Link to home
Start Free TrialLog in
Avatar of Techrunner
Techrunner

asked on

Configuring DNS on TMG-Recommendation

Hello,
I have TMG 2010 server under the domain with 2 NIC's ( Internal and External). I have gone through the following below link from Microsoft.

http://blogs.isaserver.org/shinder/2008/05/04/dns-settings-for-the-forefront-threat-management-gateways-tmg-interfaces/

From the above link I am thinking to go with this option ( mentioned in the link)

Isolating Internal DNS Servers

I would like to know the experts recommendation and suggestion if I proceed with the above option ( Isolating DNS) Will there be any DNS outages, browsing slowness or performance bottlenecks.

I welcome your suggestions. My main concern is to prevent our internal DNS to be exposed to External network

Thanks.

Samir
Avatar of Hilal1924
Hilal1924
Flag of India image

Hello Samir,

It is always recommended to have redundancy in DNS, No matter if it is internal or public DNS set up. This article in Microsoft is meant for Enterprise deployments and If your implementation is an Enterprise level deployment (>1000 users) then you should follow this article.

DNS outtages, performance is dependent on your Network performance, DNS query response etc. But I have not seen people complaining when using this kind of set up.

Best Of Luck
Hilal
One more thing, make sure that your internal DNS server does not do any unauthorized zone transfers and replication is set to secure mode on DNS. Any internal reference in your Public DNS should be removed.
Avatar of Techrunner
Techrunner

ASKER

thank you for your quick and prompt response.
I posted the wrong link I want to refer this link instead

http://technet.microsoft.com/en-us/library/cc302590.aspx

As I said earlier I want to select the second option Isolating Internal DNS server. Will it be ok.

Thanks

Samir
Avatar of Miguel Angel Perez Muñoz
On general way:

TGM must be configured used internal DNS.
DNS internal must be use forwarders to resolve external queries. Consider using forwarders and void iterative queries from your internal DNS servers to external and unknown DNS servers.
Never permit zone transfers to other servers on all servers on public side of network.
Consider use your own forwarder if your ISP does not give a pair of DNS servers. This isolate external DNS DoS to this external machines.
You will typically configure the NIC of the TMG box which is connected to the internal network with the same DNS server IP addresses of the other servers and workstations in that local site -- typically the Active Directory Domain Controllers situated there. You don't need to make any more changes than that.

To allow DNS queries to function, you need an access rule which permits DNS traffic to flow from the DNS servers to their forward lookup servers. It is usually sufficient to allow all DNS traffic from a network set containing all the approved internal DNS servers to "External" -- this does not prevent the use of root hints in the event your forwarders are down or unavailable.

Provided you don't publish a rule which publishes DNS to the internet on one of the public IPs (i.e. traffic from External to the Internal network or some internal device) then you won't permit access to your internal DNS servers from the Internet. TMG handles the firewalling.

-Matt
I agree with Matt. Essentially TMG or Any firewall for that matter divides the network in two parts. External and Internal. The Internal Interface will ALWAYS use Internal DNS and External Interface can use both. However you must not allow traffic from external networks to your internal DNS server.

- Hilal
Okay, I just saw your second comment above. Apologies for missing that.

If you truly want to isolate your internal DNS in that fashion, then you will need either another server to act as DNS, or to install DNS on the TMG box itself. Then, point one of the NICs (normally the internal again) of the TMG to the IP of the DNS server you just installed (either TMG's IP or the new box's IP). If you use a secondary box, then you would ideally connect it up to an additional NIC to isolate it.

You don't use access rules to permit internal DNS servers access to the Internet. However, all the internal machines need to proxy via the TMG, since the act of proxying permits the TMG to perform the name resolution at the proxy.

Any unproxied traffic - such as other protocols which don't typically get proxied - isn't going to be routed though (the internal AD servers can't forward the requests to locate proper DNS, yet the internal machines must still use the internal AD servers for DNS resolution only).

-Matt
Sorry Hilal, we cross-posted there! Just to re-iterate, the typical setup would be the one which was originally described. That doesn't expose your internal DNS namespace. The worst you get is caching and the potential for cache poisoning on the internal DNS servers. That can be mitigated, but rarely have I seen the isolated DNS setup described. It typically leads to more confusion than it's worth, and by complicating the matter to a point where it is not as well understood, it may actually make things less secure because you can't verify the setup is accurate as easily.

-Matt
Thanks Matt and Hilal for your reply.

How would it be if I go with this option

- Install DNS service on TMG and configure forwarder pointing to ISP
- Configure the DNS on external interface on TMG box point to the local ip of TMG.
- Create a namespace on TMG box resolving internal dns hostnames.
- Configure forwarder on Internal DNS server pointing to TMG box.

Please advise.

Thanks
Samir
ASKER CERTIFIED SOLUTION
Avatar of tigermatt
tigermatt
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Sorry for the delay in reply Please can you tell me some reasons how would I would be benefited by having the below setup. I'm trying to clear all my confusion and to select the best recommended setup Just for more info I have 1800 users.

a. Install DNS on TMG box and configure ISP's DNS forwarder.
b. Configuring Internal interface with internal DNS server
c. Configuring Internal DNS server with TMG forwarder.

Thanks.
Samir
Samir,

>> Please can you tell me some reasons how would I would be benefited by having the below setup

I think this line says lots. With respect, you are trying to introduce additional complexity to the structure of your DNS without identifying the problem you are trying to solve. This makes it very difficult to plan and to confirm you are going in the right direction; without a problem statement, there is no starting point to work from, and you are effectively shooting in the dark.

If what you have presently works, then I would advise you leave it alone unless there is a good reason not to do so. I have a network of 3000 users which has the internal Active Directory-integrated DNS servers communicate directly with the ISP's forwarders. The TMG environment is involved, but only as a firewall which permits the traffic to pass outward; not with any form of local DNS server.

Unless you have a well-defined security or operational threat or requirement, I really wouldn't add additional complexity for the sake of additional complexity. More complexity means more entropy (uncertainty), and therefore more complicated troubleshooting in the event something falls apart. DNS is a crucial service; its loss or failure could lead to loss of the entire network operations, which is not an acceptable outcome from changes which, on the face of it, did not serve any purpose.

-Matt
thank you for your valuable comments. Basically I just what to understand from you and other experts the recommended DNS setup ( and complications) to clarify my doubts prior to any change in my production environment.
Thanks for the support.