DNS Question..

Wes

Is there a way in Win2K DNS to have a host record resolve
to a different IP address for users behind the firewall
vs. those outside the firewall?

I know I could do this if I set up 2 DNS servers, but I
was hoping to do this within the same server. Maybe by
subnet or security groups..?

Thanks in advance,

Wes
 
Is there a way in Win2K DNS to have a host record resolve
to a different IP address for users behind the firewall
vs. those outside the firewall?

No, not directly as in BIND (9 at least, and 8 I think).

You must use another DNS server, e.g., BIND 9, or
use two Windows DNS servers to have the "same" zone
give different answers.

I know I could do this if I set up 2 DNS servers, but I
was hoping to do this within the same server. Maybe by
subnet or security groups..?

Nope -- there is nothing equivalent to BIND ACLs (which
for Windows users reading this, are completely different
from security ACLs in Windows) and although you can
specify a "listen on" address set, you cannot run "two copies"
of MS DNS or otherwise differentiate the answers from
the single server.

In several ways MS DNS (Win2000+) is superior to BIND
and in most areas equivalent to BIND, but this is NOT one
of those areas.
 
Herb is right.

However if you have multiple host records for the same
name with different IPs, and have subnet mask ordering
enabled (the default), DNS will attempt to order the IPs
in a reply so that the "closest" (classful network) to the
requester's IP appears first.

Whether this helps you depends on what you are
trying to do.

Steve Duff, MCSE
Ergodic Systems, Inc.
 
Steve Duff said:
Herb is right.

However if you have multiple host records for the same
name with different IPs, and have subnet mask ordering
enabled (the default), DNS will attempt to order the IPs
in a reply so that the "closest" (classful network) to the
requester's IP appears first.

Whether this helps you depends on what you are
trying to do.

Whoo, had to think about that for a bit, but then realized
that while you are technically correct, this would seldom
hold up in real networks -- and probably not reliably if
it seemed to work.

There will be no preference for external name resolution
IF the web site has a random Internet or a private address.
(Random includes a "dedicated rental server" somewhere
else on the Internet or even the IP of the DNS server).

There will be no preference if the internal machines are
in a different range than the DMZ (e.g., the DMZ uses
172.16.x.y and the internal uses 10.x.y.z)

And any machine with but one address will be shown
to all clients the same (such as an internal server which
shouldn't even appear externally resolvable.)

Don't do it.

BIND wins here.

"Views" (using ACLs) rule for this sort of thing, and I
wish it weren't so.

BTW, I actually use a BIND (free) server on my gateway
now, and MS internally for everything else due mostly to
this behavior (and being able to preload the cache with
"dead end" resolution for known "bad places.")
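The BIND 9 "views with ACLs" setup Herb refers to, written out as an added example (not from any of the posters): one server, one zone name, two different answer sets chosen by the querying client's source address. The address ranges, zone name and file paths are assumed placeholders.

```conf
// Clients that count as "behind the firewall" (assumed RFC 1918 ranges).
acl internal {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    localhost;
};

// Once any view is declared, every zone must live inside a view.
// Views are tested in order and the first match-clients that matches
// the querier wins, so the internal view must be listed first.
view "internal" {
    match-clients { internal; };
    recursion yes;            // inside clients may use this box as a resolver
    zone "example.com" {
        type master;
        file "zones/internal/example.com.zone";   // e.g. www IN A 10.0.0.80
    };
};

view "external" {
    match-clients { any; };   // everyone else, i.e. the Internet side
    recursion no;             // never recurse for outsiders (open-resolver risk)
    zone "example.com" {
        type master;
        file "zones/external/example.com.zone";   // e.g. www IN A 203.0.113.80
    };
};
```

Check the syntax with `named-checkconf` before reloading, then confirm the split with `dig @<server> www.example.com A` from an inside host and from an outside host; hosts that exist only in the internal zone file should return NXDOMAIN from outside.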
 