Solved

DNS configuration in multi-location network

Posted on 2014-04-23
3
349 Views
Last Modified: 2014-04-24
A remote site underwent an ISP change and a local tech made some DNS changes that, while they work, I'm questioning. One of the issues I have found is that when I ping the name of an internal computer and expect DNS to reply with an IP address, instead of the real IP, I get an OpenDNS IP. (We use OpenDNS).
This made me want to look at DNS as a whole to make sure it's optimal before fixing this. Please review the attached. All locations were set up similar to Sites 1 & 2 and it's site 3 that was modified. Considering the details provided, I'm looking for best practices related to DC and firewall settings specific to DNS.

1. Should the primary DC DNS point only to itself?
2. Should the other secondary local DCs point only to the Primary DC for DNS?
3. Should any DC TCP/IP settings contain DNS IPs for OpenDNS
4. Should DNS1 on the firewall/gateway point to the local DNS server?

Thanks
Visio-DNS.pdf
0
Comment
Question by:ironkernel
3 Comments
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 40018351
Well... It's not how I would set it up ...

First thing, I would try to configure a local DNS on each site...

Second thing, DNS should be pointing to itself and another local DNS (or a DNS on the other site maybe), then on the DNS server itself the OpenDNS servers should be configured as forwarders, so that the DNS server uses them when looking up requests that can't be resolved by the DNS server itself.

That would solve most things I think .. From taking a quick look.

So:

1) Kinda yes (itself and another local - backup - DNS)
2) Yes, and also another local DNS as backup
3) No better not
4) It can though I don't think it matters for the network too much.
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40018833
1. Should the primary DC DNS point only to itself?
Yes, to its own IP (Not 127.0.0.1)

2. Should the other secondary local DCs point only to the Primary DC for DNS?
No secondary dns servers also point to itself for name resolution and point to primary DC as alternate DNS

3. Should any DC TCP/IP settings contain DNS IPs for OpenDNS
OpenDNS \ ISP IP should be put into DNS forwarders tab
I have seen your schematic, no matter how you route your traffic, it will passes through firewall only
If you keep firewall IP as gateway on DC and workstations, all internet traffic will go through firewall directly and it will then not look for DNS forwarders I believe.
Hence if you could arrange some simple router as gateway device at each site for DC and computers and then DNS forwarder will work.
However finally your internet traffic will flow through firewall only

4. Should DNS1 on the firewall/gateway point to the local DNS server?
No its not required as your firewall is actually acting as internet gateway and entry point

Mahesh.
0
 

Author Comment

by:ironkernel
ID: 40021109
Thank you for the details provided - this helps considerably.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question