Solved

DNS question when used as a caching server and configured to use root hints

Posted on 2014-07-24
Last Modified: 2014-07-25
Hi all,

I have a design-type query.
We are deploying two Windows 2008 R2 Core DNS caching servers in a DMZ. The DNS servers will be used for recursive queries using the root hints (no ISP DNS servers are available). We will then configure our Active Directory-integrated DNS servers to use the DMZ servers as forwarders from within the DNS console. Here are the questions.
1. Does anyone see any inherent problems with the design?
2. Is there anything I need to be aware of in using the cache service? I've never set up an OS to facilitate the service before; normally I used ISA\TMG.
3. Is it a bad idea to do this a different way? What about opening up the AD-integrated DNS servers to use the root hints themselves - any concerns?
Thank you for looking.
Question by: Jason Thomas
Expert Comment by: Mahesh (ID: 40217154)
The best option would be to have an ISP DNS server to which you forward your name resolution queries from the corporate network.

The workaround you have should work.

Please keep the caching DNS servers in a workgroup and do not allow any inbound traffic to them from the internet.
Just open the DNS port (53) from the caching-only servers to the internet to get name resolution.
From the internal AD servers you need to open port 53 towards the caching-only servers.

It's not a very good idea to enable direct internet name resolution on AD servers if other options are available.
Author Comment by: Jason Thomas (ID: 40218636)
Hi Mahesh, I appreciate your time in responding to me, thank you. I understand what you have said but do have one follow-up question.
You say not to allow any inbound traffic from the internet to the caching servers. I assume I open UDP and TCP port 53 from the caching servers through the firewall, and this will do what you recommend?
From the internal DNS servers, open UDP and TCP port 53 from each DNS server to the 2 caching servers?

Thank you.
Accepted Solution by: Mahesh (earned 500 total points; ID: 40219293)
Yes, you are right.
Just trying to keep it as secure as possible.

If you want, you can open TCP 80 and 443 from the caching servers to the internet so that, in case you face any issues, you can test connectivity from the caching-only servers to the internet.
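The design agreed on in this thread (DMZ caching-only servers that recurse via root hints, internal AD-integrated DNS forwarding to them, port 53 allowed only in the directions Mahesh lists) as an added example, not code posted by anyone in the thread. It uses dnscmd.exe and netsh.exe because those exist on a 2008 R2 Core install, where the DnsServer PowerShell module does not. All IP addresses, rule names and the host-firewall rule group name are assumptions for illustration; the perimeter firewall rules (DMZ servers to any on UDP/TCP 53 outbound, AD DNS to DMZ servers on UDP/TCP 53, nothing inbound from the internet) are vendor-specific and are described in comments only.

```powershell
# Added example, not from the thread. Assumed addresses:
#   DMZ caching-only servers   : 10.0.2.20, 10.0.2.21  (workgroup members)
#   Internal AD-integrated DNS : 10.0.1.10, 10.0.1.11
$InternalDns = '10.0.1.10,10.0.1.11'          # netsh remoteip list format
$DmzDns      = @('10.0.2.20', '10.0.2.21')    # expands to separate dnscmd args

# ===== Run on each DMZ caching-only server (2008 R2 Core) =====
# Install the DNS role. Create no zones: a DNS server with no zones and
# recursion enabled is a caching-only server and resolves through the root
# hints shipped in cache.dns. (Verify the feature name with
# "Dism /online /get-features | findstr DNS" before relying on it.)
Dism.exe /online /enable-feature /featurename:DNS-Server-Core-Role

dnscmd.exe 127.0.0.1 /Config /NoRecursion 0   # recursion on (the default)
dnscmd.exe 127.0.0.1 /ResetForwarders         # no address given = clear forwarders: root hints only

# Host firewall: default-deny inbound, then allow port 53 only from the two
# internal DNS servers. Without this scoping the box is an open resolver and
# can be abused for DNS amplification even if the perimeter rule is later
# loosened. The DNS role adds any-source port 53 rules in the "DNS Service"
# group (assumed name; check with: netsh advfirewall firewall show rule name=all),
# so disable those and add scoped replacements.
netsh.exe advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh.exe advfirewall firewall set rule group="DNS Service" new enable=no
netsh.exe advfirewall firewall add rule name="DNS UDP 53 from internal DNS" dir=in action=allow protocol=UDP localport=53 remoteip=$InternalDns
netsh.exe advfirewall firewall add rule name="DNS TCP 53 from internal DNS" dir=in action=allow protocol=TCP localport=53 remoteip=$InternalDns

# Perimeter firewall (not shown, vendor-specific): allow UDP/TCP 53 from
# 10.0.2.20-21 to any destination; allow UDP/TCP 53 from 10.0.1.10-11 to
# 10.0.2.20-21; optionally TCP 80/443 outbound from the DMZ servers for the
# connectivity test Mahesh mentions; deny everything else inbound to the DMZ.
# If the perimeter firewall drops DNS replies larger than 512 bytes, root-hint
# resolution stalls on EDNS0 probes; disabling the probes is the usual fix:
# dnscmd.exe 127.0.0.1 /Config /EnableEDnsProbes 0

# ===== Run on each internal AD-integrated DNS server =====
# Forward to the DMZ pair. /slave stops the AD server from falling back to its
# own root hints when both forwarders are unreachable (question 3 in the
# thread): the perimeter rules above would block that traffic anyway, and the
# failure then shows up as a forwarder outage instead of silent direct recursion.
dnscmd.exe 127.0.0.1 /ResetForwarders $DmzDns /timeout 3 /slave

# ===== Checks =====
# On a DMZ server: a recursive lookup against itself must succeed via root hints.
nslookup.exe -type=A www.example.com 127.0.0.1
# On an AD DNS server: the forwarder list and slave flag appear in the server info.
dnscmd.exe 127.0.0.1 /Info
# From an internet host, a query to the DMZ server's public address must time out
# (no inbound 53); if it answers, the perimeter or host rule is wrong.
```

The order matters on the DMZ servers: set the host firewall before the role answers queries, because the role's own rules accept port 53 from any source the moment the service starts.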
Author Closing Comment by: Jason Thomas (ID: 40220334)
Great tip, thank you.