Frank McCourry (United States of America) asked on

DNS Server configuration and Security

Here's the current scenario: We operate multiple websites and host DNS for those sites on our own networks. There are 4 DNS servers involved. Two of them (NS1 and NS2) are for resolution of domain names from the Internet. Because of security issues recursion has been disabled on these two servers, causing the internal network to be unable to use these servers for lookups. Therefore we put into place NS3 and NS4 to handle DNS lookups from our internal network. All is working well, except that when I run a DNS report from DNSStuff.com, I come across an error that has me concerned. This error indicated that there are stealth servers for every domain we host, which I assume NS3 and NS4 are being called stealth because they will not respond to requests from the Internet, which is what they are designed to do.

My question is this:
Am I correct in using this configuration? If so, should I remove NS3 and NS4 from the name servers tab for each domain? And if I do that, what implications are there?

Tags: DNS, Windows Server 2003

Last Comment: Chris Dent, 8/22/2022 - Mon
Chris Dent


Hey,

You shouldn't advertise ns3 and 4 in the public zone if they can't be reached by the public.

You can't conditionally forward requests for the zone(s) in question to ns1 and 2? Leaving ns3 and 4 as private resolvers (caching only, or caching and private zones only)?

Chris
Frank McCourry

ASKER
Conditionally forwarding requests is a possibility, but I've been avoiding this because it requires manual configuration each time a new domain is added to the forward lookup zones. I have not tried straight forwarding though.... that may work. I assume that I will make NS1 and NS2 both strictly caching servers then?
Chris Dent


> I have not tried straight forwarding though.... that may work

It'll require the servers you forward to support recursive queries. Undoes the security you added by turning it off.

Hmm I have an idea that may work.

Are the name servers the same for every single zone on the server? Or is it zone specific?

If they're the same for all zones you can create a couple of new zones on ns3 and ns4. e.g.

Zone Name: ns1.domain.com.
Records: "(same as parent folder)"   Host (A)   PrivateIP

Zone Name: ns2.domain.com.
Records: "(same as parent folder)"   Host (A)  PrivateIP

"(same as parent folder)" is the Origin, @, or a host record created with a blank name.

The idea is that we substitute the private A Records for the name servers when using ns3 and ns4. It side-steps all thoughts of conditional forwarders while maintaining the same effect.

Chris
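The override zones Chris describes, written out as a dnscmd batch script for Windows Server 2003. This is an added example, not part of the thread and not Chris's own commands; dnscmd comes from the Windows Server 2003 Support Tools. The server names NS3 and NS4, the domain domain.com and the private addresses 192.168.10.11 / 192.168.10.12 are assumed placeholders; substitute your own.

```batch
@echo off
REM Added example (not from the thread): create the "ns1.domain.com" and
REM "ns2.domain.com" override zones on the internal resolvers with dnscmd.
REM Assumed placeholders: internal resolvers NS3 and NS4, public name servers
REM ns1.domain.com / ns2.domain.com, private addresses 192.168.10.11 / .12.

setlocal
set DOMAIN=domain.com
set NS1_PRIVATE=192.168.10.11
set NS2_PRIVATE=192.168.10.12

for %%S in (NS3 NS4) do (
    REM One zone per public name server name, created as a standard primary
    REM zone stored in a file. Not AD-integrated, so it never replicates to
    REM the public servers and only NS3/NS4 ever answer from it.
    dnscmd %%S /ZoneAdd ns1.%DOMAIN% /Primary /file ns1.%DOMAIN%.dns
    dnscmd %%S /ZoneAdd ns2.%DOMAIN% /Primary /file ns2.%DOMAIN%.dns

    REM "@" is the zone origin, shown in the DNS MMC as "(same as parent folder)".
    REM This is the private A record that substitutes for the public glue.
    dnscmd %%S /RecordAdd ns1.%DOMAIN% @ A %NS1_PRIVATE%
    dnscmd %%S /RecordAdd ns2.%DOMAIN% @ A %NS2_PRIVATE%
)

REM Check 1: from the inside, the name server names must now resolve to the
REM private addresses (answered locally, no recursion to the Internet).
nslookup -type=A ns1.%DOMAIN%. NS3
nslookup -type=A ns2.%DOMAIN%. NS4

REM Check 2: other names in the domain must still resolve; the override zones
REM cover only ns1.domain.com and ns2.domain.com, not the rest of domain.com.
nslookup -type=A www.%DOMAIN%. NS3

REM Check 3: Chris's caveat - NS3/NS4 must actually be able to reach NS1/NS2
REM on port 53 at the address the override zone hands out. Query NS1 directly.
nslookup -type=SOA %DOMAIN%. %NS1_PRIVATE%
endlocal
```

Run the script once; each dnscmd line reports "Command completed successfully" or an error, and the three nslookup checks at the end confirm the private answer, that the rest of the domain is unaffected, and that the public servers are reachable from the internal resolvers. Because the zones are file-backed primaries rather than AD-integrated, they stay out of the replication scope of the existing zones, which addresses the concern about mixing this with AD-replicated zones later in the thread.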
Frank McCourry

ASKER
Change NS1 and NS2 for NS3 and NS4 in that last comment.
Chris Dent


Ahh ns3 and ns4 makes more sense. And yes, it would make them effectively caching only unless you have other private zones to serve.

It works well if ns3 and ns4 can reach ns1 and ns2 via the public IP.

Chris
Frank McCourry

ASKER
>Are the name servers the same for every single zone on the server? Or is it zone specific?
Some zones are specific, but for the most part, they are the same. I wonder if I can use a mixed solution?
If I use the above scenario, then these questions come up.....
I also use AD for replication, which I assume that I will have to change all of the zones on these servers to stub zones? Or would I just make them stand alone DNS servers by removing them from AD Replication altogether?

ASKER CERTIFIED SOLUTION
Chris Dent

Frank McCourry

ASKER
Thanks for your responses.  You have been a great help and have me pointed in the right direction.  Keep up the good work!
Chris Dent


You're welcome :)

Chris