Nameserver scenario with advertisers and resolvers

Discussion in 'DNS Server' started by ACE-Joe, Aug 22, 2005.

  1. ACE-Joe

    ACE-Joe Guest

    Hi all,

    If I am going to setup a DMZ with two main DNS servers in a
    Primary/Secondary configuration, but also use 2 advertisers and 2 resolvers
    on separate servers, how do I setup the NS records and basic DNS
    configuration? I.E. I have 6 test domains registered. I want to setup the
    nameservers to point to the DNS servers in my DMZ. But do I setup
    nameservers for each of the servers including the advertisers/resolvers? Any
    general configuration tips or suggestions here? I'm not very familiar with
    this type of configuration.

    Thanks
    Joe
     
    ACE-Joe, Aug 22, 2005
    #1
    1. Advertisements

  2. In
    Still at it? :)

    Keep in mind, the advertiser is the machine that will be hosting your public
    records for your clients and the Internet. The nameserver records on these
    machines are these machines' nameserver FQDN and IP addresses, since they
    are the machines regstered as the nameservers for your external domain name
    when you registered them or changed them to. That's important. Keep in mind
    as well, they do not have any references to the internal domain whatsoever.
    If you put the internal domain data on them, it will 'lame' them. Your
    internal DNS have nothing to do with these guys. The only thing on the
    internal DNS is to create shadow copies of resources (www, ftp, etc) to
    either the external IPs or the internal private IPs, depending on where the
    webserver or ftp server, etc, are being hosted.

    The resolver will be the ones that are being used as a forwardee from the
    internal DNS servers. The resolver, as far as the public is concerned, do
    not exist to them. The nameserver records on them do not matter.

    Both will be sitting on your DMZ. The internal DNS will have forwarding set
    to the 'resolver' which in turn will resolve external names by forwarding to
    some external server.

    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services
    Infinite Diversities in Infinite Combinations.
    =================================
     
    Ace Fekay [MVP], Aug 23, 2005
    #2
    1. Advertisements

  3. ACE-Joe

    ACE-Joe Guest

    Ha ha, yeah I'm still at it. I understand the concept of this, but some
    details of actually implimenting it are a little fuzzy. For example, my boss
    wants to setup a Primary/Secondary set of servers that are hidden so to
    speak, with a copy of the zones for our public domains, no nameservers
    pointing to them, just available should we need them. I don't think
    personally this is good because it would still take a day to make the dns
    changes to bring them online should the advertisers come under attack, but he
    wants to go that route. Then I guess based on what your telling that I need
    to register the nameservers with my registrar pointing to the two
    advertisers. That makes sense to me. I think I understand how to set this
    all up, I just don't see the benefit of setting up a two server set of
    primary/secondary dns just for potential failover. And if I do, should I
    make the advertisers secondary servers to the primary/secondary set? Am I
    making any sense?

    Thanks
    Joe
     
    ACE-Joe, Aug 23, 2005
    #3
  4. ACE-Joe

    ACE-Joe Guest

    Let me try to clarify what my questions are exactly:

    1. When registering nameservers, I give my IP for both advertisers to the
    registrar and register nameservers like ns1.domain.com and ns2.domain.com.
    But what if I have multiple domains? I have 6 domains total that I need to
    host zones for, for my company. So do I register nameservers with the same
    IP and format for each domain?

    2. What do I need to do on the DNS server once I register the nameservers?
    I know there is a nameservers tab on the zone properties. Do I need to make
    sure the nameservers appear as they are registered at the registrar, or do I
    want the machine name . domain.com? Also, do I need to create host records
    called ns1.domain.com and ns2.domain.com on each server registered as a
    nameserver?

    3. In my case where my boss wants a primary and secondary server that are
    hidden that contain all the zones for all the domains we are hosting, and
    then wants two advertisers and two resolvers, should I make the advertisers
    secondary DNS servers of the primary server that is supposed to be hidden
    (just not registered as nameservers or appear on any domain nameserver list).
    What would be your recommendation for that type of scenario?

    I have the primary and secondary server up and running with copies of the
    zones already. I have the two resolvers setup configured as resolvers with
    the recommended configuration for advertisers. I am just not sure how to
    populate the zones, if I should create them manually, which would be a pain
    if we ever did switch over to the primary/secondary for any reason, unless we
    update records on both sets of servers any time there was a change. Or do I
    make the advertisers secondary to the primary and let the zones transfer from
    the master? But if I did that, and someone would attack the advertisers,
    wouldn't that tell them about the primary/secondary and defeat the purpose of
    having them?

    I could make the basic split DNS work no problem, but when my boss wants to
    throw in these two extra servers to be hidden, it throws my thinking off a
    little. I know this is overkill for a company of our size, and I'm not even
    sure if he is going to do this in production or not, but I have to test it
    and prove the design.

    Thanks so much for your help, I love these newsgroups!

    Thanks
    Joe
     
    ACE-Joe, Aug 23, 2005
    #4
  5. I'm having difficulty understanding what you are trying to achieve by having
    DNS servers for the public zones if they are not going to be authoritative
    for public namespace.

    I could understand this if you were going use them on the public record as
    authoritative for the public namespace, or even as hidden masters, for you
    current public servers. A hidden master is when the DNS servers on the
    public record have only a secondary copy of the zone data, but the master is
    not on the public record as authoritative and is therefore never queried by
    public resolvers for the domain resolution.




    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Aug 23, 2005
    #5
  6. ACE-Joe

    ACE-Joe Guest

    Thanks for the reply. I'm confused too thats why I'm on here asking :) I
    don't really understand the benefit of having this either. It doesn't make
    much sense to me and is definately overkill for a company our size, (about
    300). My boss doesn't want the primary/secondary servers to be seen by
    anyone, obviously they will have a public IP, but other than that, he doesn't
    want them listed anywhere for any domains or nameservers. I think his
    thinking is, if someone attacked our advertisers, we could make some DNS
    change and switch over to the hidden servers and maintain uptime, rather than
    be down due to attacks on the two advertisers. While this sounds nice, I
    don't see how it will help, especailly because it would take a while for DNS
    to propogate and by then we may the problem corrected anyway.

    I would be interested to hear more about hidden masters. I've never had
    to set that up before. Can you give me some of the configuration points that
    this would require. And how to set that up?

    Thanks
    Joe
     
    ACE-Joe, Aug 23, 2005
    #6
  7. I agree 100%, it is likely that if the public name servers were attacked,
    you could change the public record, but most assuredly by the time the TTL
    and the record propagated the public DNS would be back up.

    You would have to make one of your DNS servers the primary master, and
    someone would have to host secondary zones of your primary.
    I'll tell you how I do it, I have four DNS servers listed on the public
    record, two of mine and two that belong to my ISP. My DNS server has the
    master zone, and my ISP (SBC) hosts secondary zones, my ISP's DNS servers
    are on major internet backbones, so this give me the advantage of hosting my
    own DNS without giving up speed and bandwidth.
    I don't know who your ISP is, or if they will host a secondary zone for you,
    but they can't shoot you for asking, you would just ask them to host
    Secondary zones for you. If not, there are other DNS hosting companies that
    do this for no charge at all.



    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Aug 23, 2005
    #7
  8. ACE-Joe

    ACE-Joe Guest

    Thanks for the feedback! I understand. I just have to figure out the best
    way to make this configuration work. I don't know if I should make the
    "hidden" set of servers, the primary set and make the advertisers secondary
    to the the hidden set of servers? Or should I just set them up exactly the
    same but only be using the advertisers on the internet for the public
    namespace. This to me seems silly, and time consuming. And again by the
    time we got the "hidden" servers up and going the problem would likely be
    over.

    I guess for now, I will just setup two sets of primary/secondary servers,
    one set can be the "hidden" set with no public references to them at all,
    just to satisfy my boss. The other set can be the advertisers.

    Is there an easy way to import a zone from another server, so I don't
    have to type all this in again?

    Thanks
    Joe
     
    ACE-Joe, Aug 23, 2005
    #8
  9. ACE-Joe

    ACE-Joe Guest

    One more question. Is there anything special I should do in order to
    configure my two resolvers? Should I have them forward requests to more
    public DNS servers, or just use root hints? Should I disable recursion?
    Etc. I have the advertisers setup now, and I want to get my resolvers
    configured for testing.

    Thanks
    Joe
     
    ACE-Joe, Aug 23, 2005
    #9
  10. ACE-Joe

    ACE-Joe Guest

    Sorry, but here is another question, if I have my resolvers setup correctly,
    which I do, I setup forwarders to the public DNS servers of our ISP, and left
    the root hints. Now when I setup my internal DNS servers to query my
    resolvers, what configuration should I use for internal DNS? Should I
    disable root hints? And exclusively use the forwarders?

    Thanks
    Joe
     
    ACE-Joe, Aug 23, 2005
    #10

  11. Not unless the current DNS servers will give you a zone transfer.


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Aug 23, 2005
    #11
  12. ACE-Joe

    ACE-Joe Guest

    Summary:

    Public DNS in the DMZ:

    1. I setup two DNS servers in a Primary/Secondary configuration, created
    zones for all my public domains, configured them as advertisers. These are
    the two "hidden" DNS servers. No public records reference them and no
    queries are made to them.

    2. I setup two more DNS servers in a Primary/Secondary configuration setup
    as advertisers with no recursion, no root hints, no forwarding. I created
    all my zones for all public domains. I setup the nameservers at the
    registrar to point to each one respectively ns1 and ns2 using their public
    IPs.

    3. I setup two more DNS servers as resolvers, basically caching only
    servers. No zones, forwarding enabled to the ISP, and kept root hints for
    failover.

    Internal DNS:

    1. I setup two DNS servers (NO AD YET) in a primary/secondary configuration.
    I created the zone for the internal domain. I enabled DDNS registration. I
    enabled forwarders to point to the two resolvers in the DMZ. I removed the
    root hints.

    2. I created stub zones for the various public domains hosted on the DMZ DNS
    servers. This allows me to resolve the public domains internally on private
    IPs for the internal LAN clinet workstations.

    This is how I ended up making this configuration work. The "hidden" setup
    is way overkill for us, and I'm not sure we will impliment it, but I had to
    do the work to prove it works. DNS is up and running, everything works,
    resolves correctly, and I'm very pleased with the results. My test lab will
    undergo more testing tomorrow, but its all working very well right now. I
    still have some Port forwarding issues to resolve in the firewall for the DMZ
    and incoming traffic from the internet, but other than that, its working
    great! I even setup IIS on the primary DMZ DNS server to test for website
    hosting in this configuration and it works great!

    Thanks for all your help/suggestions!

    Joe
     
    ACE-Joe, Aug 23, 2005
    #12
  13. In
    Or just switch IPs on the 'hidden' machine to the registered IP should the
    authorative go down. No TTLs to deal with. Rebuild the other one and switch
    it around.

    Ace
     
    Ace Fekay [MVP], Aug 23, 2005
    #13
  14. In
    Yes. Use the ones above as the authorative for those other domains.
    Create your zones? Not sure what you are asking.
    As they are at the registrar.
    Yep. Your servers are the authorative for the zone. Therefore you must have
    your own records created so others can resolce them, especially including
    the nameserver names.

    You said it. The ones holding the primary zones are the "masters". The ones
    holding the secondary zones are the registered "advertisers". You make
    changes on the primary and they transfer to the secondaries.
    You are protecting the fact they cannot change anything on a secondary. It's
    a read only copy.

    Too many resources required for this size of a company. Easier to host at an
    ISP. But the boss is the boss, and he's "politically" correct, even if he's
    wrong. You must think this way in almost any network infrastructure.

    HE KNOWS WHAT HE'S DOING, whether he does or not.

    These newsgroups are like a quantuum singularity. Perpetually
    self-sustaining and here to help all the time!

    Ace
     
    Ace Fekay [MVP], Aug 23, 2005
    #14
  15. In
    I would imagine forward them. But if you think about it, to prevent possible
    issues if the servers being forwarded to are not properly secured, you can
    just opt to use the Roots.
    If you mean under the Advanced tab or the resolvers, no, because that will
    stop it from responding as a forwarder from the internal network. But you
    can disable recursion on the advertisers so no one else uses them to forward
    to since they are only responding for zones it is authorative for.
    Cool. Let us know how you make out.

    Ace
     
    Ace Fekay [MVP], Aug 23, 2005
    #15
  16. In
    Actually for #1 and #2, one of the #1 servers will be the Primary. The
    others in #1 and #2 will hold secondary copies. This way any changes you
    make on the primary in #1 will zone transfer to the others.

    Disable recursion on these guys under the advanced tab.
    That's fine.
    No need to remove the Roots.

    That's fine. But if there is one particular zone the same name as your AD
    zone, that would be useless. You would need to manually create the records
    on the internal zone just for that one zone. if you are using the same AD
    name internally as externally for that specific zone.
    I hope your DMZ is routed using an actual public IP range. Port forwarding
    in NAT will only work with one port to one internal IP only.
    Cheers!
     
    Ace Fekay [MVP], Aug 23, 2005
    #16
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.