Techrunner
asked on
DNS service Local and public
Dear Experts,
I have a case where I have to use internal ( local dns server) on a pc for domain services and public dns server for internet services. How this routing is possible on a comuter ?
Is this possible
Thanks
I have a case where I have to use internal ( local dns server) on a pc for domain services and public dns server for internet services. How this routing is possible on a comuter ?
Is this possible
Thanks
Hello.
Configure your PCs to look at the internal server via DHCP.
You DNS server shoudl then be set up to forward unknown host queries to an external server (you can configure this from the DNS Server Manager > Forwarders tab).
This will enable you to resolve locally and externally.
Good Luck.
Configure your PCs to look at the internal server via DHCP.
You DNS server shoudl then be set up to forward unknown host queries to an external server (you can configure this from the DNS Server Manager > Forwarders tab).
This will enable you to resolve locally and externally.
Good Luck.
ASKER
We are using medical service provider. They are using our workstations. These PC's are joined to our domain. They will be using there website for medical services I don't want them to use our internal dns for resolving there website but instead I want to use there given public dns server.
Thanks
Thanks
You could drop an entry in the local host file but that can become hard to manage in no time.
What is the issue with local resolution? The load should be minimum.
What is the issue with local resolution? The load should be minimum.
May I ask why you wish to do this? DNS resolution to external sources should not constitute a performance or security risk. If your DNS server does not know the answer it will forward it to an DNS server that does. I would still recommend adding their public DNS server as a forwarder on the DNS server
You have already got good suggested add the public ip address to dns forwarder or you can create dns zone for there website resolution and point the host record to external ip address.
http://msmvps.com/blogs/acefekay/archive/2009/09/04/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name.aspx
Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
http://msmvps.com/blogs/acefekay/archive/2009/09/04/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name.aspx
Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
ASKER
Hi Experts
Thanks for all clarifications.
We don't to want to let them use our dns server for any resolving, as per our security policies. They are going to use there own public isp dns services.
but our concern.
since our workstations are joined to domain and they are using dns authoritative for this domain.
That's why how I c an achieve that our pc's use the internal dns server for domain services and service provider dns server for resolving public names.
I also dont want to put there public dns server as forwarder on our dns server. We don't want to use any dns services through our dns server.
I would highly appreciate any suggestions.
Thanks
Thanks for all clarifications.
We don't to want to let them use our dns server for any resolving, as per our security policies. They are going to use there own public isp dns services.
but our concern.
since our workstations are joined to domain and they are using dns authoritative for this domain.
That's why how I c an achieve that our pc's use the internal dns server for domain services and service provider dns server for resolving public names.
I also dont want to put there public dns server as forwarder on our dns server. We don't want to use any dns services through our dns server.
I would highly appreciate any suggestions.
Thanks
> That's why how I c an achieve that our pc's use the internal dns server for
> domain services and service provider dns server for resolving public names
You cannot. It's not how DNS clients work, they're dumb and anything you tell them to use must be able to service all requests you expect answered.
Your choices are:
1. Give your DNS server access to the server able to answer the request (either via the public, or as a forwarder)
2. Create a copy of the record on your own DNS server, duplicating the public record.
But that's it, you cannot change the functionality of the DNS client on your systems.
Chris
> domain services and service provider dns server for resolving public names
You cannot. It's not how DNS clients work, they're dumb and anything you tell them to use must be able to service all requests you expect answered.
Your choices are:
1. Give your DNS server access to the server able to answer the request (either via the public, or as a forwarder)
2. Create a copy of the record on your own DNS server, duplicating the public record.
But that's it, you cannot change the functionality of the DNS client on your systems.
Chris
Hi:
I suspect we don't quite understand the question.... I have picked two lines out of your last post to reply:
We don't to want to let them use our dns server for any resolving
The only computers that would use the DNS server inside your firewall would be the computers inside your firewall. That is how you find the other computers on the network, as well as how you navigate to any public website, including this one.
I also dont want to put there public dns server as forwarder on our dns server. We don't want to use any dns services through our dns server.
You have to have some way to resolve names to IP addresses, whether they exist in your LAN or WAN or "on the internet". The DNS server in your LAN will use either forwarders or root hints to do that, and your user's computers will check with your DNS server first, if it has not cached the IP for that name request it gos up-stream to find the answer, using the default gateway as the path to any name or IP that is "not here". When it gets the answer it reports the IP back to the requesting station.
There is no security breach here, unless you consider internet access a breach or potential breach. If that is the case you can simply disconnect from the internet.
I suspect we don't quite understand the question.... I have picked two lines out of your last post to reply:
We don't to want to let them use our dns server for any resolving
The only computers that would use the DNS server inside your firewall would be the computers inside your firewall. That is how you find the other computers on the network, as well as how you navigate to any public website, including this one.
I also dont want to put there public dns server as forwarder on our dns server. We don't want to use any dns services through our dns server.
You have to have some way to resolve names to IP addresses, whether they exist in your LAN or WAN or "on the internet". The DNS server in your LAN will use either forwarders or root hints to do that, and your user's computers will check with your DNS server first, if it has not cached the IP for that name request it gos up-stream to find the answer, using the default gateway as the path to any name or IP that is "not here". When it gets the answer it reports the IP back to the requesting station.
There is no security breach here, unless you consider internet access a breach or potential breach. If that is the case you can simply disconnect from the internet.
DNS basically takes a name and turns it into an ip. So letting them use your internal DNS server cannot possible be a security risk. If you are worried about them accessing your internal servers, you can't solve that by limiting DNS, you need to secure your other stuff in another way.
I may have misread, but the nature of the question implies that the internal DNS server is used exclusively for the domain and cannot resolve public names at all (by policy). Is that really the case here?
The trouble is, if you poke holes in your firewall to allow clients to use a service providers DNS server you surely contravene that policy anyway. So I may simply be a bit confused.
Anyway, DNS clients cannot selectively use name servers based on the name they wish to look-up. All the choices I cited, as well as a few others (hosts, etc) have been mentioned by the other experts participating in this thread.
This assumption is the basis for my reply above.
Chris
The trouble is, if you poke holes in your firewall to allow clients to use a service providers DNS server you surely contravene that policy anyway. So I may simply be a bit confused.
Anyway, DNS clients cannot selectively use name servers based on the name they wish to look-up. All the choices I cited, as well as a few others (hosts, etc) have been mentioned by the other experts participating in this thread.
This assumption is the basis for my reply above.
Chris
ASKER
Hi,
Thank you all for the suggestions.
I just want to add here that I am using BlueCoast in my network. Can I define in bluecoat to us so and so dns server for resolving. Like for internal dns services use internal dns server and for public use medical service provider dns
For your reference our internal and public domain are same.
Thank
Thank you all for the suggestions.
I just want to add here that I am using BlueCoast in my network. Can I define in bluecoat to us so and so dns server for resolving. Like for internal dns services use internal dns server and for public use medical service provider dns
For your reference our internal and public domain are same.
Thank
I doubt it. You can see how some BlueCoat things use DNS here:
https://kb.bluecoat.com/index?page=content&id=FAQ295
While that may not be the exact device you use the functionality you're chasing is outside of normal client-side behaviour (the BlueCoat would also act as a client). Handing name resolution choices down to clients is not normally desirable.
Anyway, if you have the proxy you may find you can implement the same methods above (such as hosts file) to work-around the issue.
Chris
https://kb.bluecoat.com/index?page=content&id=FAQ295
While that may not be the exact device you use the functionality you're chasing is outside of normal client-side behaviour (the BlueCoat would also act as a client). Handing name resolution choices down to clients is not normally desirable.
Anyway, if you have the proxy you may find you can implement the same methods above (such as hosts file) to work-around the issue.
Chris
ASKER
Another thing I'm having thought to remove the workstation from the domain that will be used by medical service provider. In this case they can use there own dns servers for resolution.
I don't know if that would be wise decision.
Thanks
Samir.
I don't know if that would be wise decision.
Thanks
Samir.
You give up control of those work stations. I assume they're not further isolated from the rest of your network?
It's a weird choice really, you've cited security policy as the reason for doing this, but all of the options you seem to have involve compromising network security. Ho hum.
Chris
It's a weird choice really, you've cited security policy as the reason for doing this, but all of the options you seem to have involve compromising network security. Ho hum.
Chris
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
I am going with this solution. Thanks for the help
A forwarder should be configured on the DNS server to go to a public DNS server to resolve any queries that the internal DNS server in not authoritative for.
If no forwarders are configured then root hints will be used by default.