Setting up a primary DNS server behind a firewall

DanielFGarcia
I have a domain that is currently hosted by 3 DNS servers. Let's call these B, C & D. These servers are hard to administer, so I'm looking for a better solution.

I have an internal DNS server (using Active Directory). This server is behind a NAT and is therefore available under 2 different IP addresses. I'll refer to these as A1 and A2, with A2 being the external address.

What I'd like to do is:
* Have the internal server (Server A) be the primary for the domain
* Servers B,C & D will be the secondaries and receive updates from A
* The delegation will still point to B, C & D. A will never answer DNS queries. In fact port 53 will not be opened incoming to A. A will always push out.

Is this possible? Am I breaking any DNS rules by setting it up this way?

In the domain records
* What servername or address should be listed for the SOA record?
* Which servers should be listed in the NS records?

Thank you.
Chris Dent (PowerShell Developer, Top Expert 2010)

Commented:

> A will never answer DNS queries

Leaking stealth name servers isn't exactly good practice. If someone caches your NS records (obtained from B, C or D), which will include A, they will attempt to query A occasionally. If you don't let them, that results in a timeout. Perhaps not the end of the world, but it's still not good practice.

> * What servername or address should be listed for the SOA record?

A must be. The SOA is used by Secondary Servers to figure out when to update the Zone, it cannot be anything else.

> * Which servers should be listed in the NS records?

All servers who are authoritative for the zone, including A. The SOA must have a corresponding NS record I'm afraid.

Why do you want to hide the Primary Server? Because it runs AD?

Chris

Author

Commented:
Yes I am running AD. I'd rather not have it exposed.

Regarding the address on the SOA record, should it be the server's public (NATed) or private IP address?

Regarding the NS records, do I need records for the public and private IP addresses?
Chris Dent (PowerShell Developer, Top Expert 2010)
Commented:

> Regarding the address on the SOA record, should it be the server's public (NATed) or private IP address?

Well, if you were exposing it... public.

Given that it runs AD I wouldn't let it have this zone at all. I'd use B, C and D only. Perhaps run a Secondary version of the zone on A with no NS record on the other servers?

But then, I never liked mixing public and private DNS servers. I've seen a few too many cases where it's been done incorrectly.

Or a Conditional Forwarder or Stub zone if that isn't appropriate.

> Regarding the NS records, do I need records for the public and private IP addresses?

Only public IP addresses. After all, you need it to work for the public :)

If you need private addressing as well and happen to be using BIND for the other three, you could implement a View. No such luck with MS DNS though.

Chris
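Chris's two answers boil down to three checks on the public zone: the SOA MNAME must be one of the NS records, every server in the apex NS set should also be delegated by the parent (otherwise it is a stealth server that cached NS data will still lead resolvers to, giving timeouts), and every listed server needs a public address. The following Python script, added here as an example and not code from the thread or from Experts Exchange, runs those checks offline on constructed data: a "hidden primary" scenario matching the original plan and a "public only" scenario matching Chris's suggestion of leaving the zone on B, C and D. All hostnames (`*.example.net`) and addresses are constructed; the 198.51.100.0/24 and 203.0.113.0/24 ranges are RFC 5737 documentation space.

```python
"""Offline sanity check of a zone's apex NS/SOA data against its parent delegation.

Added example for this thread, not code from Experts Exchange or any poster.
Every name and address below is constructed.
"""
import ipaddress

# Address space that cannot be reached from the public Internet (RFC 1918,
# RFC 6598 CGNAT, loopback, link-local). A nameserver glued to one of these is
# unusable for the public even though it appears in the zone.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def canon(name):
    """Lower-case a hostname and make it absolute (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def check_delegation(parent_ns, zone_ns, soa_mname, glue):
    """Return a dict of findings; all lists empty means the delegation is clean.

    parent_ns : NS names the parent zone delegates to
    zone_ns   : NS names at the zone apex (what the authoritative servers answer)
    soa_mname : MNAME field of the zone's SOA record
    glue      : hostname -> IPv4 address for each nameserver
    """
    parent = {canon(n) for n in parent_ns}
    child = {canon(n) for n in zone_ns}
    mname = canon(soa_mname)
    glue = {canon(k): v for k, v in glue.items()}

    findings = {
        # The SOA MNAME must itself be a listed NS (the point made in the thread).
        "mname_not_in_ns": [] if mname in child else [mname],
        # In the apex NS set but unknown to the parent: a "stealth" server that
        # resolvers will still try once they have cached the apex NS set.
        "stealth": sorted(child - parent),
        # Delegated by the parent but absent from the apex NS set.
        "not_in_apex": sorted(parent - child),
        "no_glue": [],
        "non_public_address": [],
    }
    for name in sorted(child | parent):
        addr = glue.get(name)
        if addr is None:
            findings["no_glue"].append(name)
            continue
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in NON_PUBLIC):
            findings["non_public_address"].append((name, addr))
    return findings


def is_clean(findings):
    """True when no check produced a finding."""
    return not any(findings.values())


# Constructed scenario 1: the asker's plan. A is SOA MNAME and in the apex NS set,
# but the parent only delegates to B, C and D, and A sits on a private address.
HIDDEN_PRIMARY = dict(
    parent_ns={"b.example.net", "c.example.net", "d.example.net"},
    zone_ns={"a.example.net", "b.example.net", "c.example.net", "d.example.net"},
    soa_mname="a.example.net",
    glue={"a.example.net": "10.0.0.5", "b.example.net": "198.51.100.10",
          "c.example.net": "198.51.100.11", "d.example.net": "203.0.113.20"},
)

# Constructed scenario 2: the shape suggested in the thread. Only B, C and D carry
# the public zone, one of them is MNAME, and A is not referenced anywhere.
PUBLIC_ONLY = dict(
    parent_ns={"b.example.net", "c.example.net", "d.example.net"},
    zone_ns={"b.example.net", "c.example.net", "d.example.net"},
    soa_mname="b.example.net",
    glue={"b.example.net": "198.51.100.10", "c.example.net": "198.51.100.11",
          "d.example.net": "203.0.113.20"},
)


if __name__ == "__main__":
    for label, scenario in (("hidden primary", HIDDEN_PRIMARY),
                            ("public only", PUBLIC_ONLY)):
        result = check_delegation(**scenario)
        print(label + ":", "clean" if is_clean(result) else result)
```

Run against the "hidden primary" data it reports A both as a stealth server and as a server with a non-public address; the "public only" data comes back clean. In practice the parent NS set would come from the parent zone's servers and the apex set from each of B, C and D in turn, so the same check also catches the three secondaries drifting apart.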
