Forwarding or Stub Zones?

Hi

I am running a two level DNS on my network.

External DNS on my DMZ which is accessed by the internet and is used by the
other servers on the DMZ to resolve.
Internal DNS on my LAN which is used only to resolve the private addresses
of my internal machines, this then forwards to the external DNS to resolve
internet addresses.

The servers on my DMZ need to resolve names of machines on my LAN using DNS,
such as SQL servers or backend Exchange.

How can I best allow DNS on the DMZ to resolve the addresses? Conditional
Forwarding, Stub zones, or something else?

Either way that leaves my external DNS capable of resolving internal IP
addresses to anyone that queries the zone name of my internal LAN. Which I
think is a bit insecure.

Anyone have a good idea of the best way to deal with this?

Thanks
M
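To make the two options in the question concrete, here is an added example (not from the thread) of configuring each one on a Windows DNS server with the DnsServer PowerShell module (Windows Server 2012 or later, which post-dates this thread). The zone name, server addresses and host name are placeholders, and the `Resolve-DnsName` check assumes the internal zone really holds such a record.

```powershell
# Added example, not from the thread. Run on the DMZ DNS server that must
# resolve LAN names. Placeholder values:
#   corp.example.internal  = the internal LAN zone
#   10.0.0.10, 10.0.0.11   = the internal (LAN) DNS servers that hold it
# Requires the DnsServer module (Windows Server 2012 or later).

$InternalZone    = 'corp.example.internal'
$InternalServers = '10.0.0.10', '10.0.0.11'

# Option A: conditional forwarder. No copy of the zone is kept on this
# server; every query for the zone is sent to the internal servers and
# the answer is cached here until its TTL expires.
Add-DnsServerConditionalForwarderZone -Name $InternalZone `
    -MasterServers $InternalServers -ForwarderTimeout 3

# Option B: stub zone (use A or B for a given zone name, not both).
# Holds only the zone's SOA, NS and glue A records, refreshed from the
# masters, and then chases referrals to those NS servers itself. If the
# internal primary restricts who may pull the zone, confirm this server
# is permitted (assumption: check the master's transfer settings).
# Add-DnsServerStubZone -Name $InternalZone -MasterServers $InternalServers `
#     -ZoneFile "$InternalZone.dns"

# Read back what this server now knows about the zone.
Get-DnsServerZone -Name $InternalZone |
    Select-Object ZoneName, ZoneType, MasterServers

# Confirm a LAN name resolves through this DMZ server (constructed name).
Resolve-DnsName -Name "sql01.$InternalZone" -Server 'localhost' -Type A

# The concern raised in the question: with either option this server now
# answers the internal zone to any client that can reach it on port 53,
# so it should not be one of the internet-facing authoritative servers.
```

The trade-off the comments spell out is the one the question is really about: a conditional forwarder keeps nothing locally and depends on the internal servers for every cache miss, while a stub zone keeps only enough to find them; neither one has a per-client view, so whichever server hosts it must be one that the internet cannot query.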
 
We setup our DMZ boxes to resolve using the internet DNS server. Too much
trouble to maintain an independent DMZ DNS/hostfiles...

dp
 
We host our own domains so using the ISP isn't an option.

Thanks for the quick response though.

M
 
huff-n-puff said:
> We host our own domains so using the ISP isn't an option.
>
> Thanks for the quick response though.
>
> M


I believe what Dan is saying is that he configured all his DMZ machines to ONLY
use the internal DNS servers, and not your external or ISP's DNS. This way they
all resolve the internal stuff. If they need external resolution, assuming
your internal DNS are configured with forwarding, they will still resolve
outside names.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
My DMZ has approx 30 servers providing various services.
We have 3 DNS servers on the DMZ providing approx 70 DNS zones to the
internet.
The servers on the DMZ do not query our ISP they query the DNS servers on
our DMZ.

Just to clarify your suggestion.

Set all the servers on the DMZ to query the LAN DNS servers which would in
turn forward the request to the DNS servers on the DMZ then pass the response
back to the DNS servers on the LAN which would in turn pass the response back
to the server on the DMZ.....

Would that not create a hell of a lot of traffic on our firewall?
 
huff-n-puff said:
> My DMZ has approx 30 servers providing various services.
> We have 3 DNS servers on the DMZ providing approx 70 DNS zones to the
> internet.
> The servers on the DMZ do not query our ISP they query the DNS
> servers on our DMZ.
>
> Just to clarify your suggestion.
>
> Set all the servers on the DMZ to query the LAN DNS servers which
> would in turn forward the request to the DNS servers on the DMZ then
> pass the response back to the DNS servers on the LAN which would in
> turn pass the response back to the server on the DMZ.....
>
> Would that not create a hell of a lot of traffic on our firewall?

Those 3 DNS servers in your DMZ are essentially "ISP" or "external" DNS
servers. They do NOT hold your internal data, nor do you want them to.

The suggestion is correct. If you want, you can set up a wholly separate DNS
in the DMZ that will have a secondary zone(s) from an internal DNS. Then
set up a forwarder from that to your others or ISP's. That config will reduce
traffic across your firewall. But to get what you want to accomplish, you
apparently need to do it this way, well, one way or another, and not use
your public DNS servers, because you need to get to your internal resources.

Logical?


Ace
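The design Ace describes in this reply, as an added example that is not part of the thread: a dedicated DMZ resolver, separate from the three public authoritative servers, holding a secondary copy of the internal zone, with the internal primary restricted to transfer only to that one host, and the resolver forwarding everything else to the public DNS servers. It assumes the DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later); every name and address is a placeholder, and each section is run on the host named in its comment.

```powershell
# Added example, not from the thread. Placeholder values:
#   corp.example.internal = internal LAN zone
#   10.0.0.10             = internal (LAN) primary DNS for that zone
#   192.0.2.53            = dedicated DMZ resolver (NOT one of the 3 public DNS servers)
#   192.0.2.10, 192.0.2.11 = two of the DMZ's public DNS servers, used as forwarders
$InternalZone   = 'corp.example.internal'
$InternalMaster = '10.0.0.10'
$DmzResolver    = '192.0.2.53'
$PublicDns      = '192.0.2.10', '192.0.2.11'

# --- Run on the internal (LAN) primary: hand the zone only to the DMZ resolver.
# TransferToSecureServers limits AXFR/IXFR to the listed IPs, so the public
# servers (or anyone else) cannot pull the internal zone; NOTIFY keeps the
# resolver current without frequent SOA polling across the firewall.
Set-DnsServerPrimaryZone -Name $InternalZone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $DmzResolver `
    -Notify NotifyServers -NotifyServers $DmzResolver

# --- Run on the DMZ resolver: secondary copy of the internal zone, and
# forward everything else to the public DNS servers. Those public servers get
# no forwarder, stub or secondary for the internal zone, so they never hold
# or answer internal data.
Add-DnsServerSecondaryZone -Name $InternalZone -ZoneFile "$InternalZone.dns" `
    -MasterServers $InternalMaster
Set-DnsServerForwarder -IPAddress $PublicDns -UseRootHint $false

# Confirm the transfer completed and the zone is serving (IsPaused should be
# False and ZoneType 'Secondary'); an expired or unloaded zone shows IsShutdown.
Get-DnsServerZone -Name $InternalZone |
    Select-Object ZoneName, ZoneType, IsPaused, IsShutdown, MasterServers

# --- Run on each DMZ application server: point only at the DMZ resolver.
# The resolver answers LAN names from its own copy and public names via the
# forwarders, so none of the ~30 servers hairpins through the LAN DNS.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $DmzResolver

# Firewall traffic this leaves between DMZ and LAN: TCP/UDP 53 from
# $DmzResolver to $InternalMaster (SOA refresh checks and zone transfers)
# and UDP 53 from $InternalMaster to $DmzResolver (NOTIFY), instead of a
# query round trip for every lookup from every DMZ server.
```

This is the "wholly separate DNS in the DMZ" of the reply: the only copy of the internal zone outside the LAN sits on a host that the internet-facing servers do not delegate to and that clients on the internet have no reason to reach, and the transfer restriction on the primary is what stops that copy from spreading further.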
 