DNS question when used as a caching server and configured to use root hints
Hi all,
have a design type query.
We are deploying a two 2008 R2 Core DNS caching server on a DMZ. The DNS server will be used for recursive quires using the root hints (no ISP DNS servers available). We will then configure our Active Directory integrated DNS servers to use the DMZ servers as forwarder from within DNS console. Here are the questions.
1. Does anyone see any inherent problems with the design?
2. Is there anything I need to be aware of in using the cache service as I've never set an OS to facilitate the service before - normally used ISA\ TMG.
3. Is it a bad idea to do this a different way, what about opening up the AD Integrated DNS servers to use the root hints themselves - any concerns?
Thank you for looking.
have a design type query.
We are deploying a two 2008 R2 Core DNS caching server on a DMZ. The DNS server will be used for recursive quires using the root hints (no ISP DNS servers available). We will then configure our Active Directory integrated DNS servers to use the DMZ servers as forwarder from within DNS console. Here are the questions.
1. Does anyone see any inherent problems with the design?
2. Is there anything I need to be aware of in using the cache service as I've never set an OS to facilitate the service before - normally used ISA\ TMG.
3. Is it a bad idea to do this a different way, what about opening up the AD Integrated DNS servers to use the root hints themselves - any concerns?
Thank you for looking.
ASKER
Hi Mahesh, I appreciate your time in responding to ma thank you. I understand what you have said but do have one follow up question.
You say about not allowing any inbound traffic from the internet to the caching servers, I assume I open open UDP and TCP port 53 from the caching servers through firewall and this will do what you recomend?
From Internal DNS servers, open UDP and TCP ports from each DNS server to the 2 caching servers?
Thank you.
You say about not allowing any inbound traffic from the internet to the caching servers, I assume I open open UDP and TCP port 53 from the caching servers through firewall and this will do what you recomend?
From Internal DNS servers, open UDP and TCP ports from each DNS server to the 2 caching servers?
Thank you.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Great tip thank you
The workaround you have should work
Please keep caching DNS servers in workgroup and do not allow any inbound traffic on them from internet
Just open dns port (53) from caching only server to internet to get name resolution
From internal AD servers you need to open 53 ports towards caching only server
Its not very good idea to enable direct internet name resolution on AD server if other options are abavailable.