Solved

DNS, conditional Forwarder

Posted on 2013-01-09
699 Views
Last Modified: 2013-02-14
We are multiple sites connecting over VPN to the head office.
Branch offices have anywhere from 3 to 10 computers.
Each branch office is getting a small file server running 2008. DNS service is also installed.
Forwarders were pointed to the DNS server at the head office; otherwise the branch office could not resolve internal servers.

We find that ALL DNS requests were being sent to the head office.
The problem is, if we lose the internet connection at the head office, then we risk bringing all the branch sites to a standstill.

Is there a way so that all internet URLs will be resolved locally at the branch sites, and for all internal servers it could look up the DNS server at the head office?

thanks
0
Question by:3Musketeers
3 Comments
 
LVL 9

Assisted Solution

by:gt2847c
gt2847c earned 500 total points
ID: 38761417
The short answer is most likely you could set this up...

Questions that will help determine a more specific answer

Are you running an Active Directory setup with your servers?
If so, where are your Domain Controllers located (at each site, head office)?

How is your internal DNS domain configured? Do your servers self-register, or does someone manually manage the DNS entries?

How are IP addresses (especially for servers) handled: are they statically assigned, or are they DHCP enabled? If DHCP, are the servers local to the site or at the head office?

Would you like to be able to resolve local servers via DNS if the connection to the head office goes down?
0
 

Author Comment

by:3Musketeers
ID: 38761746
thx.

Yes, AD. The domain controller sits at the head office (HO), and another at a bigger branch office (BBO). Total: 2 domain controllers, with the DNS service also running.
There is a private link between these two locations.
No domain controllers at any of the other branch offices.

Servers / clients self-register,
static IPs for servers, DHCP for clients.

branch offices have no need for any connection to the BBO.

I want to resolve all the servers that are at the head office from the client computers at the branch office.
However, I want the DNS servers at the branch sites to resolve all internet sites LOCALLY, because people surf like crazy and I don't want the DNS requests coming all the way over the WAN link.

thanks a lot
0
 
LVL 9

Accepted Solution

by:gt2847c
gt2847c earned 500 total points
ID: 38762861
You have two options for locally resolving Internet names. You can set up a general forwarder for the local DNS server pointing to each site's ISP-supplied DNS resolvers. Alternatively, you can allow your DNS server to self-resolve. Microsoft's DNS server, if no general forwarders are configured, will attempt to iteratively resolve DNS queries. This assumes that your firewall permits this traffic to pass. It also assumes you have a default route pointing to your ISP rather than through your VPN back to your head office.

As to internal resolving, you again have two options. One, you can set up a conditional forwarder for your internal domain pointing to your head office DNS server(s). You should include both the forward domain (x.y.com) and the reverse (168.192.in-addr.arpa, or whatever is appropriate based on the internal address space you use). You will also want to make sure all the sub-domains that AD sets up (_msdcs.mydomain.com and those underneath) resolve properly, to make sure you don't have issues with your devices connecting to your domain.

The second option is to set up your local DNS servers to replicate the DNS zones for your internal forward and reverse zones. That way it will keep all client DNS traffic local to your site. Only replication traffic between the DNS servers will go back to your head office. Conditional forwarders will send all (non-cached) requests back to your head office. Having a local copy of the internal domain is useful if your connection to the head office is severed or you want to take down the DNS servers at the head office for maintenance. This is especially true if you use a meshed VPN solution, which would allow you to reach other sites even if the head office is unavailable.
0
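The accepted answer describes two choices for Internet names (ISP forwarders or root-hint resolution) and two for the internal AD domain (conditional forwarders or secondary zones). The script below is an added example, not something posted in this thread, that applies those choices on a branch Server 2008 DNS server with the dnscmd tool that ships with the 2008 DNS Server role. Everything specific in it is an assumption: the domain corp.example.com, the head-office DNS addresses 10.0.0.10 and 10.0.0.11, the ISP resolvers 203.0.113.53 and 203.0.113.54, and the reverse zone 168.192.in-addr.arpa taken from the answer's own illustration. The `_msdcs` secondary zone is added because AD normally keeps `_msdcs.<domain>` as a separately delegated zone, so a secondary of the parent alone would still chase that delegation over the VPN.

```powershell
<#
  Branch-office split DNS on Windows Server 2008 (added example; not from the thread).
  Assumed placeholders, not from the thread:
    corp.example.com          internal AD domain
    168.192.in-addr.arpa      internal reverse zone (the answer's own example)
    10.0.0.10, 10.0.0.11      head-office DNS servers (the DCs)
    203.0.113.53, .54         branch ISP resolvers
  Run as an administrator on the branch DNS server. On Server 2012+ the
  DnsServer module (Set-DnsServerForwarder, Add-DnsServerConditionalForwarderZone,
  Add-DnsServerSecondaryZone) covers the same steps.
#>
param(
    [ValidateSet('ConditionalForwarder', 'Secondary')]
    [string]$InternalMode = 'ConditionalForwarder',
    [switch]$UseIspForwarders
)

$Domain        = 'corp.example.com'
$ReverseZone   = '168.192.in-addr.arpa'
$HeadOfficeDns = @('10.0.0.10', '10.0.0.11')
$IspDns        = @('203.0.113.53', '203.0.113.54')

# --- Internet names: keep them off the VPN -----------------------------------
if ($UseIspForwarders) {
    # Option 1: general forwarders to the branch ISP. /NoSlave keeps root hints
    # as a fallback if the ISP resolvers stop answering.
    dnscmd /ResetForwarders $IspDns /Timeout 3 /NoSlave
} else {
    # Option 2: no general forwarders at all, so the server iterates from the
    # root hints itself. Needs outbound TCP/UDP 53 through the branch firewall
    # and a default route to the ISP rather than into the VPN.
    dnscmd /ResetForwarders
}

# --- Internal names: forward to, or replicate from, the head office ----------
$zones = @($Domain, $ReverseZone)
if ($InternalMode -eq 'Secondary') {
    # _msdcs.<domain> is a delegated zone of its own in AD; replicate it too,
    # otherwise the branch still follows the delegation back over the VPN.
    $zones += "_msdcs.$Domain"
}

foreach ($zone in $zones) {
    switch ($InternalMode) {
        'ConditionalForwarder' {
            # Every non-cached query under the zone (the AD sub-domains included)
            # is forwarded to the head office; nothing resolves if the link is down.
            dnscmd /ZoneAdd $zone /Forwarder $HeadOfficeDns /Timeout 3 /Slave
        }
        'Secondary' {
            # Read-only local copy; only zone transfers cross the VPN, and the
            # branch keeps answering while the head office is unreachable.
            # The head-office master must allow transfers to this server first:
            #   dnscmd <HO-DC> /ZoneResetSecondaries <zone> /SecureList <branch-server-IP>
            dnscmd /ZoneAdd $zone /Secondary $HeadOfficeDns
        }
    }
}

# --- Verify from the server itself -------------------------------------------
dnscmd /EnumZones
# Domain-controller locator record: must return the head-office DCs.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 127.0.0.1
# A public name: must resolve; confirm on the VPN gateway that this query
# produced no port-53 traffic inside the tunnel.
nslookup www.example.net 127.0.0.1
```

Run it once per branch server, choosing `-InternalMode Secondary` where the site must keep working through a head-office outage; the conditional-forwarder mode is the simpler setup but ties internal name resolution to the VPN, exactly the dependency the question is trying to remove for Internet traffic.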
