DNS Setup Question

BenignVanilla

I have DNS configured on my network, but I am not a DNS expert so I am
wondering if my setup is correct, or the most efficient. Any feedback would
be appreciated.

I have a firewall PC that is running w2k, with winproxy to share the
internet for the LAN. I have one NIC for the Internet, and a second NIC for
the LAN segment. I also have a domain controller on the network which has
DNS setup, with a forwarder to the firewall machine.

All clients on the network have the domain controller set as the primary DNS,
and the firewall set as the secondary DNS. All clients also have the
firewall PC set as their gateway.

My questions:

Should the LAN NIC in the firewall be set to use itself for DNS, or should
it point to the primary and then itself as a secondary like all other
clients? Should it point to itself as the gateway as the clients do?

Should the domain controller point to the firewall and then to itself for
DNS? or to itself only?
 
BenignVanilla said:
<snip>
All clients on the network have the domain control set as the primary
DNS, and the firewall set as the secondary DNS. All clients also have
the firewall PC set as their gateway.

My questions,

Should the LAN NIC in the firewall be set to use itself for DNS, or
should it point to the primary and then itself as a secondary like
all other clients? Should it point to itself as the gateway as the
clients do?

Should the domain controller point to the firewall and then to itself
for DNS? or to itself only?

Incorrect, ALL domain members MUST use the DC only for DNS. Do not use
external DNS in ANY position.
The DNS on the DC will handle all external DNS resolution, either through
recursion or by a forwarder.
For recursion or forwarders to work you usually must delete the "." forward
lookup zone if one exists. If the "." zone exists, you cannot enable a
forwarder and recursion won't work unless you have delegated the zone to
internet roots.
 
Kevin D. Goodknecht said:
Incorrect, ALL domain members MUST use the DC only for DNS. Do not use
external DNS in ANY position.
<snip>

So you are saying for the best results, I should have all LAN NICs point to
the Domain Controller, and have it deal with the firewall (providing
resolution from ISP) for forwarding? No clients will point to the Firewall
for DNS even as a secondary? What happens if the domain controller goes
down? Clients will then not be able to resolve anything, correct?

BV.
 
BenignVanilla said:
So you are saying for the best results, I should have all LAN NIC's
point to the Domain Controller, and have it deal with the firwall
(providing resolution from ISP) for forwarding?
That is correct; there are many posts concerning this very same question.
No clients will point
to the Firewall for DNS even as a secondary?
Not even as secondary (Alternate). You have to understand how the TCP/IP
stack uses DNS. If the preferred DNS times out (1 sec) the stack moves the
alternate DNS to the top of the list. If that is your ISP's DNS, it cannot
resolve your local domain, so when you make a query to your ISP's DNS for a
local machine, if it does not time out but instead answers NXDOMAIN (not
found) the query fails and it will not switch back to your local DNS. So you
will start getting network errors and slow performance.
What happens if the
domain controller goes down?
Believe me, if the DC goes down internet resolution will be the least of your
worries. You won't be able to do anything because the DC won't be there to
authenticate anything you do.
If it is down for very long you'll just have to log on to the local machine
and then you can put your ISP's DNS in temporarily for external email. That
is as long as you don't need access to domain resources like network
printers and shares.
Clients will then not be able to
resolved anything correct?
See previous answer.
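The two behaviours Kevin describes in this thread, the "." forward lookup zone blocking the forwarder in his first reply and the alternate-DNS promotion in the reply above, as an added example that is not part of the original posts: a small Python model of a DC resolver, an ISP resolver and a client's DNS server list. The server names, zone names and addresses (corp.local, example.com, 203.0.113.10, 192.168.1.x) are constructed for illustration, and the client logic is a deliberate simplification of the Windows stack (a timed-out preferred server is bypassed and the server that answers is promoted; an NXDOMAIN is accepted as final and no other server is asked). Nothing here talks to real DNS.

```python
# Added example, not from the thread. Toy model of two DNS failure modes:
# (1) ISP DNS listed as alternate on a domain member, (2) a "." zone on the DC.
# All names and addresses are constructed for illustration.
from dataclasses import dataclass

TIMEOUT = "TIMEOUT"    # server did not answer
NXDOMAIN = "NXDOMAIN"  # authoritative "no such name"


@dataclass
class DnsServer:
    name: str
    zones: dict                          # zone name -> {fqdn: ip}; "." is a root zone
    forwarder: "DnsServer | None" = None
    up: bool = True

    def authoritative_zone(self, fqdn):
        """Longest hosted zone containing fqdn, or None. A "." zone matches every
        name, so hosting it means claiming authority for the whole namespace."""
        best = None
        for zone in self.zones:
            if zone == "." or fqdn == zone or fqdn.endswith("." + zone):
                if best is None or len(zone) > len(best):
                    best = zone
        return best

    def resolve(self, fqdn):
        if not self.up:
            return TIMEOUT
        zone = self.authoritative_zone(fqdn)
        if zone is not None:
            # Authoritative answer: the record, or NXDOMAIN. With a "." zone this
            # branch also swallows external names, so the forwarder is never used.
            return self.zones[zone].get(fqdn, NXDOMAIN)
        if self.forwarder is not None:
            return self.forwarder.resolve(fqdn)
        return NXDOMAIN  # no recursion modelled


class DnsClient:
    """Simplified client stack: skip a server that times out, promote the server
    that answers to the head of the list, and treat NXDOMAIN as final."""

    def __init__(self, servers):
        self.servers = list(servers)

    def query(self, fqdn):
        for i, server in enumerate(self.servers):
            answer = server.resolve(fqdn)
            if answer == TIMEOUT:
                continue
            if i > 0:
                self.servers.insert(0, self.servers.pop(i))  # promotion
            return answer
        return TIMEOUT


def build_network(dc_has_root_zone=False):
    """ISP resolver knows only external names; the DC hosts the AD zone and
    forwards everything else to the ISP (constructed data)."""
    isp = DnsServer("isp", {"example.com": {"www.example.com": "203.0.113.10"}})
    zones = {"corp.local": {"dc1.corp.local": "192.168.1.2",
                            "fileserver.corp.local": "192.168.1.5"}}
    if dc_has_root_zone:
        zones["."] = {}
    return DnsServer("dc1", zones, forwarder=isp), isp


def demo_isp_as_alternate():
    """DC preferred, ISP alternate: a brief DC outage promotes the ISP and
    internal names then fail for good, even after the DC is back."""
    dc, isp = build_network()
    client = DnsClient([dc, isp])
    before = client.query("fileserver.corp.local")
    dc.up = False
    during = client.query("www.example.com")       # ISP answers, gets promoted
    dc.up = True
    after = client.query("fileserver.corp.local")  # ISP: NXDOMAIN, DC never asked
    return before, during, after


def demo_dc_only():
    """DC only: an outage is a timeout, and service returns with the DC."""
    dc, _isp = build_network()
    client = DnsClient([dc])
    before = client.query("fileserver.corp.local")
    dc.up = False
    during = client.query("fileserver.corp.local")
    dc.up = True
    after = client.query("fileserver.corp.local")
    return before, during, after


def demo_root_zone():
    """A "." zone makes the DC answer NXDOMAIN for external names instead of
    forwarding; deleting the zone restores forwarding."""
    dc, _isp = build_network(dc_has_root_zone=True)
    with_root = dc.resolve("www.example.com")
    del dc.zones["."]
    return with_root, dc.resolve("www.example.com")


if __name__ == "__main__":
    print("ISP as alternate:", demo_isp_as_alternate())
    print("DC only:        ", demo_dc_only())
    print("root zone on DC:", demo_root_zone())
```

The model is intentionally stateless about timing; the real stack's reordering and retry intervals differ, but the outcome Kevin warns about is the same: once a resolver that cannot see the AD zone is consulted first, its NXDOMAIN is a definitive answer and the client has no reason to try the DC again.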
 
Not even as secondary (Alternate). You have to understand how the TCP/IP
stack uses DNS. If the preferred DNS times out (1 sec) the stack moves the
alternate DNS to the top of the list. If that is your ISP's DNS, it cannot
resolve your local domain, so when you make a query to your ISP's DNS for a
local machine, if it does not time out but instead answers NXDOMAIN (not
found) the query fails and it will not switch back to your local DNS. So you
will start getting network errors and slow performance.
<snip>

I never realized this. I made some changes last night. The network was down
for a while, as I guess I screwed something up. At about 1:30am, I got control
back and things seemed faster. I need to document it now, and post to verify
I have it correct.

Until then, thanks for your assistance.

BV.
 