you explain the scenario or the need for this to me? How are you going to use this externally? Then I can explain better how this works.
greenhacks

One thing to remember: if you want to bring all these servers live, then they need a public IP with a valid registered domain name. I await your reply to understand what your need is.
abhijitm00

ASKER
The PTR record for dcsrv02.domainname.com is registered with the ISP, and it is also added as an NS on our godaddy.com records. They do have a public IP (209.X.X.X). We want people looking for www.domainname.com to go to the web server in the DMZ, and they will get this info from the DNS server in the DMZ. Does this help?
ASKER CERTIFIED SOLUTION
greenhacks

(solution text only available to members; not shown on this page)
abhijitm00

ASKER
Yes, that does help. What kind of servers do people normally use in the DMZ? Are they NS or internal kind? Thanks for your patience.
SOLUTION
greenhacks

(solution text only available to members; not shown on this page)
abhijitm00

ASKER
greenhacks, thanks for your replies. I finally understood how to complete this: I added 2 name servers in the DMZ and added them to GoDaddy. I also registered the PTRs with my ISP, disabled external access to my internal NS, deleted any external IP addresses from my internal NS and moved all those records to the DMZ DNS.
greenhacks

That's so perfectly done. Great.
marrowyung

Dear abhijitm00,

My company does e-commerce and hosts a web site; we don't do a complicated setup like yours and we don't get into trouble like this.

We don't install any DNS server in the DMZ; please never do this.

We only install the web server (internet-facing) in the DMZ, we only use one public DNS server like GoDaddy, and at our ISP we create the PTR record.

That's it! If you make it complicated, when you manage it (delete anything, for example), a huge amount of work needs to be done and it is hard to troubleshoot. Also.

So we only do this:
1) set up the web server and map it using the firewall to a public IP address (the IP address assigned to you by the ISP)
2) in a public DNS server like GoDaddy, add the A record.
3) add the PTR record in your ISP's DNS server.

Marrow.
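Added example (my own code, not posted by anyone in this thread): offline versions of the two checks the thread keeps circling. The first is the delegation check behind the "lame name server" and "no NS A record at Name server" findings in the question: every NS listed for the zone must have an A record, and the server at that address must answer authoritatively for the zone. The second is the forward/reverse pairing that marrowyung's steps 2 and 3 set up: the A record for a host and the PTR record the ISP publishes must point at each other. The domain example.com, the 203.0.113.0/24 addresses, the server names and every record below are constructed sample data; nothing is looked up live.

```python
"""Offline delegation and forward/reverse consistency checks (added example)."""

# Constructed sample data: what the registrar (parent zone) publishes as NS.
PARENT_NS = {"example.com": ["dcsrv02.example.com", "ns2.example.com", "ns3.example.com"]}

# Constructed A records reachable through the delegation (glue plus zone data).
# ns3.example.com deliberately has none, to reproduce "no NS A record".
A_RECORDS = {
    "dcsrv02.example.com": "203.0.113.15",
    "ns2.example.com": "203.0.113.17",
    "www.example.com": "203.0.113.16",
    "mail.example.com": "203.0.113.18",
}

# Constructed view of which zones each server answers for with the AA flag set.
# ns2 (203.0.113.17) is listed as NS but does not serve the zone, i.e. it is lame.
AUTHORITATIVE_FOR = {
    "203.0.113.15": {"example.com"},
    "203.0.113.17": set(),
}

# Constructed PTR records as published in the ISP's reverse zone.
# 203.0.113.18 points back to a different name than its A record.
PTR_RECORDS = {
    "203.0.113.15": "dcsrv02.example.com",
    "203.0.113.16": "www.example.com",
    "203.0.113.18": "web01.example.com",
}


def _norm(name):
    """DNS names are case-insensitive; ignore a trailing dot as well."""
    return name.lower().rstrip(".")


def check_delegation(zone, parent_ns, a_records, authoritative_for):
    """Classify each delegated NS as ok, lame, or missing its A record."""
    report = {"ok": [], "lame": [], "missing_a": []}
    for ns in parent_ns.get(_norm(zone), []):
        ip = a_records.get(_norm(ns))
        if ip is None:
            report["missing_a"].append(ns)          # "no NS A record"
        elif _norm(zone) not in authoritative_for.get(ip, set()):
            report["lame"].append(ns)               # listed as NS, not authoritative
        else:
            report["ok"].append(ns)
    return report


def check_forward_reverse(name, a_records, ptr_records):
    """Forward-confirmed reverse DNS: name -> A -> IP -> PTR -> the same name."""
    ip = a_records.get(_norm(name))
    if ip is None:
        return False, f"no A record for {name}"
    ptr = ptr_records.get(ip)
    if ptr is None:
        return False, f"no PTR record for {ip}"
    if _norm(ptr) != _norm(name):
        return False, f"PTR for {ip} is {ptr}, not {name}"
    return True, ip


if __name__ == "__main__":
    report = check_delegation("example.com", PARENT_NS, A_RECORDS, AUTHORITATIVE_FOR)
    for state, servers in report.items():
        for ns in servers:
            print(f"{ns}: {state}")
    for host in ("www.example.com", "mail.example.com"):
        ok, detail = check_forward_reverse(host, A_RECORDS, PTR_RECORDS)
        print(f"{host}: {'consistent' if ok else 'MISMATCH'} ({detail})")
```

Against live DNS the same two functions apply unchanged; only the three record tables would be filled from real queries (the parent's NS answer, the A lookups for each NS name, and a query to each NS address checking whether the answer carries the AA flag).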