Solved

DNS configuration in multi-location network

Posted on 2014-04-23
3
354 Views
Last Modified: 2014-04-24
A remote site underwent an ISP change and a local tech made some DNS changes that, while they work, I'm questioning. One of the issues I have found is that when I ping the name of an internal computer and expect DNS to reply with an IP address, instead of the real IP, I get an OpenDNS IP. (We use OpenDNS).
This made me want to look at DNS as a whole to make sure it's optimal before fixing this. Please review the attached. All locations were set up similar to Sites 1 & 2 and it's site 3 that was modified. Considering the details provided, I'm looking for best practices related to DC and firewall settings specific to DNS.

1. Should the primary DC DNS point only to itself?
2. Should the other secondary local DCs point only to the Primary DC for DNS?
3. Should any DC TCP/IP settings contain DNS IPs for OpenDNS
4. Should DNS1 on the firewall/gateway point to the local DNS server?

Thanks
Visio-DNS.pdf
0
Comment
Question by:ironkernel
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40018351
Well... It's not how I would set it up ...

First thing, I would try to configure a local DNS on each site...

Second thing, DNS should be pointing to itself and another local DNS (or a DNS on the other site maybe), then on the DNS server itself the OpenDNS servers should be configured as forwarders, so that the DNS server uses them when looking up requests that can't be resolved by the DNS server itself.

That would solve most things I think .. From taking a quick look.

So:

1) Kinda yes (itself and another local - backup - DNS)
2) Yes, and also another local DNS as backup
3) No better not
4) It can though I don't think it matters for the network too much.
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40018833
1. Should the primary DC DNS point only to itself?
Yes, to its own IP (Not 127.0.0.1)

2. Should the other secondary local DCs point only to the Primary DC for DNS?
No secondary dns servers also point to itself for name resolution and point to primary DC as alternate DNS

3. Should any DC TCP/IP settings contain DNS IPs for OpenDNS
OpenDNS \ ISP IP should be put into DNS forwarders tab
I have seen your schematic, no matter how you route your traffic, it will passes through firewall only
If you keep firewall IP as gateway on DC and workstations, all internet traffic will go through firewall directly and it will then not look for DNS forwarders I believe.
Hence if you could arrange some simple router as gateway device at each site for DC and computers and then DNS forwarder will work.
However finally your internet traffic will flow through firewall only

4. Should DNS1 on the firewall/gateway point to the local DNS server?
No its not required as your firewall is actually acting as internet gateway and entry point

Mahesh.
0
 

Author Comment

by:ironkernel
ID: 40021109
Thank you for the details provided - this helps considerably.
0

Featured Post

Are You Headed to Black Hat USA 2017?

Getting ready for Black Hat next week? Kick things off with the WatchGuard Badge Challenge and test your puzzle and cipher skills. Do you have what it takes to earn our limited edition Firebox Badge? Get started today - https://crimsonthorn.net

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There have been a lot of times when we have seen the need to enter a large number of DNS entries in a forward lookup zone. The standard procedure would be to launch the DNS Manager console, create the Zone and start adding new hosts using the New…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question