Solved

External DNS server recommendations.

Posted on 2010-08-28
522 Views
Last Modified: 2012-08-13
I would like to set up an external DNS server and need some pointers. Right now we are using a domain hosting service and registering DNS names with them as needed. I would like to install a DNS server to use for that purpose, but I am having some problems with where I should put the server in our network. I know that it would require an external IP address associated with it; does that mean that we still have to have our domain registered on the web pointing to the DNS server's public IP address? Could our Exchange MX record then be held in my DNS instead of on the web? I just need some clarification in terms of these questions and other best practices with DNS.
Question by: justin0104

12 Comments
Expert Comment by: jessmca
I take it you are not using Active Directory.
If you do not need internal DNS then I would recommend keeping the DNS externally hosted.  Public DNS would use up bandwidth needlessly.

Best solution would be split DNS.
Install DNS on a server on your network and configure your internal gateway router's IP as the DNS forwarder address.
Now you can add domains you want to your internal DNS.  Make sure DHCP is configured to allocate your internal DNS server and not the gateway router.  Firewall rules to block LAN addresses from all port 53 (DNS) except the internal DNS would be helpful.

Any computer on the internal LAN will resolve to the DNS mappings internally, while the Internet will use the public addresses without going near your network.

That would be the way I would do it.

Author Comment by: justin0104
We are using DNS within our LAN and we do have Active Directory set up. Our internal DNS is not a problem; we are just trying to move away from an externally hosted DNS server and create our own. I hear people all the time saying how easy it is to host your own external DNS server, but there are still things to consider. Like, does the public DNS server go into the DMZ, and is there a static NAT translation rule to give the DNS server a public IP address? Or would it be best to install the DNS server outside of the firewall? Also, I'm guessing that there still has to be a public DNS record set up through the Internet to point all requests for our domain to the public DNS server that I created? And the entries in my public DNS would use either a public IP to resolve resources or a private IP to resolve my internal LAN resources?
Expert Comment by: jessmca
In that case, yes, definitely put the DNS on a hardened server, not a member of your domain, in a DMZ.  Open port 53 to the Internet and only allow port 53 to your LAN from the DMZ.

Make sure there is public access to the DNS server port 53 and change the DNS servers on your registrar to point to your DNS public IP.

The only benefit I can see is that you will be able to propagate changes immediately across the Internet, except where ISPs have configured to cache and don't check again.

Your public DNS server should never resolve to an internal IP address.  Make sure it doesn't.  There would be no difference to your internal setup except you would change the forwarding IP address to your public DNS server.  There is no benefit to doing this I can see though; you would add security risk and waste bandwidth for little benefit.  If you have a data centre with lots of public servers and need changes to propagate quickly, fair enough.

Why do you want to do this?
Author Comment by: justin0104
OK, so that is pretty much what I thought. So just to be clear, I will place the DNS server that I want to use for outside queries in the DMZ. I will give that DMZ a private IP address but do a static translation to a public IP and point our registrar at the public IP I statically translated for the DNS server I have sitting in the DMZ. Now the entries in the DNS, will they point to a public IP or to the private IP of the web servers that are trying to be resolved?
Expert Comment by: dnsguru44
I have to chime in and say that although it's possible to do this, the security risk is gigantic. You are publishing a name server on the public Internet, so everybody knows how to get to you and attack.

I suggest setting up a DNS caching server; this is your best option with the lowest risk, and this can be accomplished with Windows Server.  This caching server contacts multiple DNS servers, including your ISP's as well as public servers like Google's 8.8.8.8, and caches the entries on this machine, making for quicker Internet name lookups as well as offering redundancy should your ISP's DNS server go down.
Author Comment by: justin0104
Alright, but what about a solution for people looking for servers that we publish? My main goal is to move away from using an external registrar for all of our DNS resolutions. I want to bring that service in house but need some suggestions on how to best go about this. I have a Cisco ASA 5520 for a firewall and a Cisco 2951 sitting on the Internet edge with a switch in between the two. I need to know how I would accomplish this step by step.
Expert Comment by: dnsguru44
You mean like godaddy.com?  If so, that would be illegal.
Author Comment by: justin0104
Huh? I know that I need an external registrar that points to our domain, which would be like GoDaddy. What I don't want to do is use GoDaddy for every web server we have. I want to use our own DNS server. I need to know what the best method is for doing this with the equipment that I have.
Expert Comment by: dnsguru44
OK, sorry... I thought the question was a bit unusual.  I was thinking you wanted to host your own top-level name server...

So just to be clear, you are talking about a name server, correct?  The entries would look like this:

NS1.YOURDOMAIN.COM
NS2.YOURDOMAIN.COM
NS3.YOURDOMAIN.COM

Is this what you are talking about, a name server? That's what the NS stands for.
Author Comment by: justin0104
That is correct, that is what I am trying to do. Right now we are doing this through an external DNS service (i.e. GoDaddy, etc.). How can I do this the best using the hardware I have at my disposal?
Expert Comment by: dnsguru44
Yes, you can do this, but before you do, it's important to remember that sites like GoDaddy have hundreds if not thousands of name servers for redundancy, spread out geographically to avoid any single point of failure.  So, if you have your name server and web server on the same network and it goes down, the outside world will not be able to view your company's website.

That aside, here is a great article that I think is pretty straightforward; make sure to note all the security tasks.

http://faq.programmerworld.net/networking/how-to-setup-your-own-dns.html

Accepted Solution by: jessmca (earned 500 total points)
If you are hosting public DNS, always make sure all entries point only to public IP addresses.  Treat this server exactly like you did with the hosted service you used.  The only people going to be using this server directly are public requests from the Internet, so private IPs would be pointless.

If you are hosting services such as web hosting internally, point the public DNS to the public IP on your gateway that translates to the private IP.  DNS should never know the private IP addresses.

DNS used for Active Directory and the internal LAN only is private and should remain so.  I would recommend using your ISP DNS as a forwarder anyway.  If you are the first-hop DNS server then chances are changes will propagate pretty quickly.

Make sure you don't set the TTL too low though, as you can eat up resources and bandwidth if you're not careful.  If you host an already established domain that gets a lot of hits then you may find this is not a good idea, as your server will get a lot of requests.  If you want to host services for small business you will be fine.
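The two rules that run through jessmca's split-DNS comment and the accepted solution above (the public zone must never carry private addresses, and TTLs should not be set so low that the server is flooded with queries) are easy to enforce before a zone goes live. The following script is an added example written for this page, not code from the thread or from any DNS product: it parses a small BIND-style zone and reports any record that violates those rules, plus a missing NS delegation or missing glue. The zone text, the domain name, the RFC 5737 addresses and the one-hour MIN_TTL are all constructed assumptions.

```python
"""Lint a public (external-view) DNS zone before publishing it.

Checks, per the thread's advice:
  * every A/AAAA record points at a public address (no RFC 1918 leaks
    from the internal/split-DNS view),
  * record TTLs are not below a chosen minimum,
  * NS records exist, and in-zone name servers have glue A records.
Constructed sample data; not a full RFC 1035 zone parser."""

import ipaddress
import re

# Assumption: one hour is a sensible floor for a small public zone.
MIN_TTL = 3600

# Address ranges that must never appear in a public zone.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 equivalents
)]

# Constructed zone for a made-up domain. It deliberately contains two
# mistakes a split-DNS setup can leak into the public view: a private
# address (intranet) and a very low TTL (www).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA  ns1.example.com. hostmaster.example.com. (2010082801 7200 900 1209600 3600)
@        IN NS   ns1.example.com.
@        IN NS   ns2.example.com.
@        IN MX   10 mail.example.com.
ns1      IN A    203.0.113.10
ns2      IN A    198.51.100.10
mail     IN A    203.0.113.25
www   60 IN A    203.0.113.80
intranet IN A    192.168.1.20
"""

RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<ttl>\d+)\s+)?IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_zone(text):
    """Parse one-record-per-line zone text into a list of dicts.
    Honours $ORIGIN and $TTL and expands relative owner names."""
    origin, default_ttl, records = "", None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unparsed zone line: {line!r}")
        name = m.group("name")
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = f"{name}.{origin}"
        ttl = int(m.group("ttl")) if m.group("ttl") else default_ttl
        records.append({"name": name, "ttl": ttl,
                        "type": m.group("type"), "rdata": m.group("rdata")})
    return records


def check_public_zone(records, min_ttl=MIN_TTL):
    """Return a list of human-readable findings; empty means the zone passes."""
    findings = []
    apex = next((r["name"] for r in records if r["type"] == "SOA"), "")
    ns_targets = {r["rdata"] for r in records if r["type"] == "NS"}
    addr_names = {r["name"] for r in records if r["type"] in ("A", "AAAA")}
    if not ns_targets:
        findings.append("no NS records: the registrar delegation has nothing to point at")
    for r in records:
        if r["type"] in ("A", "AAAA"):
            ip = ipaddress.ip_address(r["rdata"])
            if any(ip in net for net in PRIVATE_NETS):
                findings.append(f"{r['name']} {r['type']} {ip} is not a public address")
        if r["ttl"] is not None and r["ttl"] < min_ttl:
            findings.append(f"{r['name']} {r['type']} TTL {r['ttl']}s is below {min_ttl}s")
    # Name servers inside the zone need glue or the delegation cannot bootstrap.
    for ns in sorted(ns_targets):
        if apex and ns.endswith("." + apex) and ns not in addr_names:
            findings.append(f"NS {ns} has no glue A/AAAA record in the zone")
    return findings


if __name__ == "__main__":
    for finding in check_public_zone(parse_zone(SAMPLE_ZONE)):
        print("FINDING:", finding)
```

Run against the constructed zone it flags exactly the two planted problems (the 192.168.1.20 record and the 60-second TTL on www) and nothing else; point `parse_zone` at a real zone export and an empty result is the condition the accepted answer asks for before the registrar is switched to your own name servers.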