Solved

Set up Public DNS

Posted on 2009-04-01
441 Views
Last Modified: 2012-05-06
We have internal DNS zones, some of them are AD Integrated and some are Primary/Secondary zones.
Example
AA.com
BB.com
CC.DD.com
FF.com
GG.HH.com

I want public users to be resolved to the same zones:
AA.com
BB.com
CC.DD.com
FF.com
GG.HH.com

But without having them create records in DNS.
I thought about creating 2 DNS servers, Primary and Secondary, and putting them in the DMZ; I am not sure if they need to be member servers or not joined to the domain at all.
Any suggestions?

Thanks

Question by:jskfan
8 Comments
 
LVL 2

Expert Comment

by:ibiadmin6
ID: 24045950
Public DNS zones should be on a different server than your internal private zones!

You should not expose your internal zones to the internet!

That said, the internal zones should be private IP address ranges which are not routable on the internet. So some type of NAT'ing should be required, using firewalls, to resolve internal DNS from the Internet.
 

Author Comment

by:jskfan
ID: 24048080
ibiadmin6:

I looked at this link:
http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html

I don't know why it's so complicated compared to what you have suggested.
 
LVL 70

Accepted Solution

by:Chris Dent (earned 250 total points)
ID: 24048564

There are a few reasons you should use Split Brain rather than just making those zones public:

1. AD Integrated Zones make really crappy public zones. They have invalid SOA records, generally invalid NS records, and tend to contain a lot of private data that really shouldn't be publicly available.

They're fine for internal use, that's what they were built for.

2. If you use your DNS servers to resolve external names as well as authoritative domains you have no way of stopping someone out on the Internet using it for that. At best it means you might have to put up with external people using your DNS server as a resolver. At worst it opens you up to attack.

This is more of a limitation in MS DNS. BIND does allow you to differentiate based on the source of the request.

The disadvantage of Split Brain is clear: you have to maintain two copies of the same zone. But sometimes there's not much of a way around that.

Chris
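An added check (not from the thread or any of its posters) for Chris's first point: before publishing a copy of an AD-integrated zone externally, audit the export for private addresses, NS/SOA records that name internal hosts, and the service records Active Directory registers. The sample zone text is constructed; 64.64.64.64 is the example public address used in the thread.

```python
import ipaddress

# Constructed sample export of an AD-integrated zone (made up; 64.64.64.64 is
# the example public address from the thread).
SAMPLE_ZONE = """\
$ORIGIN AA.com.
@                    IN SOA  dc01.AA.com. hostmaster.AA.com. 2009040101 900 600 86400 3600
@                    IN NS   dc01.AA.com.
dc01                 IN A    10.10.10.5
www                  IN A    64.64.64.64
_ldap._tcp.dc._msdcs IN SRV  0 100 389 dc01.AA.com.
_kerberos._tcp       IN SRV  0 100 88 dc01.AA.com.
DomainDnsZones       IN A    10.10.10.5
"""

# Labels that exist only because Active Directory registers them.
AD_LABELS = {"_msdcs", "_sites", "_tcp", "_udp", "domaindnszones", "forestdnszones"}

def parse_zone(text):
    """Return (origin, records), records as (name, rtype, rdata_fields); one
    class-IN record per line, as in the sample."""
    origin, records = "", []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "$ORIGIN":
            origin = fields[1]
        elif "IN" in fields:
            cls = fields.index("IN")
            records.append((fields[0], fields[cls + 1], fields[cls + 2:]))
    return origin, records

def audit_zone(text):
    """Map each record name to the reasons it must not be published as-is."""
    origin, records = parse_zone(text)
    # FQDN -> address for every A/AAAA record, so NS and SOA targets can be checked.
    addresses = {(origin if n == "@" else f"{n}.{origin}").lower(): ipaddress.ip_address(r[0])
                 for n, t, r in records if t in ("A", "AAAA")}
    findings = {}
    for name, rtype, rdata in records:
        reasons = []
        if rtype in ("A", "AAAA") and not ipaddress.ip_address(rdata[0]).is_global:
            reasons.append("address is not globally routable")
        if rtype in ("NS", "SOA"):
            target = addresses.get(rdata[0].lower())
            if target is not None and not target.is_global:
                reasons.append(f"{rtype} names an internal host ({rdata[0]})")
        if AD_LABELS & set(name.lower().split(".")):
            reasons.append("Active Directory service record")
        if reasons:
            findings.setdefault(name, []).extend(reasons)
    return findings
```

Run against the sample, only `www` survives; everything else is exactly the kind of record Chris describes, which is why the public copy of the zone is built by hand rather than exported.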
 
LVL 2

Expert Comment

by:ibiadmin6
ID: 24048611
I agree, and it is confusing in the beginning but will make sense. The comment I made above was using split DNS as we do currently.

It is easier to maintain if the internal namespace is a different name than the external namespace also. Ours is not unfortunately.
 

Author Comment

by:jskfan
ID: 24048783
So I can put the following zones on both internal and external DNS servers:
AA.com
BB.com
CC.DD.com
FF.com
GG.HH.com


With the Registrar I will register all the above zones to point to the same public IP, ex: 64.64.64.64.

In the firewall, NAT will translate the public IP 64.64.64.64 to the IP address of the DNS server in the DMZ.
In the DNS inside the DMZ I will create the zones, and inside each zone I will create records pointing to web, FTP servers, etc.

Regarding the internal DNS, I will have nothing special to do, leave AD integrated zones.

Is this correct?
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24048811

If the Internal (AD) DNS servers are remaining separate from the public system then no changes are required there.

Chris
 
LVL 2

Assisted Solution

by:ibiadmin6
ibiadmin6 earned 250 total points
ID: 24048843
1. At the registrar you point your domains' DNS servers to your new external DNS servers. This would typically be a by-domain setting where your domains are registered. Beware this takes 24 hours or more to complete, etc.

2. I advise two external DNS servers; they are recommended for failover, and actually required for external DNS server hosting by the RFCs.
 

Author Comment

by:jskfan
ID: 24051862
<<<<1. At the registrar you point your domains DNS servers to your new external DNS servers. This would typically be a by domain setting where your domains are registered. Beware this takes 24 hours or more to complete etc.>>>>

The external DNS server is in the DMZ and it has a private IP address.
I thought at the registrar I will buy a public IP (64.64.64.64) that points to our domain name, ex: xyz.com,
and our firewall external NIC will have the same IP (64.64.64.64), and the firewall will NAT this public IP to the internal IP address of the DNS in the DMZ, ex: 10.10.10.10.

Correct?