DNS Architecture

I have two Windows name servers, one that holds primary zones and the other that holds secondary zones. These servers are not part of a domain and host external zones. We allow each site's external firewalls to transfer zones from the primary server.

My question is: if I want the firewalls to hold an authoritative copy of the zone, do I have to list them in the Name Servers tab? Or can I just let them pull the zone and leave only the two Windows name servers in the Name Servers tab?
I think you are trying to set up something called a "hidden primary".
However, in that case it should be the other way round (in parts).
Actually, whether a name server tags its replies as authoritative is not completely identical with whether it appears in NS replies.
The servers in the Name Servers tab are what is returned to someone externally querying your firewall for record type NS. They may try to query the hostnames returned for additional info about the zone, so the reply should make sense to them.
Hence the reply they get should contain the official hostnames of your firewall(s), and it should not contain internal names (e.g. ending in "domain.local") of your Windows boxes.

According to wikipedia (and what I have read elsewhere), the definition of an authoritative server is one with an NS record stored in the parent domain - i.e. a list that is probably held by the service provider where you registered your domain names.

I think your firewalls should also be listed in the Name Servers tab of the Windows machine because it makes no sense to not include them, but that alone does not determine whether they are deemed to be authoritative. Another reason to include them is so you can set the security option on the primary server's "Zone Transfers" tab to "Only to servers listed on the name servers tab".


Thanks for the replies.

These Windows DNS boxes reside outside of the site firewalls and are not a part of any domain, so when queried they don't return any internal names.

Currently I have the firewalls listed in the Name Servers tab for all zones, but what is registered at the parent domain differs between zones. For some of the zones my Windows boxes and firewalls are registered, while others only have the Windows boxes registered. So I am trying to standardize this so all zones are set up the same. We don't use the "Only to servers listed on the name servers tab" option because of security issues, so we manually list all IPs that are allowed Zone Transfers.

The thing is some of my sites have 9 firewalls listed in the Name Servers tab but they are not registered at the Parent Domain and so I am trying to figure out if I should go through the painful process of registering all of them, or if it is ok to only list the Windows servers.  

I cannot see the logic of this - if the firewalls hold a copy of the DNS data, but they are not listed in the parent domain and they are not listed in the NS records of the domain itself, then what purpose do they serve? How can anything find them?


The firewalls are not registered at the parent nameserver level, but they ARE listed as NS records of the zone themselves.  

So I guess what I am really looking for is what the best practice would be. Would it be best to register my Windows DNS boxes as well as the firewalls at the parent nameservers level, or is it ok to only list the Windows DNS servers at the parent nameservers level?
Usual practice is to have 2 name servers registered in the parent domain - the preferred plus a backup. In your case I would think the obvious choice would be the two Windows machines, giving the primary DNS server as the preferred. Then, the firewalls would be of little relevance and would not need to be listed in any NS records - keeping things simple.

However, by listing them in the parent domain you are publishing their IP addresses to the world. A security expert might argue that the Windows servers are more vulnerable to hacking than the firewalls, in which case it might be preferable to list the addresses of two of your firewalls instead (provided you are confident the firewalls are secure, will be 'always available' and will hold an up-to-date copy of the DNS records for your zones). This is more complicated however, because the Windows DNS server will almost certainly want to see its own IP address in the NS records (and possibly the SOA record), so it would still be possible for a direct query to return the addresses of the Windows servers to someone on the Internet.

If it was my choice, I'd go for the simple solution.
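A check that follows the advice in this thread, added here as an example and not code from the thread: it compares the NS set the parent publishes for a zone with the NS set at the zone apex (the Name Servers tab) and flags any listed server that does not answer for the zone with the AA flag. `dig` assumes dnspython is installed, `parent_server` is assumed to be a name server of the parent zone, and `query` is injectable so the comparison logic can be exercised offline with constructed data.

```python
"""Added example: audit a zone's delegation.  Compares the NS set the parent
publishes for a zone with the NS set at the zone apex, and checks that every
listed server answers for the zone with the AA flag.  Not the thread's code."""
import ipaddress


def dig(name, rdtype, server):
    """Real lookup via dnspython (assumed installed): non-recursive query of
    `server` for name/rdtype -> (rdata strings in answer+authority, AA flag)."""
    import dns.flags, dns.message, dns.query, dns.rdatatype, dns.resolver
    try:
        ip = str(ipaddress.ip_address(server))
    except ValueError:                               # hostname: resolve it first
        ip = dns.resolver.resolve(server, "A")[0].address
    q = dns.message.make_query(name, rdtype)
    q.flags &= ~dns.flags.RD                         # no recursion: ask the server itself
    r = dns.query.udp(q, ip, timeout=3)
    want = dns.rdatatype.from_text(rdtype)
    data = {rd.to_text().lower() for sect in (r.answer, r.authority)
            for rrset in sect if rrset.rdtype == want for rd in rrset}
    return data, bool(r.flags & dns.flags.AA)


def _safe(query, *args):
    try:
        return query(*args)
    except Exception:                                # timeout, REFUSED, unresolvable name
        return set(), False


def audit_delegation(zone, parent_server, query=dig):
    """Compare parent delegation, zone apex NS set and each server's AA behaviour.
    parent_server: a name server of the parent zone (hypothetical value in tests)."""
    zone = zone.rstrip(".").lower() + "."
    parent_ns, _ = _safe(query, zone, "NS", parent_server)   # delegation at the parent
    zone_ns = set()
    for ns in sorted(parent_ns):                      # apex NS set from an AA answer only
        apex, aa = _safe(query, zone, "NS", ns)
        if aa:
            zone_ns = apex
            break
    lame = {ns for ns in parent_ns | zone_ns
            if not _safe(query, zone, "SOA", ns)[1]}  # answers for the zone without AA
    return {
        "parent_ns": parent_ns, "zone_ns": zone_ns,
        "only_in_zone": zone_ns - parent_ns,   # listed in the zone, unreachable by delegation
        "only_in_parent": parent_ns - zone_ns, # delegated, but the zone itself omits them
        "not_authoritative": lame,
    }
```

Servers that appear only in `only_in_zone` are in the situation the firewalls above are in: they hold the data and answer authoritatively, but nothing following the delegation from the parent will ever be sent to them.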
