DNS forwarding

Discussion in 'DNS Server' started by Elías Manchón, Apr 1, 2008.

  1. Hello Folks!!

    I have 2 DCs on my domain, and these DCs have DNS forwarding enabled to my
    telecommunication provider. Now I have implemented a DMZ with two firewalls.
    I need to know if I must set up a DNS server in my DMZ with these forwarders
    and have my DCs point at it.

    Is this the solution?

    Thanks.
     
    Elías Manchón, Apr 1, 2008
    #1

  2. No need to do that.
    Just allow the outbound DNS requests on the firewall (or you might allow Any
    outbound). The firewall permits the inbound reply.
    Anthony,
    http://www.airdesk.co.uk
     
    Anthony [MVP], Apr 1, 2008
    #2

  3. This is dangerous. You are allowing traffic from LAN clients to the
    Internet, crossing the DMZ directly.

    Greetings!!
     
    Elías Manchón, Apr 1, 2008
    #3
  4. Read inline please.

    The solution to what?
    Are you having a problem?
    You can set up a DNS server in your DMZ and use it as a caching-only DNS
    server; the DNS server in your DMZ must be able to access any IP on the
    internet on ports 53 UDP and TCP. Then you can use it as a Forwarder with
    "Do not use recursion for this domain" enabled. This setting forces your
    internal DNS servers to wait for the forwarder to return an answer. If you
    don't check this box, then you have to allow your internal DNS access to all
    IPs on the DNS ports, because when the forwarder timeout expires, DNS will
    begin using its root hints to resolve names.


    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps

    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    http://message.wftx.us/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Apr 1, 2008
    #4
  5. Ok Kevin, I have done something like that. But I have a doubt; when you say:

    "Then you can use it for a Forwarder with "Do not use recursion for this
    domain"".

    Where must I mark this box? On the forwarders of my DNS in the DMZ, or on
    the forwarders of the 2 internal DNS that point to the first?

    Greetings
     
    Elías Manchón, Apr 1, 2008
    #5
  6. Anthony [MVP], Apr 1, 2008
    #6
  7. The outbound DNS is not dangerous, but in the near future I will decide to
    publish my DNS server ... The best practice dictates that the DMZ DNS box be
    completely separate from internal DNS. This box should have root hints on it
    or forwarders set up for non-authoritative name resolution.

    Greetings!!
     
    Elías Manchón, Apr 1, 2008
    #7
  8. Read inline please.

    On the Forwarder on your internal DNS.



     
    Kevin D. Goodknecht Sr. [MVP], Apr 1, 2008
    #8
  9. OK, that's a completely different question.
    If you are really sure that you need to provide a name server on the
    internet (instead of just asking the registrar to handle it), then:
    - set it up with only the zones it is authoritative for
    - disable recursion so it does not attempt to resolve anything else if
    queried
    - no need to connect your LAN clients (DCs) to it at all. They can just use
    the ISP forwarders or root hints as before
    - if you really wanted, you could set up secondaries or conditional
    forwarders or stub zones on the internal DNS for the zones you are
    authoritative for.
    Anthony,
    http://www.airdesk.co.uk
     
    Anthony [MVP], Apr 1, 2008
    #9
  10. The forwarder on the DMZ is configured on a server that has the following
    software installed:

    Microsoft Windows 2003 Server
    Microsoft ISA server 2006.

    There are no problems with this configuration, really?

    Greetings!!
     
    Elías Manchón, Apr 1, 2008
    #10
  11. Thanks Anthony, I will take it into account.

     
    Elías Manchón, Apr 1, 2008
    #11
  12. Read inline please.

    You are jumping around here. All internal clients must use internal DNS,
    usually the DC.
    If ISA is in Proxy mode, it becomes a DNS proxy and should be used as the
    forwarder.
    For DNS on the DCs, on the Forwarders tab of DNS Properties in the DNS
    Management console, set the forwarder to the ISA IP, then check the "Do not
    use recursion for this domain" check box for this forwarder.

    If ISA is in firewall mode, set a rule to allow the DNS on the DCs access to
    an external DNS as a forwarder. Then use that DNS on the DCs as a forwarder,
    but still check the box I mentioned. If you don't check the box, the DCs
    will need access to all IPs on the internet on port 53 UDP and TCP.

    If I remember correctly ISA has two modes, firewall and proxy; configure your
    settings accordingly. That is about all I can tell you on configuring ISA;
    further configuration questions should be posted in the ISA group.

     
    Kevin D. Goodknecht Sr. [MVP], Apr 1, 2008
    #12
  13. Hi Kevin,

    My ISA Server is in proxy mode. I think that I don't need to do anything on
    ISA Server, really?

    Thanks.
     
    Elías Manchón, Apr 2, 2008
    #13
  14. I have tested. If I check "Do not use recursion for this domain" on the
    forwarders of the internal DNS, the tracert command does not work on LAN
    clients.
     
    Elías Manchón, Apr 2, 2008
    #14
  15. Read inline please.

    Are you saying that if you check this box you don't get external resolution?
    If that is the case, your forwarder isn't answering and DNS is failing over
    to its Root Hints. What servers do you have for your forwarder?



     
    Kevin D. Goodknecht Sr. [MVP], Apr 2, 2008
    #15
  16. I have two DCs on the internal LAN; both of them have the forwarders
    configured with the same IP address, which belongs to the server in the DMZ.
    In turn, this server in the DMZ has two forwarders configured; these
    forwarders are the DNS of my telco providers.

    All servers are Windows 2003 Server Standard Edition.

    Best Regards.
     
    Elías Manchón, Apr 2, 2008
    #16
  17. Read inline please.

    Sounds fine with me, and as long as it is working, there is no problem with
    the way you are doing it.



     
    Kevin D. Goodknecht Sr. [MVP], Apr 2, 2008
    #17
  18. Yes, but if I check "Do not use recursion for this domain" on the
    forwarders of the internal DNS, resolution of external domains does not work.

    Best regards
     
    Elías Manchón, Apr 3, 2008
    #18
  19. Read inline please.

    I asked you this question two posts back and you went off on a tangent.
    If this is the case, the Forwarder is your problem; make sure your forwarder
    is able to resolve the internet, and that you have the correct ports open to
    the forwarder.

    Use this command on your DCs:
    nslookup -d2 www.microsoft.com. forwarderIP

    Please post the entire results.

    Do not forget the trailing . after www.microsoft.com.; it shortens the
    results by not appending your suffixes.




     
    Kevin D. Goodknecht Sr. [MVP], Apr 3, 2008
    #19
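    The check Kevin asks for with nslookup, and the forwarder behaviour he
    described in post #4 (the internal DNS waits for the forwarder and, without
    the "Do not use recursion for this domain" box, falls back to root hints),
    can be reproduced at the wire level. The script below is an added example
    written for this thread, not code from any of the posters: it builds the
    recursive (RD=1) query an internal DNS sends to its forwarder, decodes the
    reply header, and reports which of the outcomes discussed here applies (a
    healthy forwarder answers with RA=1; a truncated reply has to be retried
    over TCP 53, which is why both 53/udp and 53/tcp must be open to the
    forwarder; RA=0 means the forwarder is not recursing). The forwarder address
    192.0.2.53 and the `sample_reply` bytes are constructed placeholders so the
    parsing runs offline; `check_forwarder` does a live query when given a real
    forwarder IP. `recursion_disabled` covers the opposite expectation from
    Anthony's post #9, an authoritative-only DMZ server that should not recurse.

    ```python
    import random
    import socket
    import struct

    DNS_PORT = 53  # the forwarder must be reachable on 53/udp and 53/tcp


    def encode_name(name):
        """Wire-format a dotted name; a trailing dot is accepted and ignored."""
        labels = [l for l in name.rstrip(".").split(".") if l]
        return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


    def build_query(name, qtype=1, txid=None):
        """Recursive (RD=1) A query, the kind an internal DNS sends to a forwarder."""
        if txid is None:
            txid = random.randint(0, 0xFFFF)
        header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
        return header + encode_name(name) + struct.pack("!HH", qtype, 1)


    def parse_header(data):
        """Decode the 12-byte header; the flag bits are what the diagnosis hinges on."""
        txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
        return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
                "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
                "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
                "nscount": ns, "arcount": ar}


    def assess_reply(hdr, expected_id):
        """Map a forwarder's reply header onto the outcomes the thread discusses."""
        if hdr["id"] != expected_id or not hdr["qr"]:
            return "not a reply to our query"
        if hdr["tc"]:
            return "truncated: retry over TCP 53 (allow TCP as well as UDP to the forwarder)"
        if not hdr["ra"]:
            return "forwarder does not offer recursion: internal DNS would fall back to root hints"
        if hdr["rcode"] != 0:
            return "forwarder answered with RCODE %d" % hdr["rcode"]
        if hdr["ancount"] == 0:
            return "reply carries no answer records"
        return "ok: forwarder resolved the name recursively"


    def recursion_disabled(hdr):
        """For an authoritative-only DMZ server: RA clear, or the query REFUSED (RCODE 5)."""
        return hdr["qr"] and (not hdr["ra"] or hdr["rcode"] == 5)


    def sample_reply(query, flags=0x8180, answer=True):
        """Constructed reply for offline use: echoes the question, optionally adds one A record."""
        an = 1 if answer else 0
        header = query[:2] + struct.pack("!HHHHH", flags, 1, an, 0, 0)
        rr = b""
        if answer:
            # name pointer to offset 12 (the question name), type A, class IN, TTL 300, 4-byte RDATA
            rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
        return header + query[12:] + rr


    def send_udp(ip, packet, timeout=3.0):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(packet, (ip, DNS_PORT))
            return s.recv(4096)


    def send_tcp(ip, packet, timeout=3.0):
        """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
        with socket.create_connection((ip, DNS_PORT), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(packet)) + packet)
            length = struct.unpack("!H", s.recv(2))[0]
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    break
                data += chunk
            return data


    def check_forwarder(ip, name="www.microsoft.com."):
        """Live check: UDP first, TCP on truncation; returns a verdict per transport."""
        query = build_query(name)
        txid = struct.unpack("!H", query[:2])[0]
        result = {}
        try:
            hdr = parse_header(send_udp(ip, query))
            result["udp"] = assess_reply(hdr, txid)
            if hdr["tc"]:
                result["tcp"] = assess_reply(parse_header(send_tcp(ip, query)), txid)
        except (socket.timeout, OSError) as exc:
            result["error"] = "no reply from %s on 53: %s" % (ip, exc)
        return result


    if __name__ == "__main__":
        import sys
        # 192.0.2.53 is a documentation-range placeholder; pass your forwarder's IP instead.
        print(check_forwarder(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"))
    ```

    Run it from a DC against the DMZ forwarder: an "ok" verdict on UDP with no
    "tcp" key means 53/udp is enough for that name, a "truncated" verdict on UDP
    followed by "ok" on TCP confirms both protocols are allowed, and an "error"
    entry with a timeout is the symptom that makes Windows DNS give up on the
    forwarder and, when the recursion box is not checked, go to its root hints.
    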
  20. I think that the problem is the firewall ports. I have disabled the first
    firewall and checked "Do not use recursion for this domain", and it resolves
    the domain correctly. Do you know the ports that I have to open?

    The curious thing is that if I enable the firewall and uncheck "Do not use
    recursion for this domain", it works. I suppose that it uses other TCP
    ports.

    Very Thanks Kevin.
     
    Elías Manchón, Apr 3, 2008
    #20