Need help on setting up win2000 dns

[Yui]

Hi Herb,
Thank you for your reply. Please see my comments inline below:

You summary below is most confusing but guessing
based on questions that have been asked by others
it seems that you are perhaps trying to use the same
DNS server for both INTERNAL DNS server and
EXTERNAL DNS.

While it may be (with much difficulty) possible to
do this with MS, or even readily doable with BIND
this is NOT a good architecture and seldom gives
reliable and secure results.

Sorry for the confusion, but YES, I am trying to use the same DNS
server for both Internal DNS server and External DNS. I know it would
be difficult to try to set it up with MS, but could you please give me
any extra information how to realize this setting, if anything
available?

External(Outside): Firewall

[External<->DMZ - NAT (60.x.x.x <-> 10.x.x.x)

DMZ: DNS with private IP (10.x.x.x)
- Service - Only DNS
- NIC x 1
- DNS Zone File, etc., -> Global IPs
[External<->Trusted - NAT (60.x.x.x <-> 192.x.x.x]

If you aren't trying what I guessed the the NAT (probably)
has nothing to do with your DNS -- certainly for internal
use only.

Are you saying you have the Primary for the Zone on the DC,
and the Secondary for the zone supporting AD on another
box?

As far as AD structure is concerned, yes.

What doesn't work?

As I mentioned above, I am trying to use the same DNS server for both
Internal DNS server and External DNS. The DNS server works fine as an
Internal DNS server, however does not work as an External DNS server.
I can not reach the DNS server from the outside.

What you are trying to accomplish?

Again, I am tring to setup the same DNS server for both Internal DNS
and External DNS.

Please advise,

 

[Kevin D. Goodknecht Sr. [MVP]]

In

Again, I am tring to setup the same DNS server for both
Internal DNS and External DNS.

Sorry you can't use the same MS DNS server for Public and Private domains of
the same name. You will have to split this into two different DNS servers.
One with a public zone publishing only public records, one with the private
zone publishing private records for the internal machines.
BIND is supposed to be capable of this.

 

[Herb Martin]

In

Sorry you can't use the same MS DNS server for Public and Private domains of
the same name. You will have to split this into two different DNS servers.

I agree with Kevin, but allow me to clafify: You CAN do it,
but it is a bad idea and always going to be a security risk from
at least two issues.

One with a public zone publishing only public records, one with the private
zone publishing private records for the internal machines.
BIND is supposed to be capable of this.

Yes it is but....

BIND will allow different VIEWS for different clients
(based on filter lists) but that is NOT a sufficient reason
for eschewing the advantages of MS DNS internally.

I recommend, and am pretty sure Kevin agrees, you put you
PUBLIC DNS back at the Registrar (or ISP if you must.)

You're not even following the business rules of the registration
process unless you have TWO or more DNS servers for the
public resolution.

Registrars like Godaddy.com and Register.com are perfectly
willing to provide this service and you likely already paid
for it.