Bartly said:
> 100 node, 8 server domain with 2 win2003 DC's. The DNS on each DC points to a
> third DNS server that forwards to our ISP DNS for external resolution. Works
> great.
Very normal, especially if that 3rd-Forwarder DNS is
on your Firewall or close to it.
> Question: The third DNS server is going away. Before I install another DNS
> server to replace it, I wonder if I really need this setup?
I prefer it. You CAN allow the DCs to visit the ISP -- that
isn't usually too large a security risk, but it is slightly safer
to keep the DCs INSIDE your network, and it also simplifies
your firewall administration. (You don't have to make
exceptions for the DCs.)
It also consolidates your DNS cache (any client from either
internal DNS server will benefit from the consolidated cache
and it might work a BIT faster.)
> Can I just set
> the DNS on each DC to forward to the external DNS? Or use one as the
> forwarder?
Yes.
> Or use root hints?
I am opposed to this but it is not a major crime.
You are basically telling your DCs it is ok to visit
the ENTIRE INTERNET, including those wonderful
places like ns1.ReallyEvilCrackers.com.
It also bypasses the (hopefully) much more populated
cache of the ISP DNS, and requires all the actual
queries to traverse your WAN separately rather than
sending one request to the ISP and letting it deal with
the requests, and the security issues.
IF you eliminate the 3rd DNS then you should also
implement "do not use recursion" (ONLY on the
Forwarders tab).
You do recognize that the 3rd DNS server does NOT
need to have any zone, and probably should NOT have
any. It should be a caching only DNS server and NO
client should point to it in the NIC-IP settings (probably
it should not even point to itself if it is a domain machine.)
All INTERNAL DNS clients must point solely at the
fully populated INTERNAL DNS servers.
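An added example, not part of Bartly's post or the reply above, that applies and checks the settings the reply describes: forwarders pointed at the ISP, root-hint fallback switched off (the Forwarders-tab setting, not the Advanced-tab one), no zones on a caching-only box, and every NIC pointed only at the internal DNS servers. It assumes Windows Server 2012 or later with the DnsServer and DnsClient PowerShell modules; the thread's own servers are Windows 2003, where the same changes are made in the DNS console or with dnscmd.exe (noted in comments). All IP addresses and the test name are constructed placeholders.

```powershell
# Added example, not from the thread. Requires the DnsServer/DnsClient modules
# (Server 2012+). dnscmd.exe equivalents for Windows 2003 are given in comments.
# Addresses are RFC 5737/1918 placeholders, not real servers.

$IspForwarders = @('192.0.2.53', '192.0.2.54')   # constructed: the ISP's resolvers
$InternalDns   = @('10.0.0.10', '10.0.0.11')     # constructed: the two DCs

function Set-ForwardOnlyDns {
    # Point this DNS server at the ISP and forbid falling back to root hints
    # when the forwarders do not answer. This is the Forwarders-tab setting
    # "Do not use recursion for this domain".
    # Windows 2003 equivalent: dnscmd . /ResetForwarders <ip> /Slave
    Set-DnsServerForwarder -IPAddress $IspForwarders -UseRootHint $false -Timeout 3

    # Do NOT touch the Advanced-tab "Disable recursion (also disables forwarders)"
    # (Set-DnsServerRecursion -Enable $false / dnscmd . /Config /NoRecursion 1):
    # it would stop the DCs answering any query outside their own zones.
    $recursion = Get-DnsServerRecursion
    if (-not $recursion.Enable) {
        Write-Warning 'Server-wide recursion is disabled; the forwarders are ignored in that state.'
    }

    $fwd = Get-DnsServerForwarder
    "Forwarders: $($fwd.IPAddress -join ', ')  UseRootHint: $($fwd.UseRootHint)"
}

function Test-CachingOnlyServer {
    # A caching-only forwarder should carry no zones beyond the ones the
    # DNS service creates automatically (0., 127., 255.in-addr.arpa, TrustAnchors).
    $extra = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }
    foreach ($zone in $extra) {
        Write-Warning "Unexpected zone on caching-only server: $($zone.ZoneName) ($($zone.ZoneType))"
    }
    return ($extra.Count -eq 0)
}

function Test-ClientDnsSettings {
    # Every NIC, including those on the DCs themselves, must point only at the
    # fully populated internal DNS servers; never at the ISP or the caching box.
    $ok = $true
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            $bad = $_.ServerAddresses | Where-Object { $_ -notin $InternalDns }
            if ($bad) {
                Write-Warning "$($_.InterfaceAlias) uses non-internal DNS: $($bad -join ', ')"
                $ok = $false
            }
        }
    return $ok
}

function Test-ExternalResolution {
    # Smoke test through an internal DC: an external name must still resolve,
    # which proves the forwarders work after the third server is removed.
    # -DnsOnly bypasses the local cache and hosts file for this query.
    $answer = Resolve-DnsName -Name 'www.example.com' -Type A -Server $InternalDns[0] -DnsOnly -ErrorAction Stop
    return ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress
}

Set-ForwardOnlyDns
Test-ClientDnsSettings
Test-ExternalResolution
```

Run Set-ForwardOnlyDns on each DC once the old server is gone; run Test-CachingOnlyServer only on a middle forwarder if you decide to keep one. If Test-ClientDnsSettings warns on a DC, fix the NIC with Set-DnsClientServerAddress (or the IPv4 properties dialog on 2003) before removing the third server, otherwise that DC will lose name resolution the moment the old forwarder goes away.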