Standalone DNS Question

Thread starter: DavidM

DavidM

I need to set up a standalone DNS server for our customers and internal
users to augment our current DNS environment.

This is what we have today:

1) We have a W2K network using AD and DNS. All our internal users use this
DNS for name resolution and for accessing the Internet. There is a forward
lookup on the AD DNS to our ISP (ATT DNS in this case) to resolve Internet
names. All our servers and clients are on multiple private 10net addresses.

2) We have about 50 customers (with many users per customer) that currently
access our production servers over their private frame circuit into us.
Today they access all our servers using a private 10net IP address.

All customers have their own network. Some are more sophisticated than
others and have their own direct Internet connection. Some only have
dialup. Others have nothing and do not use DNS at all.

3) I'm creating a few web servers that our customers and internal users will
need to access. I do not want to modify our AD DNS to include DNS records
for any of our production servers. I do not want our customers to add host
records or anything related to our private IP address into their DNS server
(if they have one) . In fact, I do not want our customers hosting any
secondary DNS or managing anything on their end.

What I would like to do is create a standalone DNS server that has a brand
new private domain for this purpose. For example, mycompany.fubar. There
is no reason for this server to perform any TLD or secondary-domain lookups.

In this case, I created a Forward lookup Zone and a Reverse lookup Zone for
this new domain. I added whatever "www" and other host records to point to
our various production servers. On this new DNS server, I changed its
TCP/IP DNS setting to point to itself.

If I bring up IE I can successfully access all our web applications/servers
using the new domain mycompany.fubar. Life is good.

Now comes the hard part --

1) I want our internal users to have access to this new domain...
mycompany.fubar. I simply want a way for our AD DNS server to look at this
new DNS server for anything it can't resolve.

2) I want all our customers to have access to this new domain...
mycompany.fubar. I do not want them to create a secondary zone or anything
of that nature on their network, as I want to keep everything manageable on
our network and all resource records hidden from them.

If customers have a DNS server, I want them to have a way to go look at my DNS
server for anything it can't resolve.

If customers do not have DNS implemented in their environment, I want them
to add my DNS server's IP address to their TCP/IP settings on their client
PCs.

I do not want this new standalone server to resolve any other DNS queries
for our customers. I.E., if they browse the Internet, then they have to
have their own DNS server setup to resolve this. I do not want the extra
traffic.

If someone can explain to me the best way to accomplish this -- I would
greatly appreciate it.

Thanks for all your help
 
DavidM said:
I need to set up a standalone DNS server for our customers and internal
users to augment our current DNS environment.

This is what we have today:

1) We have a W2K network using AD and DNS. All our internal users use this
DNS for name resolution and for accessing the Internet. There is a forward
lookup on the AD DNS to our ISP (ATT DNS in this case) to resolve Internet
names. All our servers and clients are on multiple private 10net addresses.

2) We have about 50 customers (with many users per customer) that currently
access our production servers over their private frame circuit into us.
Today they access all our servers using a private 10net IP address.

All customers have their own network. Some are more sophisticated than
others and have their own direct Internet connection. Some only have
dialup. Others have nothing and do not use DNS at all.

This will not work for such customers by default.
(Individual customers may be ABLE to make it work
for themselves however that will depend on the DNS
software they use and their skills.)

Those that already use a full namespace from a common
root down (e.g., THE INTERNET) will only be able to
find your DNS server by DEFAULT if you delegate it
from parent on the Internet (Com. -> yourDomain.Com)

3) I'm creating a few web servers that our customers and internal users will
need to access. I do not want to modify our AD DNS to include DNS records
for any of our production servers. I do not want our customers to add host
records or anything related to our private IP address into their DNS server
(if they have one) . In fact, I do not want our customers hosting any
secondary DNS or managing anything on their end.

To be seamless your DNS will need to be delegated on
the Internet from the parent zone -- then it will only work
for those using the Internet name space.

And since you don't appear to wish to use a public domain
name, you won't be able to do this.

For others you can setup privately but those customers
will have to forward to your server and this will only
work if they are not already using their forwarding value
internally -- OR if they have a DNS server like Win2003
(not Win2000) that allows for conditional forwarding.

In any case, such customers (not on the Internet) will
have to modify their DNS servers.

What I would like to do is create a standalone DNS server that has a brand
new private domain for this purpose. For example, mycompany.fubar. There
is no reason for this server to perform any TLD or secondary-domain lookups.

In this case, I created a Forward lookup Zone and a Reverse lookup Zone for
this new domain. I added whatever "www" and other host records to point to
our various production servers. On this new DNS server, I changed its
TCP/IP DNS setting to point to itself.

If I bring up IE I can successfully access all our web applications/servers
using the new domain mycompany.fubar. Life is good.

Now comes the hard part --

1) I want our internal users to have access to this new domain...
mycompany.fubar. I simply want a way for our AD DNS server to look at this
new DNS server for anything it can't resolve.

2) I want all our customers to have access to this new domain...
mycompany.fubar. I do not want them to create a secondary zone or anything
of that nature on their network, as I want to keep everything manageable on
our network and all resource records hidden from them.

If customers have a DNS server, I want them to have a way to go look at my DNS
server for anything it can't resolve.

If customers do not have DNS implemented in their environment, I want them
to add my DNS server's IP address to their TCP/IP settings on their client
PCs.

I do not want this new standalone server to resolve any other DNS queries
for our customers. I.E., if they browse the Internet, then they have to
have their own DNS server setup to resolve this. I do not want the extra
traffic.

If someone can explain to me the best way to accomplish this -- I would
greatly appreciate it.

DNS on the Internet works because every zone/domain
is findable by recursing downwards from the root to any
name in that namespace.

It is very difficult to search more than one such namespace
(except with something akin to conditional forwarding which
for Microsoft only exists in Win2003 and NOT Win2000 DNS
servers.)

Your clients will have to take specific DNS actions in most
cases.

Thanks for all your help
 
I currently have a mycompany.net domain registered on the internet. My ATT
DNS entry points to our internal 10net webserver. This way folks on
Internet can resolve name to our internal server without adding HOSTS
entries, etc.

From what you're saying, it sounds like I need to delegate my mycompany.net
domain to my DNS server (10.246.16.43) in this case. And then configure my
internal DNS server for this domain, correct?

Herb Martin said:
This will not work for such customers by default.
(Individual customers may be ABLE to make it work
for themselves however that will depend on the DNS
software they use and their skills.)

Those that already use a full namespace from a common
root down (e.g., THE INTERNET) will only be able to
find your DNS server by DEFAULT if you delegate it
from parent on the Internet (Com. -> yourDomain.Com)

To be seamless your DNS will need to be delegated on
the Internet from the parent zone -- then it will only work
for those using the Internet name space.

And since you don't appear to wish to use a public domain
name, you won't be able to do this.

For others you can setup privately but those customers
will have to forward to your server and this will only
work if they are not already using their forwarding value
internally -- OR if they have a DNS server like Win2003
(not Win2000) that allows for conditional forwarding.

In any case, such customers (not on the Internet) will
have to modify their DNS servers.

DNS on the Internet works because every zone/domain
is findable by recursing downwards from the root to any
name in that namespace.

It is very difficult to search more than one such namespace
(except with something akin to conditional forwarding which
for Microsoft only exists in Win2003 and NOT Win2000 DNS
servers.)

Your clients will have to take specific DNS actions in most
cases.
 
DavidM said:
I currently have a mycompany.net domain registered on the internet. My ATT
DNS entry points to our internal 10net webserver. This way folks on
Internet can resolve name to our internal server without adding HOSTS
entries, etc.

From what you're saying, it sounds like I need to delegate my mycompany.net
domain to my DNS server (10.246.16.43) in this case.

Not on the Internet. No Internet user will ever be expected
to reach that 10.246.16.43 DNS server since the address is
not routable on the Internet.

This would just screw with your public DNS. You also
cannot have two DNS servers (or sets) that are reachable
the same way (e.g., recursing the Internet) and which return
DIFFERENT answers.

All DNS servers used by a particular client (or other
recursing DNS server) must return the SAME ANSWERS.

You can only return different answers (effectively) if there
is some way to distinguish which ones the clients will use.

And then configure my
internal DNS server for this domain, correct?

I doubt it -- based on the previous question.

It is likely you have some basic misunderstandings of
how DNS is resolved and this is leading you to (attempt
to) design unworkable structures that will neither perform
for what you have nor give you the new results.

You can give me a call if you wish and we can talk through
this -- the numbers are on my web site: LearnQuick.Com
 
Thanks for the quick response, Herb. I'll do more investigation before
calling, if it becomes necessary.

It doesn't matter to me if normal Internet users cannot connect to the 10net
address or if it's routable. I don't expect/want them to get to
mycompany.net anyway. But my customers can connect since they have the
frame circuit.

I'm just trying to make accessing our internal production servers simple for
our customers and minimize any configuration that they will have to do;
since I can't expect them to keep up with all the changes we make to our
servers and ip addresses, etc.
 
DavidM said:
Thanks for the quick response, Herb. I'll do more investigation before
calling, if it becomes necessary.

It doesn't matter to me if normal Internet users cannot connect to the 10net
address or if it's routable. I don't expect/want them to get to
mycompany.net anyway.

Ok, then that MIGHT be different. So what you would
really do is just alter THOSE EXISTING DNS servers
to return the correct addresses.

But my customers can connect since they have the
frame circuit.

I'm just trying to make accessing our internal production servers simple for
our customers and minimize any configuration that they will have to do;
since I can't expect them to keep up with all the changes we make to our
servers and ip addresses, etc.
 
Herb -- this is what I've done and it appears to be working.

My ISP (ATT in this case) has delegated a few subdomains on their DNS server
to point to my internal DNS server of 10.246.16.43. For example:

mydomain.net is on ATT DNS (which mydomain.net is a registered domain name)

They delegated
subdomain1.mydomain.net
subdomain2.mydomain.net
subdomain3.mydomain.net

They then added a "clue" record "A" record for ns1.mydomain.net and
ns2.mydomain.net to point to 10.246.16.43.

I then created a forward lookup zone for subdomain1.mydomain.net,
subdomain2.mydomain.net, and subdomain3.mydomain.net along with any required
host entries that I want under that subdomain.

So far -- everything appears to be working. I'm using my DNS server to
resolve the production servers on my name. We did not point any of our
internal servers to this new DNS server. It's querying thru Internet land.

The next step is to have my customers that have an internet connection try
the new URLs.

For any customers that do not have an Internet connection or a DNS server,
then I will have them add my primary/secondary DNS server on my internal
network to their TCP/IP settings.

This looks like it's going to work fine.

I just now have to remember to renew my mycompany.net domain for 5 or 10
years before I forget and someone scarfs it up and then all my customers
will be getting a porn site as their home page instead of the home page on
my production servers.

I hope all this makes sense. It was a bit confusing for me.
 
DavidM said:
Herb -- this is what I've done and it appears to be working.

My ISP (ATT in this case) has delegated a few subdomains on their DNS server
to point to my internal DNS server of 10.246.16.43. For example:

mydomain.net is on ATT DNS (which mydomain.net is a registered domain name)

They delegated
subdomain1.mydomain.net
subdomain2.mydomain.net
subdomain3.mydomain.net

Ok, and no one can reach that DNS UNLESS they can
route directly to you or through a shared ISP who will
support the 10-net. That is, it won't route across the
backbone routers of the Internet.

They then added a "clue" record "A" record for ns1.mydomain.net and
ns2.mydomain.net to point to 10.246.16.43.

Huh? Clue? That's probably GLUE record. An NS and A
record pair are usually referred to as Glue Records (or Delegation
records) when delegating -- the A is not always needed in some
special cases.

I then created a forward lookup zone for subdomain1.mydomain.net,
subdomain2.mydomain.net, and subdomain3.mydomain.net along with any required
host entries that I want under that subdomain.

Ok. Anyone who can reach BOTH your ISP and your
10-net DNS server can resolve those addresses.

So far -- everything appears to be working. I'm using my DNS server to
resolve the production servers on my name. We did not point any of our
internal servers to this new DNS server. It's querying thru Internet land.

Ok.

The next step is to have my customers that have an internet connection try
the new URLs.

And they will fail UNLESS they can already route
to your 10-net, but likely succeed if they can.
(Which is what I think you want.)

For any customers that do not have an Internet connection or a DNS server,
then I will have them add my primary/secondary DNS server on my internal
network to their TCP/IP settings.

What if they have their own DNS servers?
(Use forwarding in SOME cases but...)

If they don't use the Internet, have their own DNS,
AND already use the forwarder setting (not that common
but it does occur) then this won't work.

This looks like it's going to work fine.

I just now have to remember to renew my mycompany.net domain for 5 or 10
years before I forget and someone scarfs it up and then all my customers
will be getting a porn site as their home page instead of the home page on
my production servers.

Most of the registrars send you notices.

DavidM said:
I hope all this makes sense. It was a bit confusing for me.

You were mostly confusing your question with HOW you
were going to do it, rather than what you really wanted to
accomplish at first.
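As an added illustration (not code from the thread or from either poster), the toy resolver below models the two points Herb keeps returning to: a name is only findable by walking down from the root if every parent delegates it (an NS plus a glue A record), so the original standalone mycompany.fubar zone is invisible to anyone who has not been told about it through a (conditional) forwarder; and a delegation whose glue points at 10.246.16.43 resolves only for clients who can route to 10/8, such as the customers on the frame circuit, and fails for ordinary Internet users. The zone data is a simplified model, and every server name and address apart from the thread's 10.246.16.43 is a constructed sample value.

```python
"""Toy iterative DNS resolution over a constructed delegation tree (added example)."""
import ipaddress

# Private address space that Internet backbone routers will not carry (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed zone data: for each zone, the children it delegates (child -> nameserver),
# the glue A records it serves for those nameservers, and its own A records.
ZONES = {
    ".": {"delegations": {"net.": "ns.tld.example."},
          "glue": {"ns.tld.example.": "192.0.2.1"}, "records": {}},
    "net.": {"delegations": {"mydomain.net.": "dns.isp.example."},
             "glue": {"dns.isp.example.": "192.0.2.53"}, "records": {}},
    # The ISP-hosted zone: a public www record plus a subdomain delegated to
    # the internal server, with glue pointing at the 10-net address from the thread.
    "mydomain.net.": {"delegations": {"subdomain1.mydomain.net.": "ns1.mydomain.net."},
                      "glue": {"ns1.mydomain.net.": "10.246.16.43"},
                      "records": {"www.mydomain.net.": "192.0.2.80"}},
    "subdomain1.mydomain.net.": {"delegations": {}, "glue": {},
                                 "records": {"www.subdomain1.mydomain.net.": "10.246.16.80"}},
    # The original standalone design: the zone exists on the internal server, but no
    # parent delegates it, so it is a disjoint namespace nobody can find from the root.
    "mycompany.fubar.": {"delegations": {}, "glue": {},
                         "records": {"www.mycompany.fubar.": "10.246.16.81"}},
}
ROOT_SERVER = "192.0.2.254"  # constructed root server address


def fqdn(name):
    return name if name.endswith(".") else name + "."


def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def internet_reachable(ip):
    """A client on the public Internet cannot route to RFC 1918 space."""
    return not any(ipaddress.ip_address(ip) in net for net in RFC1918)


def frame_reachable(ip):
    """A customer on the private frame circuit (or an internal user) reaches everything."""
    return True


def resolve(name, reachable=frame_reachable):
    """Iterate from the root, following delegations and glue.

    Returns (address_or_None, path); the path records each hop so the failure
    mode (no delegation vs. unreachable nameserver) is visible to the reader.
    """
    name, zone, server, path = fqdn(name), ".", ROOT_SERVER, []
    while True:
        if not reachable(server):
            path.append(f"server {server} for {zone} unreachable from this client")
            return None, path
        z = ZONES[zone]
        if name in z["records"]:
            path.append(f"{zone} answers {name} = {z['records'][name]}")
            return z["records"][name], path
        child = next((c for c in z["delegations"] if in_zone(name, c)), None)
        if child is None:
            path.append(f"{zone} knows no delegation covering {name} (NXDOMAIN)")
            return None, path
        ns = z["delegations"][child]
        server = z["glue"][ns]
        path.append(f"{zone} delegates {child} to {ns} (glue {server})")
        zone = child


def resolve_with_forwarders(name, forwarders, reachable=frame_reachable):
    """Conditional forwarding: names under a configured zone go straight to the
    server hosting it instead of to the root (the Win2003 feature Herb mentions;
    Win2000 offers only a single global forwarder)."""
    name = fqdn(name)
    for zone, server in forwarders.items():
        if in_zone(name, zone):
            if not reachable(server):
                return None, [f"forwarder {server} unreachable"]
            addr = ZONES[zone]["records"].get(name)
            return addr, [f"forwarded {name} to {server} hosting {zone}: {addr}"]
    return resolve(name, reachable)


if __name__ == "__main__":
    for n, r in [("www.subdomain1.mydomain.net", frame_reachable),
                 ("www.subdomain1.mydomain.net", internet_reachable),
                 ("www.mycompany.fubar", frame_reachable)]:
        addr, path = resolve(n, r)
        print(f"{n} via {r.__name__} -> {addr}\n   " + "\n   ".join(path))
    addr, _ = resolve_with_forwarders("www.mycompany.fubar", {"mycompany.fubar.": "10.246.16.43"})
    print("www.mycompany.fubar with conditional forwarder ->", addr)
```

Running it shows the delegated subdomain resolving for a frame-circuit client and stopping at the unreachable 10-net glue for an Internet client, while the undelegated mycompany.fubar name dies at the root unless the client's resolver has a conditional forwarder for that zone, which is exactly the per-customer configuration the thread is trying to avoid.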
 