Public Namespace and Private Network

[dm4714]

I registered a domain called mycompany.com.

I have a number of internal customers that need to access my internal
website. Each customer has a circuit into our business for direct access.

I have set up a DNS server for mycompany.com and created a primary zone. I
have placed a few A records to point to various servers that we have.

Since most of our customers have Internet access already, they can use the
public namespace to resolve the DNS names to private IP addresses that they
can access through their internal network to us.

Testing would seem to indicate this works.

I will also have a secondary server on our internal network for customers
without Internet access to point to.

My question is this.... does anyone see anything wrong with the scenario?
I mean, my network and my customers networks are their responsibility. I
cannot expect them to install DNS servers, secondary zones, or anything of
the like on their side. I'm trying to make this a seamless transition for
them with respect to accessing our servers.

Yes, they could use HOSTS files, but that defeats the purpose as there are
hundreds of clients at each of our customers. Some customers may have their
own DNS that forwards to their ISP. Others may not have Internet access at
all which is why I wish to have an internal secondary that they can point
use to resolve resouces within my zone.

Are there any security issues that I need to be concerned with?

I realize someone could possibly see www.mycompany.com points to a server on
the 192.168.33.x network. But this should not be a problem as this is
non-routable through Internet.

Opinions?

 

[Herb Martin]

I registered a domain called mycompany.com.

I have a number of internal customers that need to access my internal
website. Each customer has a circuit into our business for direct access.

Didn't we just go through this a couple of days ago?

I have set up a DNS server for mycompany.com and created a primary zone. I
have placed a few A records to point to various servers that we have.

Since most of our customers have Internet access already, they can use the
public namespace to resolve the DNS names to private IP addresses that they
can access through their internal network to us.

Ok, so mycompany.com is publicly delegated from
Com to a DNS server that every customer can reach?

Ok, as long as their routing is correct this much works.

Testing would seem to indicate this works.

Makes sense.

I will also have a secondary server on our internal network for customers
without Internet access to point to.

Ok, that it is a seconcary is irrelevant to them (only
meaningful to you.)

(You probably should disable recursion on this
DNS server -- if it doesn't have the answer you
don't want it going to the Internet since they don't
"do Internet". And this should be the FULL Disable
Recursion in the Advanced tab which really means
don't process recursive queries and therefore don't
Recure and DON'T EVEN forward. This DNS server
isn't going to work for your users that NEED
Internet resolution now.)

My question is this.... does anyone see anything wrong with the scenario?

So you will instruct them to use YOUR DNS server
for their OWN CLIENTS and they will be unable to
use their own DNS?

Or if they have only one zone they will and their clients
use their own DNS server, will you have them forward
to you?

Should work.

What about clients who have multiple zone-trees, but no
Internet access?

They will have to include you into whatever scheme they
currenty use to hook the trees together, either holding a
secondary for your zone (you must allow this) or some
substitute OR by delegating from their internal root
down to your DNS server that they may use.

I mean, my network and my customers networks are their responsibility. I
cannot expect them to install DNS servers, secondary zones, or anything of
the like on their side. I'm trying to make this a seamless transition for
them with respect to accessing our servers.

You are expecting that they will have IP and have no
DNS servers of their own?

That is an unlikely assumption on a network with routers,
but possible.

And they are going to have to change every one of their
clients to use your DNS server (which shouldn't be a big
deal if they have no DNS server.)

Yes, they could use HOSTS files, but that defeats the purpose as there are
hundreds of clients at each of our customers. Some customers may have their
own DNS that forwards to their ISP. Others may not have Internet access at
all which is why I wish to have an internal secondary that they can point
use to resolve resouces within my zone.

Are there any security issues that I need to be concerned with?

It's not really a security issue since presumably your
network is already open to them for something more
sensitive than your DNS names....

I realize someone could possibly see www.mycompany.com points to a server on
the 192.168.33.x network. But this should not be a problem as this is
non-routable through Internet.

Correct. If I see this (from outside) and cannot route to it
(I cannot from here) then I will at best waste my time
trying.

Opinions?

It's pretty goofy (seriously it has a flaky feel, to someone
who has spent a long time consulting and designing solution)
but it CAN work.

If it meets your needs -- your biggest problem will likely
be those people who say they have no Internet access and
then next week put one into their system.

Then they won't be able to figure out why their clients
pointed at you no longer work -- OR they will point
them to themselves and break access to you...or...

Worst of all, they will put BOTH sets of DNS servers
on the client and get RANDOM results that work one
day for one client and not for another, and change the
next day.

 

[dm4714]

Thanks for your response, Herb. See below

On other comment - currently today, all my customers access my servers using
IP address. Trying to implement DNS seems like it is going to be more
demanding that just handing them a static IP and hoping you never try to
consolidate or move servers around.

My customers network is a closed environment - other than them having the
ability to access servers on my network and possibly the Internet using
their ISP.

My network is a closed environment and we have the ability to access the
Internet.

I've learned a lot about DNS in the past week, but I'm almost regretting
that I recommended that we use this for our internal name resolution between
our customers. Me and my big mouth!

I should have said... D-N-S what?

Didn't we just go through this a couple of days ago?


Ok, so mycompany.com is publicly delegated from
Com to a DNS server that every customer can reach?

Yes. Originally, my plan was to have a DNS server on the inside of the
private network. The only problem with this was that some customers
forwarded their Internet access to their ISP -- which would never be able to
perform an iterative lookup to our private server after querying root, gTLD
server. It would fail trying to connect to mycompany.com DNS server.

Ok, as long as their routing is correct this much works.


Makes sense.


Ok, that it is a seconcary is irrelevant to them (only
meaningful to you.)

(You probably should disable recursion on this
DNS server -- if it doesn't have the answer you
don't want it going to the Internet since they don't
"do Internet". And this should be the FULL Disable
Recursion in the Advanced tab which really means
don't process recursive queries and therefore don't
Recure and DON'T EVEN forward. This DNS server
isn't going to work for your users that NEED
Internet resolution now.)

Yes, on my internal DNS server, I have disabled recursion. This way, if
they do not have Internet access and key in microsoft.com, my DNS server
will not try and resolve the name for them. It will only look for names
that are within my server's zone files.

So you will instruct them to use YOUR DNS server
for their OWN CLIENTS and they will be unable to
use their own DNS?

They will not use my internal DNS server unless they do not have have
dedicated internet access. If they do have a DNS without Internet access,
then my plan is for them to add a forward lookup to my server.

If their clients have to put DNS entires to my server, then they will only
have DNS lookup for my zone. Otherwise, if they already have DNS entries
for their internal server (without Internet access), they will have to add a
forward lookup to my internal server.

Or if they have only one zone they will and their clients
use their own DNS server, will you have them forward
to you?

This is what I would like to do. Do multiple zones on their server matter?

Should work.

What about clients who have multiple zone-trees, but no
Internet access?

They will have to include you into whatever scheme they
currenty use to hook the trees together, either holding a
secondary for your zone (you must allow this) or some
substitute OR by delegating from their internal root
down to your DNS server that they may use.

You've lost me here. I suppose some of them could have an AD DNS
configuration -- and it may cause me problems. I'm hoping they since my
name is publically registered, that they can simply add a forward looking to
my server (without recursion enable) or some sort of "conditional
forwarding" for my domain.

I really do not want to entertain the thought of my customers becoming
secondaries to my zones. This would require more maintenance for all
involved, in addition to publishing them a list of everything we have setup
on our DNS.

You are expecting that they will have IP and have no
DNS servers of their own?

I did not mention this, but all our customers have IP and they currently
talk to our networking with it.

That is an unlikely assumption on a network with routers,
but possible.

And they are going to have to change every one of their
clients to use your DNS server (which shouldn't be a big
deal if they have no DNS server.)
Agreed.




It's not really a security issue since presumably your
network is already open to them for something more
sensitive than your DNS names....


Correct. If I see this (from outside) and cannot route to it
(I cannot from here) then I will at best waste my time
trying.


It's pretty goofy (seriously it has a flaky feel, to someone
who has spent a long time consulting and designing solution)
but it CAN work.

These sorts of things for me, in my experience, never seem easy because of
the environment that I work in. Seems like some of the basic concepts in
books are overly simplified and real-world solutions are never truly given.
I mean, I wish I could just have to internet facing DNS servers and be done
with it. But unfortunately, all my customers do not have the same network
infrastructure and some are less sophisticated than others. Yes, some of
our customers only use dial-up for Internet access.

If it meets your needs -- your biggest problem will likely
be those people who say they have no Internet access and
then next week put one into their system.

Then they won't be able to figure out why their clients
pointed at you no longer work -- OR they will point
them to themselves and break access to you...or...

Worst of all, they will put BOTH sets of DNS servers
on the client and get RANDOM results that work one
day for one client and not for another, and change the
next day.

I would agree. This is a risk and this will have to be communicated to all
customers once DNS environment is implemented.

 

[Herb Martin]

They will not use my internal DNS server unless they do not have have

dedicated internet access. If they do have a DNS without Internet access,
then my plan is for them to add a forward lookup to my server.

Not everyone can use your as a forwarder even if they have
no Internet access (this might not affect your but it is certainly
possible) if they already use their forwarders internally OR
if they have their own "." root zone for resolving multiple
trees.

You might ignore these cases but you should do so consciously,
and not be shocked if it occurs.

This is what I would like to do. Do multiple zones on their server

matter?

NOT if they are all on (all of) their DNS servers or if
they have some scheme where the "forwarder setting"
is not already in use.

NOR if they have Win2003 (or another DNS server) which
offers conditional forwarding. (Were all of your customers
to run Win2003 DNS you really wouldn't have a problem.

But there is really nothing wrong with allowing them to define
and hold secondaries for your zone (coming off the server they
would use anyway.)

You've lost me here. I suppose some of them could have an AD DNS
configuration -- and it may cause me problems.

That's not the issue (and I covered it again above.)

The issue is if they have NO AVAILABLE forwarder setting
(because they use it for something else) OR if they have an
internal ROOT "." zone.

I'm hoping they since my
name is publically registered, that they can simply add a forward looking to
my server (without recursion enable) or some sort of "conditional
forwarding" for my domain.

Conditional forwarding doesn't exist in Win2000 and lower,
nor necessarily in all versions of other DNS servers. It is a
relatively new feature.

I really do not want to entertain the thought of my customers becoming
secondaries to my zones.
Why?

This would require more maintenance for all
involved, in addition to publishing them a list of everything we have setup
on our DNS.

No really. It is about as hard to set a forward, especially
a conditional forwarder, as it is to set a secondary.

This way if they switch to using the Internet, it doesn't
immediately screw them up.

And for those running Win2003 with a Stub zone capability
that will be another option.

I did not mention this, but all our customers have IP and they currently
talk to our networking with it.

But do you expect they (any of them) have IP but no DNS?

Agreed.

And the first time someone ADDS Internet access to one
or a 100 clients they will probably screw it up by putting
BOTH DNS (public AND you) in there. <grin>

Not your fault, but be prepared to help.

These sorts of things for me, in my experience, never seem easy because of
the environment that I work in. Seems like some of the basic concepts in
books are overly simplified and real-world solutions are never truly

given.

This is NOT a common situation -- they only reason that
I can comment on it accurately is that I know the 10-12
simple rules of DNS and can just run the resolution in my
head to see what will work and what won't.

All of the concepts I am giving you are based on COMMON
principles no matter how complicated the design.

Analogy:
26 letters in the English language -- 100,000 to a Million words, but
an infite number of books are possible.

I mean, I wish I could just have to internet facing DNS servers and be done
with it. But unfortunately, all my customers do not have the same network
infrastructure and some are less sophisticated than others. Yes, some of
our customers only use dial-up for Internet access.

Which is not the fault of DNS (or you) but it just part of
the burden your company CHOSE to assume to have these
customers (really.)

I would agree. This is a risk and this will have to be communicated to all
customers once DNS environment is implemented.

Mostly if I can prepare you for this you will recognize it
in the first 20 minutes instead of days or weeks later.

It won't help that much to "communicate it" (except as CYA)
because those that will do this will do it anyway.

You will have to CATCH it when they start complaining OR
teach their Admins (as I am trying to help you) to do so.