Solved

Guide on how to setup internal DNS

Posted on 2017-10-20
Last Modified: 2017-11-06
My organization has a SonicWALL TZ600 firewall and two Server 2016 servers with the DNS role that handle DNS for our organization.

A previous IT administrator set up the SonicWALL TZ600 firewall so that it dynamically assigns IP addresses to the Windows 10 client computers and assigns the following DNS server addresses:

172.16.0.26 (the static IP address of one of the Server 2016 domain controllers)
Two other IP addresses are also assigned:
8.8.8.8
8.8.4.4

The reason that these public DNS server addresses are being used and we aren't using the DNS server IP addresses associated with our ISP is because we have a primary ISP and a failover ISP connected to our firewall. That way if the primary ISP goes down then the secondary ISP will pick up in its place until the primary ISP comes back online. This is important since we have had several times where our primary ISP has gone offline.

However, I have been told in other postings here that the two DNS server addresses of 8.8.8.8 & 8.8.4.4 shouldn't be assigned to the Windows 10 client computers.

We need to make sure that our network is completely self-sufficient so that if either one of the Server 2016 domain controllers/DNS servers goes offline then the Windows 10 client computers will still be able to connect to websites on the internet even while the two servers are down.

So what is the right way to properly set up our organization's internal DNS?

Please let me know if any further information is needed.
Question by:Knowledgeable
5 Comments
 
LVL 18

Accepted Solution

by:
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer earned 1500 total points
ID: 42338703
The proper way to set this up is to have your 2 Domain controllers as DNS servers.  This is the way they are set up by default when they become Domain Controllers.

Ensure that DNS is replicating between them.  On the NIC of DC1, set the DNS to itself and the second DNS to the DC2.  On DC2, set the NIC for DNS to DC1 and itself as secondary.

Now, in the DNS server, ensure your Forward Lookup Zone for your domain is populating and make sure you set up a Reverse Lookup Zone for that subnet.

Remove any forwarders or conditional forwarders. You do not need them as your DNS servers will go to the Internet Root servers to resolve addresses when it needs to.  

In your DHCP, when addresses are given out, point DNS Primary to DC1 and DNS Secondary to DC2.  In a domain environment, you do not want your DNS going to google as its primary.  Your ISP selection is not an issue if you are set up this way as this is Microsoft's best practice.

Lastly, with a Domain, set up DHCP on a couple of servers. You can use these DCs if you want. In the DHCP scope you can also specify there the proper settings for DNS as well as other things. You can set up both servers for redundancy.

Finally, if you are not using a DC for your DHCP and still want to use the SonicWALL, then that needs to be added to the group DNSUpdateProxy in active directory.

Use the KISS method and keep it simple.
1
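The steps in the accepted answer (NIC DNS order on each DC, forward and reverse zones, no forwarders, DHCP scope pointing at DC1 then DC2) as one PowerShell script. This is an added example, not something posted in the thread. It assumes DC1 is 172.16.0.26 (from the question), DC2 is 172.16.0.27, the domain is corp.example and the client subnet is 172.16.0.0/24; all of those except the first are placeholders. It uses the DnsServer and DhcpServer RSAT modules and is meant to be run elevated on each DC.

```powershell
# Added example, not from the thread. Placeholders: DC2 address, domain name,
# subnet and DHCP scope. DC1 = 172.16.0.26 comes from the question.
$Dc1    = '172.16.0.26'
$Dc2    = '172.16.0.27'          # placeholder: second DC's static address
$Domain = 'corp.example'         # placeholder: AD DNS domain name
$Net    = '172.16.0.0/24'        # placeholder: client subnet for the reverse zone
$Scope  = '172.16.0.0'           # placeholder: DHCP scope ID on this server

# Itself first, the other DC second (step "On the NIC of DC1 ... On DC2 ...").
$Self, $Partner = if ($env:COMPUTERNAME -eq 'DC1') { $Dc1, $Dc2 } else { $Dc2, $Dc1 }
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $Self, $Partner

# Forward zone: confirm it is AD-integrated, so replication is handled by AD.
Get-DnsServerZone -Name $Domain |
    Format-Table ZoneName, ZoneType, IsDsIntegrated, ReplicationScope -AutoSize

# Reverse zone for the client subnet, created only if it does not exist yet.
$revZone = '0.16.172.in-addr.arpa'
if (-not (Get-DnsServerZone -Name $revZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $Net -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# Drop forwarders and conditional forwarder zones; resolution then uses root hints.
$fwd = (Get-DnsServerForwarder).IPAddress
if ($fwd) { Remove-DnsServerForwarder -IPAddress $fwd -Force }
Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder' |
    ForEach-Object { Remove-DnsServerZone -Name $_.ZoneName -Force }

# DHCP scope: option 6 (DNS servers) = DC1 then DC2, option 15 = domain name.
# No public resolvers are handed to clients.
Set-DhcpServerv4OptionValue -ScopeId $Scope -DnsServer $Dc1, $Dc2 -DnsDomain $Domain

# Checks: internal AD SRV record resolves from this server, a public name resolves
# through root hints, and the root hint list is populated.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Self
Resolve-DnsName -Name 'www.example.com' -Server $Self
"Root hints loaded: " + (Get-DnsServerRootHint | Measure-Object).Count
```

Run it on DC1, then on DC2; the `$Self`/`$Partner` swap is keyed on the computer name, so adjust that test if your DCs are not literally named DC1 and DC2. The final `Resolve-DnsName` calls are the quick way to confirm that internal names come from AD and external names still resolve once the forwarders are gone.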
 
LVL 41

Assisted Solution

by:footech
footech earned 1500 total points
ID: 42338704
Your DC/DNS servers should be configured with root hints or forwarders.  If using root hints, then it does matter which ISP you're using; and if using forwarders, you can use 8.8.8.8 and 8.8.4.4 and it won't matter which ISP you're using.

I have to disagree with the following statement (as I understand it).
We need to make sure that our network is completely self sufficient so that if either one of the Server 2016 domain controllers/DNS servers go offline then the Windows 10 client computers will still be able to connect to websites on the internet even while the two servers are down.
I'd say it's a bigger concern to guard against both DC/DNS servers being down.  That's one of the biggest points of having more than one - to provide fault tolerance.  Your internal clients should be configured with both of the DC/DNS servers in the NIC properties.  Then one being down won't be a problem.  If both are down, you've got a bigger problem than being concerned about who can reach the internet.
0
 
LVL 18

Assisted Solution

by:Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer earned 1500 total points
ID: 42338707
Using root hints does not matter for the ISP.  The DNS server will look at itself for internal addresses and route accordingly. This is why you do not want your clients going outside to google to attempt to get name resolution.  They need to resolve internally first and if they need to go outside, let your internal DNS servers do what they were designed to do and resolve those addresses, caching the information and then making subsequent requests get the information from the cache.

If your DNS is set up properly, the DNS server will send any Internet requests to the router which will send that request out whatever pipe is working for resolution. Plain and Simple.  Your DNS server does not care if you are attached to CenturyLink today or Comcast tomorrow. All it wants is a pipe to the internet to route traffic.

Forwarders DO make a difference, so footech you have your statement backwards.  If ISP 1 goes down and you are using its DNS servers in the forwarders, it MAY not work, but then again, just because your section of the ISP 1 pipe is down, does not mean that its DNS servers are not accessible from ISP 2's pipe.  Using root hints, as long as there is a pipe, no matter whose, it will go out to those root servers to resolve.

Again, KISS.  Don't use forwarders unless you have to and let your internal DNS Servers work like they were designed to do.
0
 

Author Comment

by:Knowledgeable
ID: 42338711
Are there any online guides or books that describe how to properly set this up?
0
 
LVL 41

Assisted Solution

by:footech
footech earned 1500 total points
ID: 42338759
From my post...
If using root hints, then it does matter which ISP you're using
that was a mis-type.  I meant to say it does not matter.

I'm glad you caught that Steve.
RE: forwarders, I specifically mentioned 8.8.8.8 and 8.8.4.4 because use of those does not depend on which ISP you're connected to.  I know some people don't like forwarders, but I'm not one of them.  Using forwarders or root hints is typically a choice made after weighing different factors:
 - by measuring responses and choosing which gives you better performance
 - whether the use of forwarders gives you any filtering benefit (for example, OpenDNS)
At one point there was also a bug with Server 2008 R2 with using root hints.
0
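footech's point that the forwarders-versus-root-hints choice is usually made by measuring responses can be checked directly. The script below is an added example, not part of either answer: it times cold lookups for a few public names through the local DC (172.16.0.26, from the question) and the same lookups sent straight to 8.8.8.8, then prints the server's current forwarder setting so you can see which path the DC is actually using. The host names are arbitrary public names chosen for the test.

```powershell
# Added example, not from the thread. Compares lookup latency via the local DC
# (root hints or forwarders, whichever is configured) against a direct query to 8.8.8.8.
$Local  = '172.16.0.26'      # DC1, from the question
$Public = '8.8.8.8'          # public resolver discussed in the thread
$Names  = 'www.example.com', 'www.microsoft.com', 'www.wikipedia.org'

function Measure-Lookup {
    param([string]$Name, [string]$Server)
    Clear-DnsClientCache     # keep the client cache from masking the server's work
    $elapsed = Measure-Command {
        Resolve-DnsName -Name $Name -Server $Server -DnsOnly -ErrorAction Stop
    }
    [math]::Round($elapsed.TotalMilliseconds, 1)
}

# First pass is a cold lookup on the DC; run the script twice to see the
# effect of the DC's own cache on the second pass.
$results = foreach ($n in $Names) {
    [pscustomobject]@{
        Name     = $n
        LocalMs  = Measure-Lookup -Name $n -Server $Local
        PublicMs = Measure-Lookup -Name $n -Server $Public
    }
}
$results | Format-Table -AutoSize

# Server-side policy: if any forwarder is listed, it is tried before root hints
# (UseRootHint controls the fallback when forwarders fail).
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout
"Root hints loaded: " + (Get-DnsServerRootHint | Measure-Object).Count
```

Run it from a domain-joined workstation with the RSAT DNS tools installed, or on the DC itself. The `Get-DnsServerForwarder` output is the thing to read first: if it lists 8.8.8.8, the "LocalMs" column is really measuring the forwarder path plus one hop, not root-hint resolution.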
