Internal vs External DNS

[Barry]

Ok. I'm working my way through an inherited win2k dns infrastucture here and
am finding some problems.
We run 2 internal DC's with DNS for our internal network. We also have 3
external facing DNS server in our DMZ. It looks like the last admin who set
this up has some of our internal zones set as secondary to Primary zones on
one of our external facing DNS servers in our DMZ.

It strikes me that you would want to have two seperate DNS records - one
internal and the other for exteral requests. I understand this means
maintening two sets of records but its that safer than passing records
though your firewall? What would people suggest for this set up? Internal
AD-intergrated and external have their own primary and secondary
relationships?

Thanks for your feedback

 

[Herb Martin]

Ok. I'm working my way through an inherited win2k dns infrastucture here
and am finding some problems.

We run 2 internal DC's with DNS for our internal network. We also have 3
external facing DNS server in our DMZ. It looks like the last admin who
set this up has some of our internal zones set as secondary to Primary
zones on one of our external facing DNS servers in our DMZ.

That MIGHT make sense but we cannot tell without knowing the purpose
of those zones in question....

It strikes me that you would want to have two seperate DNS records - one
internal and the other for exteral requests. I understand this means
maintening two sets of records but its that safer than passing records
though your firewall?

Generally this is true -- but notice that you cannot really use the EXTERNAL
DNS internally (those Secondaries) if there are discrepancies in the two
sets of records you need to resolve -- i.e., if you need to resolve them
differently.

What you describe is "Shadow DNS" (aka Split DNS) which is necessary
when you wish to use the SAME name for an "internal Zone" as you also
use for an "external zone".

What would people suggest for this set up? Internal AD-intergrated and
external have their own primary and secondary relationships?

By DEFINITION (and Design) an AD Integrated DNS Zone is the
Primary, or more accurately one of a set of (internal) Primaries on the
DCs since these are multi-mastered.

You cannot be using an AD Integrated DNS as a Secondary, although
you could do it the other way around where you have ordinary Secondary
zones using the AD Integrated DNS as a master.

 

[Barry]

Thanks Herb - it would seem that I have heading in the right direction then
with a shadow DNS. I did some reading on AD Intergrated and I think I'm
liking that. Not that we will have more that two DC in our network. Or
though I am thinking of putting a DC in a remote branch office sometime in
the future.

Any real positives or negitives eitherway from what I have discribed our
network topology to be?

Cheers

 

[Herb Martin]

Thanks Herb - it would seem that I have heading in the right direction
then with a shadow DNS. I did some reading on AD Intergrated and I think
I'm liking that. Not that we will have more that two DC in our network. Or
though I am thinking of putting a DC in a remote branch office sometime in
the future.

Generally you want a DC in that location if you can afford it based on
considerations like these:

1) Access to (domain) resources is local to that site

2) Your BUSINESS cannot "afford" to have that access interrupted

Any real positives or negitives eitherway from what I have discribed our
network topology to be?

I never formed a real strong picture of your network topology but will
be happy to help if you give me that.

Generally every SIGNIFICANT (you must decide based on #1 and #2 above)
LOCATION needs to a Separate AD "SITE" and it needs a DC (or more).

In general, the EXTERNAL and INTERNAL DNS should be run as separately
as feasible, and in most all cases the External DNS (for resolving your
resources
by people out on the Internet) should be (re)placed back at the REGISTRAR,
and not run by you.