DNS question when used as a caching server and configured to use root hints

Hi all,

I have a design-type query.
We are deploying two 2008 R2 Core DNS caching servers on a DMZ. The DNS servers will be used for recursive queries using the root hints (no ISP DNS servers available). We will then configure our Active Directory integrated DNS servers to use the DMZ servers as forwarders from within the DNS console. Here are the questions.
1. Does anyone see any inherent problems with the design?
2. Is there anything I need to be aware of in using the cache service, as I've never set up an OS to facilitate the service before? I've normally used ISA/TMG.
3. Is it a bad idea to do this a different way? What about opening up the AD Integrated DNS servers to use the root hints themselves - any concerns?
Thank you for looking.
Jason Thomas asked:

Mahesh (Architect) commented:
The best option would be to have an ISP DNS server to which you forward your name-resolution queries from the corporate network.

The workaround you have should work.

Please keep the caching DNS servers in a workgroup and do not allow any inbound traffic on them from the internet.
Just open the DNS port (53) from the caching-only server to the internet to get name resolution.
From the internal AD servers you need to open port 53 towards the caching-only server.

It's not a very good idea to enable direct internet name resolution on the AD server if other options are available.
Jason Thomas (author) commented:
Hi Mahesh, I appreciate your time in responding to me, thank you. I understand what you have said but do have one follow-up question.
You say not to allow any inbound traffic from the internet to the caching servers; I assume I open UDP and TCP port 53 from the caching servers through the firewall and this will do what you recommend?
From the internal DNS servers, open UDP and TCP ports from each DNS server to the 2 caching servers?

Thank you.
Mahesh (Architect) commented:
Yes, you are right.
Just trying to keep it as secure as possible.

If you want, you can open TCP 80 and 443 from the caching servers to the internet so that, in case you face any issues, you can test connectivity from the caching-only servers to the internet.
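One way to implement the rules Mahesh describes on Server Core, as an added example that is not from this thread: dnscmd and netsh advfirewall commands for the DMZ caching-only servers, plus the forwarder setting for the internal AD DNS servers. All addresses are placeholders; the outbound restriction to port 53 (and the optional 80/443 for testing) is mirrored on the host firewall here as defence in depth, but belongs primarily on the perimeter firewall.

```batch
@echo off
REM ===== Part 1: run on each 2008 R2 Core caching-only DNS server in the DMZ =====
REM Placeholder addresses (replace with your own): the internal AD DNS servers
set INTERNAL_DNS=10.0.0.10,10.0.0.11

REM Install the DNS Server role on Server Core
dism /online /enable-feature /featurename:DNS-Server-Core-Role

REM Caching-only: recursion on and forwarder list cleared, so the server
REM resolves via the root hints itself (no ISP DNS available)
dnscmd /Config /NoRecursion 0
dnscmd /ResetForwarders

REM Host firewall, defence in depth behind the perimeter firewall:
REM default-deny both directions, then open only what the design needs.
REM Keep any existing management rules (RDP/WinRM from the admin network) in place.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule name="DNS in from internal DNS (UDP)" dir=in action=allow protocol=UDP localport=53 remoteip=%INTERNAL_DNS%
netsh advfirewall firewall add rule name="DNS in from internal DNS (TCP)" dir=in action=allow protocol=TCP localport=53 remoteip=%INTERNAL_DNS%
netsh advfirewall firewall add rule name="DNS out to internet (UDP)" dir=out action=allow protocol=UDP remoteport=53
netsh advfirewall firewall add rule name="DNS out to internet (TCP)" dir=out action=allow protocol=TCP remoteport=53
REM Optional troubleshooting allowance Mahesh mentions; remove it once testing is done
netsh advfirewall firewall add rule name="HTTP/HTTPS out for testing" dir=out action=allow protocol=TCP remoteport=80,443
REM Anything else the host must reach outbound (time sync, updates) needs its own explicit rule

REM Check: no forwarders configured, and a recursive lookup is answered locally
dnscmd /Info /Forwarders
nslookup www.example.com 127.0.0.1

REM ===== Part 2: run on each internal AD-integrated DNS server (NOT on the DMZ hosts) =====
REM Placeholder DMZ caching-server addresses; 5 s timeout before the next forwarder is tried.
REM Uncomment on the AD DNS servers only:
REM dnscmd /ResetForwarders 192.0.2.10 192.0.2.11 /Timeout 5
```

On the perimeter firewall the same matrix applies: internal DNS servers to DMZ servers on 53/UDP and 53/TCP, DMZ servers to the internet on 53 only, and nothing inbound from the internet to the DMZ DNS servers.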

Jason Thomas (author) commented:
Great tip, thank you.
Question has a verified solution.