Solved

DNS question when used as a caching server and configured to use root hints

Posted on 2014-07-24
Last Modified: 2014-07-25
Hi all,

I have a design-type query.
We are deploying two 2008 R2 Core DNS caching servers on a DMZ. The DNS servers will be used for recursive queries using the root hints (no ISP DNS servers available). We will then configure our Active Directory integrated DNS servers to use the DMZ servers as forwarders from within the DNS console. Here are the questions.
1. Does anyone see any inherent problems with the design?
2. Is there anything I need to be aware of in using the cache service, as I've never set up an OS to facilitate the service before - I've normally used ISA\TMG.
3. Is it a bad idea to do this a different way? What about opening up the AD integrated DNS servers to use the root hints themselves - any concerns?
Thank you for looking.
Question by: Jason Thomas
4 Comments
 
LVL 36

Expert Comment

by: Mahesh
ID: 40217154
The best option could be to have an ISP DNS server to which you will forward your name resolution queries from the corporate network.

The workaround you have should work.

Please keep the caching DNS servers in a workgroup and do not allow any inbound traffic to them from the internet.
Just open the DNS port (53) from the caching-only server to the internet to get name resolution.
From the internal AD servers you need to open port 53 towards the caching-only server.

It's not a very good idea to enable direct internet name resolution on an AD server if other options are available.
 
LVL 1

Author Comment

by: Jason Thomas
ID: 40218636
Hi Mahesh, I appreciate your time in responding to me, thank you. I understand what you have said but do have one follow-up question.
You mention not allowing any inbound traffic from the internet to the caching servers; I assume I open UDP and TCP port 53 from the caching servers through the firewall and this will do what you recommend?
From the internal DNS servers, open UDP and TCP ports from each DNS server to the 2 caching servers?

Thank you.
 
LVL 36

Accepted Solution

by: Mahesh (earned 500 total points)
ID: 40219293
Yes, you are right.
Just trying to keep it as secure as possible.

If you want, you can open TCP 80 and 443 from the caching servers to the internet so that, in case you face any issues, you can test connectivity from the caching-only servers to the internet.
 
LVL 1

Author Closing Comment

by: Jason Thomas
ID: 40220334
Great tip thank you
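The design the thread settles on, written out as an added example (not from the post, and not a Microsoft-supplied script): a dnscmd/netsh batch file for the 2008 R2 Core caching-only servers (recursion via root hints, default-deny firewall with port 53 in only from the AD DNS servers and out only to the internet, the optional 80/443 test rules) plus the matching forwarder setting on the AD DNS servers. All addresses, rule names and the script name are assumed placeholders; management, patching and time-sync firewall rules are deliberately not shown and must be added before the outbound block is applied.

```batch
@echo off
REM dmz-dns.cmd - added example, not from the thread. Placeholder addresses, replace them.
REM Usage: dmz-dns.cmd dmz   (run on each DMZ caching-only server, 2008 R2 Core, DNS role installed)
REM        dmz-dns.cmd ad    (run on each internal AD-integrated DNS server)
set AD_DNS=10.10.0.11,10.10.0.12
set DMZ_DNS_1=192.0.2.10
set DMZ_DNS_2=192.0.2.11

if /i "%~1"=="dmz" goto dmz
if /i "%~1"=="ad"  goto ad
echo Usage: %~nx0 dmz ^| ad & exit /b 1

:dmz
REM Caching-only server: recursion on, no forwarders (root hints only), cache-pollution protection on
dnscmd /Config /NoRecursion 0
dnscmd /ResetForwarders
dnscmd /Config /SecureResponses 1

REM Default-deny in both directions, then allow only what the thread needs.
REM (Add your own RDP/WinRM/NTP/update rules first, or you lock yourself out.)
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
REM Inbound 53 only from the internal AD DNS servers: nothing inbound from the internet
netsh advfirewall firewall add rule name="DNS in from AD DNS UDP" dir=in action=allow protocol=UDP localport=53 remoteip=%AD_DNS%
netsh advfirewall firewall add rule name="DNS in from AD DNS TCP" dir=in action=allow protocol=TCP localport=53 remoteip=%AD_DNS%
REM Outbound 53 to anywhere, so recursion through the root hints works
netsh advfirewall firewall add rule name="DNS out UDP" dir=out action=allow protocol=UDP remoteport=53
netsh advfirewall firewall add rule name="DNS out TCP" dir=out action=allow protocol=TCP remoteport=53
REM Optional, per the accepted answer: 80/443 out for connectivity tests only
netsh advfirewall firewall add rule name="HTTP HTTPS out test" dir=out action=allow protocol=TCP remoteport=80,443
REM Check: a recursive lookup from this box should resolve via the root hints
nslookup -type=A www.example.com 127.0.0.1
exit /b 0

:ad
REM Forward to the two DMZ caching servers; /slave means never fall back to root hints,
REM which matches the advice not to let the AD servers resolve on the internet directly
dnscmd /ResetForwarders %DMZ_DNS_1% %DMZ_DNS_2% /slave
REM Check the forwarder path end to end
nslookup -type=A www.example.com 127.0.0.1
exit /b 0
```

On the AD servers the same `/slave` setting corresponds to clearing "Use root hints if no forwarders are available" in the DNS console.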
