netF
asked on
DNS Architecture
I have two Windows name servers, one that holds primary zones and the other that holds secondary zones. These servers are not part of a domain and host external zones. We allow each site's external firewalls to transfer zones from the primary server.
My question is if I want the firewalls to hold an authoritative copy of the zone do I have to list them in the Name Servers tab? Or can I just let them pull the zone and leave only the two Windows name servers in the name servers tab?
ASKER
Thanks for the replies.
These Windows DNS boxes reside outside of the site firewalls and are not a part of any domain, so when queried they don't return any internal names.
Currently I have the firewalls listed in the Name Servers tab for all zones, but what is registered at the parent domain differs between zones. For some of the zones my Windows boxes and firewalls are registered, while others only have the Windows boxes registered. So I am trying to standardize this so all zones are set up the same. We don't use the "Only to servers listed on the name servers tab" option because of security issues, so we manually list all IPs that are allowed zone transfers.
The thing is some of my sites have 9 firewalls listed in the Name Servers tab but they are not registered at the Parent Domain and so I am trying to figure out if I should go through the painful process of registering all of them, or if it is ok to only list the Windows servers.
I cannot see the logic of this - if the firewalls hold a copy of the DNS data, but they are not listed in the parent domain and they are not listed in the NS records of the domain itself, then what purpose do they serve? How can anything find them?
ASKER
The firewalls are not registered at the parent nameserver level, but they ARE listed as NS records of the zone themselves.
So I guess what I am really looking for is what the best practice would be. Would it be best to register my Windows DNS boxes as well as the firewalls at the parent nameservers level, or is it ok to only list the Windows DNS servers at the parent nameservers level?
http://en.wikipedia.org/wiki/Name_server#Authoritative_name_server
I think your firewalls should also be listed in the Name Servers tab of the Windows machine because it makes no sense to not include them, but that alone does not determine whether they are deemed to be authoritative. Another reason to include them is so you can set the security option on the primary server's "Zone Transfers" tab to "Only to servers listed on the name servers tab".
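A consistency check for the situation discussed in this thread (the NS set in the zone apex versus what the parent publishes, plus the zone-transfer ACL on the primary), as an added example that is not from the thread or from Windows DNS; the zone names, addresses and ACL entries below are constructed:

```python
"""Audit a zone's NS set against its parent delegation and transfer ACL.
Added example, not from the thread or from Windows DNS; all data is
constructed (example.com names, RFC 5737 addresses)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class ZoneAudit:
    primary: str               # primary server name; never transfers to itself
    parent_ns: set[str]        # NS names registered at the parent / registrar
    child_ns: set[str]         # NS names in the zone apex (Name Servers tab)
    addresses: dict[str, str]  # NS name -> IP (A / glue record)
    xfr_allowed: set[str]      # IPs permitted to transfer the zone from primary

    def run(self) -> list[str]:
        out: list[str] = []
        # Parent names a server the zone does not: resolvers may be sent to a
        # host that does not serve the zone (lame delegation).
        for ns in sorted(self.parent_ns - self.child_ns):
            out.append(f"parent-only NS {ns}: not in zone apex, lame delegation risk")
        # Zone names a server the parent does not: reachable only after a
        # resolver has already hit a delegated server, so the sets disagree.
        for ns in sorted(self.child_ns - self.parent_ns):
            out.append(f"child-only NS {ns}: in zone apex but not registered at parent")
        # Every listed secondary must be reachable and allowed to pull the zone.
        for ns in sorted(self.child_ns - {self.primary}):
            ip = self.addresses.get(ns)
            if ip is None:
                out.append(f"NS {ns}: no address record, unreachable and untransferable")
            elif ip not in self.xfr_allowed:
                out.append(f"NS {ns} ({ip}): not in zone-transfer ACL, cannot pull zone")
        # The transfer ACL should contain nothing but the zone's own secondaries.
        ns_ips = {self.addresses[n] for n in self.child_ns if n in self.addresses}
        for ip in sorted(self.xfr_allowed - ns_ips):
            out.append(f"ACL entry {ip}: not an NS of the zone, review need for AXFR")
        return out


def audit_sample() -> list[str]:
    """Constructed zone: two delegated Windows servers, two apex-only firewalls."""
    return ZoneAudit(
        primary="ns1.example.com",
        parent_ns={"ns1.example.com", "ns2.example.com"},
        child_ns={"ns1.example.com", "ns2.example.com",
                  "fw1.example.com", "fw2.example.com"},
        addresses={"ns1.example.com": "192.0.2.10", "ns2.example.com": "192.0.2.11",
                   "fw1.example.com": "198.51.100.1"},
        xfr_allowed={"192.0.2.11", "198.51.100.1", "203.0.113.7"},
    ).run()
```

Running `audit_sample()` on the constructed data flags the two firewalls that are listed in the apex but not at the parent, the firewall with no address record, and the ACL entry that is not a name server of the zone.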