Domain DNS and Firewall DNS

Posted on 2010-08-30
Last Modified: 2012-05-10
I have a win2003svr domain controller. I also have a firewall (Kerio Control).  My question is regarding the configuration of the DNS from the AD controller and the Kerio Control.
Question by:benjalamelami
  • 3
  • 2
  • 2

Expert Comment

ID: 33564089
Use AD, and do not use the Firewall DNS.  
Within Windows 2003 server, DNS can integrate with DHCP and work more effectively.  You should have the WIndwos DNS use root hints to look up secondary/recursive records, rather than specifying the firewall or ISP DNS for outside.  This offers better reliability.  Alyernatively, you could use the ISP DNS which might give you fatser lookup speed, but be less reliable.

Expert Comment

ID: 33564147
Check out this article about windows 2003 DNS


Author Comment

ID: 33564162
Dear Sstone.

Thanks for your help.  I have my DHCP integrated with my DNS.  So, let me see if I get it right:

- Stablish the DHCP to give DHCP clients the DNS from the AD server itself (its small network: AD, DNS, DHCP are all in the same server)

- The DNS for the server will be"

What I dont understand very clear, is where or how do clients know where to look for the external name servers for solving the internet names.  

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.


Expert Comment

ID: 33564188
The 2003 DNS server will service all your internal network.

In the DNS Console, there will be Root Hints which point to External IP addresses for external name resolution.

Also check your firewall, DNS uses UDP port 53 and TCP port 53.

Author Comment

ID: 33598933
Thank you very much for your help.  However DNS resolution for internet domains became really slow.  It does work, but takes 4 seconds or something per domain.  I was wondering, if it had to do on how the Kerio Control machine is configured.  Or if I should add some root hints to the ISP DNS.

Accepted Solution

sstone55423 earned 125 total points
ID: 33600954
Within the Windwos DNS you can specify secondary lookup.  (properties of the DNS server) If nothing is specified there, then it uses root hints, which can be slugglish sometimes.  You can also specify outside DNS servers explicitly for everything (instead of root hints) or on an on domain basis.  These look ups should be faster than root hints.  Some people specify their ISP's DNS servers.  Depending on the ISP, that can be slow or not.  You can also try pointing the Windows DNS to the Kerio as secondary -- just to see if performance is better.
The reason you need to use your internal WIndows erver for DNS (given out by Windows DHCP) is that to authenticate with Windows domain properely, (AD) you have to resolve SRV records that are unique to AD.

Author Closing Comment

ID: 33974770
Thanks for the tip.  

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There have been a lot of times when we have seen the need to enter a large number of DNS entries in a forward lookup zone. The standard procedure would be to launch the DNS Manager console, create the Zone and start adding new hosts using the New…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Internet Business Fax to Email Made Easy - With  eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now