How to limit external DNS clients?

Thread starter: Elesus

Elesus

Hello All,

first, I'd like to describe the situation:

we have one Microsoft DNS server inside our local network and one in the
DMZ. The DMZ DNS works as a forwarder for the internal DNS. Also DMZ DNS
hosts some zones accessible from the Internet.

We need to: 1) Leave the DMZ DNS for resolving DNS names for the InternAl
users (as a forwarder). 2) We need DMZ DNS to resolve names for the zones it
hosts, but not to do recursive lookups for the InternEt users.

Is there a way of doing it with Microsoft DNS? I do not see options for
limiting resolving for different interfaces. It seems to me Bind can do
that.

Any Ideas?
Thanks in advance...
 
Elesus said:
> Hello All,
>
> first, I'd like to describe the situation:
>
> we have one Microsoft DNS server inside our local network and one in the
> DMZ. The DMZ DNS works as a forwarder for the internal DNS. Also DMZ DNS
> hosts some zones accessible from the Internet.

Ok, it should not generally hold the zone for
internal services or internal versions of any
zones.

> We need to: 1) Leave the DMZ DNS for resolving DNS names for the InternAl
> users (as a forwarder).

The forwarder should NOT be used by any internal
clients -- they should ONLY use the internal DNS
server (set) that contains the full information.

The internal DNS server(s) should forward to the
DMZ server.

> 2) We need DMZ DNS to resolve names for the zones it
> hosts, but not to do recursive lookups for the InternEt users.

You cannot do this with the MS DNS server.

It will either recurse for all, forward for all, or neither for all.

Disabling recursion in the Advanced tab disables ALL
recursion AND all forwarding so this won't work.

> Is there a way of doing it with Microsoft DNS? I do not see options for
> limiting resolving for different interfaces. It seems to me Bind can do
> that.

No, but the best idea would be to move all your EXTERNAL
zones back to the "Registrar" DNS so that your DMZ DNS
can be strictly used for your own purposes.

And you really are supposed to have TWO (or more) Public
DNS servers -- it is a business rule in most zones.
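Editor's note, added to the thread: the reply above describes the single global recursion switch on the Advanced tab, which does disable recursion and forwarding for every client at once. Windows Server 2016 and later add DNS policy "recursion scopes", which give exactly the split the original question asks for: recursion (with its own forwarders) for queries that arrive on the inside interface from the internal DNS server, and authoritative-only answers for everything else, so the DMZ box is not an open resolver. The PowerShell below is an added example and not from either poster; the interface addresses (192.0.2.53 outside, 10.0.0.53 inside), the internal DNS server 10.0.0.10, the upstream forwarder 198.51.100.1 and the hosted zone example.com are all hypothetical placeholders.

```powershell
# Added example (not from the thread): per-interface recursion on a Windows
# Server 2016+ DNS server in the DMZ, using DNS policy recursion scopes.
# Hypothetical addresses: DMZ server listens on 192.0.2.53 (Internet side)
# and 10.0.0.53 (inside); the internal DNS server 10.0.0.10 is the only host
# that should be allowed to recurse through this box.

# 1. Default scope "." : no recursion for any query that no policy matches.
#    Authoritative answers for the zones this server hosts are unaffected.
Set-DnsServerRecursionScope -Name "." -EnableRecursion $false

# 2. A separate scope for internal traffic: recursion on, with its own
#    forwarder, so turning recursion off in "." does not also kill forwarding.
Add-DnsServerRecursionScope -Name "InternalOnly" -EnableRecursion $true `
    -Forwarder 198.51.100.1

# 3. Policy: queries arriving on the inside interface from the internal DNS
#    server use the InternalOnly scope; everything else falls through to "."
#    and is answered without recursion.
Add-DnsServerClientSubnet -Name "InternalResolvers" -IPv4Subnet "10.0.0.10/32"
Add-DnsServerQueryResolutionPolicy -Name "RecurseForInternalOnly" `
    -Action ALLOW -ApplyOnRecursion -RecursionScope "InternalOnly" `
    -ServerInterfaceIP "EQ,10.0.0.53" -ClientSubnet "EQ,InternalResolvers"

# 4. Check the result. Run these from a host on the Internet side:
#    a name in a hosted zone still answers, a name outside it is not resolved.
Resolve-DnsName -Server 192.0.2.53 -Name www.example.com -DnsOnly   # hosted zone: answers
Resolve-DnsName -Server 192.0.2.53 -Name www.example.org -DnsOnly   # not hosted: no recursion

# And from the internal DNS server (10.0.0.10) the same outside name resolves
# through the InternalOnly scope's forwarder:
Resolve-DnsName -Server 10.0.0.53 -Name www.example.org -DnsOnly
```

Two things are worth checking after applying this. Get-DnsServerRecursionScope should list "." with EnableRecursion False and InternalOnly with True, and Get-DnsServerQueryResolutionPolicy should show the policy enabled; a firewall rule that only exposes UDP/TCP 53 on 10.0.0.53 to the internal DNS server is still the belt to go with these braces.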
 