Thread: Internal/External DNS

  1. #1
    rileymartin Guest

    Internal/External DNS

    Hi,

    We're finally splitting off of our parent company and need to setup our
    own internal and external DNS. From what I read in online documentation we
    should have internal DNS/AD servers for our internal network, pointing all
    clients to our internal DNS servers only. We should then setup our main
    internal DNS server with a forwarder address, pointing to our external DNS
    server in our DMZ. The DNS server in the DMZ would then be the only DNS
    server in direct communication with other public DNS servers. Is this what
    everyone else is doing? What about the root hints on our internal DNS
    servers? I'm not sure how they come into play. If we setup a forwarder
    address pointing to our DNS server in our DMZ are they needed? Do we delete
    the root hints? Any help would be appreciated. Thanks.

  2. #2
    Ace Fekay [MVP] Guest

    Re: Internal/External DNS

    In news:AD85598E-7C38-47F5-BDA0-2683CAD6B1B1@microsoft.com,
    rileymartin <rileymartin@discussions.microsoft.com> typed:
    > Hi,
    >
    > We're finally splitting off of our parent company and need to
    > setup our own internal and external DNS. From what I read in online
    > documentation we should have internal DNS/AD servers for our internal
    > network, pointing all clients to our internal DNS servers only. We
    > should then setup our main internal DNS server with a forwarder
    > address, pointing to our external DNS server in our DMZ. The DNS
    > server in the DMZ would then be the only DNS server in direct
    > communication with other public DNS servers. Is this what everyone
    > else is doing? What about the root hints on our internal DNS
    > servers? I'm not sure how they come into play. If we setup a
    > forwarder address pointing to our DNS server in our DMZ are they
    > needed? Do we delete the root hints? Any help would be appreciated.
    > Thanks.


    Is your external DNS hosting public records or are you using it as a private
    'proxy' address for your internal DNS to forward to? That's actually a good
    security best practice.

    If it is hosting external public records, many companies have gotten away
    from that and allow their registrar to host their public zones because it's
    too much admin overhead and not really worth the aggravation.

    As for Root hints, they are used to resolve external zones on the internet.
    If you are using a forwarder, and the forwarder always answers, then it will
    never get to use the Roots. I wouldn't delete them however under the
    Forwarders tab, (only under the Forwarders Tab) you can check the box to
    'disable recursion', which actually plainly means to disable the use of the
    Roots.

    Warning: Do not disable recursion under the Advanced Tab, which is totally
    different from the tab I mentioned above. This setting will turn off all
    recursion and no one will be able to resolve anything other than your
    internal domain name.

    --
    Regards,
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    MVP Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Infinite Diversities in Infinite Combinations



  3. #3
    rileymartin Guest

    Re: Internal/External DNS

    Thanks for the reply.

    We will be using the DNS server in our DMZ for both hosting public records
    as well as a proxy address for our internal clients to forward to. Our
    clients will point to our internal DNS server which will forward to our
    external DNS server.



    "Ace Fekay [MVP]" wrote:

    > In news:AD85598E-7C38-47F5-BDA0-2683CAD6B1B1@microsoft.com,
    > rileymartin <rileymartin@discussions.microsoft.com> typed:
    > > Hi,
    > >
    > > We're finally splitting off of our parent company and need to
    > > setup our own internal and external DNS. From what I read in online
    > > documentation we should have internal DNS/AD servers for our internal
    > > network, pointing all clients to our internal DNS servers only. We
    > > should then setup our main internal DNS server with a forwarder
    > > address, pointing to our external DNS server in our DMZ. The DNS
    > > server in the DMZ would then be the only DNS server in direct
    > > communication with other public DNS servers. Is this what everyone
    > > else is doing? What about the root hints on our internal DNS
    > > servers? I'm not sure how they come into play. If we setup a
    > > forwarder address pointing to our DNS server in our DMZ are they
    > > needed? Do we delete the root hints? Any help would be appreciated.
    > > Thanks.

    >
    > Is your external DNS hosting public records or are you using it as a private
    > 'proxy' address for your internal DNS to forward to? That's actually a good
    > security best practice.
    >
    > If it is hosting external public records, many companies have gotten away
    > from that and allow their registrar to host their public zones because it's
    > too much admin overhead and not really worth the aggravation.
    >
    > As for Root hints, they are used to resolve external zones on the internet.
    > If you are using a forwarder, and the forwarder always answers, then it will
    > never get to use the Roots. I wouldn't delete them however under the
    > Forwarders tab, (only under the Forwarders Tab) you can check the box to
    > 'disable recursion', which actually plainly means to disable the use of the
    > Roots.
    >
    > Warning: Do not disable recursion under the Advanced Tab, which is totally
    > different from the tab I mentioned above. This setting will turn off all
    > recursion and no one will be able to resolve anything other than your
    > internal domain name.
    >
    > --
    > Regards,
    > Ace
    >
    > This posting is provided "AS-IS" with no warranties or guarantees and
    > confers no rights.
    >
    > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    > MVP Microsoft MVP - Directory Services
    > Microsoft Certified Trainer
    >
    > Infinite Diversities in Infinite Combinations
    >
    >
    >


  4. #4
    Ace Fekay [MVP] Guest

    Re: Internal/External DNS

    In news:844601B5-B7CC-4053-97AA-814E079D64BC@microsoft.com,
    rileymartin <rileymartin@discussions.microsoft.com> typed:
    > Thanks for the reply.
    >
    > We will be using the DNS server in our DMZ for both hosting public
    > records as well as a proxy address for our internal clients to
    > forward to. Our clients will point to our internal DNS server which
    > will forward to our external DNS server.


    Sounds good. :-)

    Ace



  5. #5
    Kevin D. Goodknecht Sr. [MVP] Guest

    Re: Internal/External DNS

    Read inline please.

    In news:844601B5-B7CC-4053-97AA-814E079D64BC@microsoft.com,
    rileymartin <rileymartin@discussions.microsoft.com> typed:
    > Thanks for the reply.
    >
    > We will be using the DNS server in our DMZ for both hosting public
    > records
    > as well as a proxy address for our internal clients to forward to.
    > Our clients will point to our internal DNS server which will forward
    > to our external DNS server.


    One point to look at here, if the DMZ servers are authoritative for your
    public domain, it would be better to disable recursion on them, and NOT use
    them as a forwarder.
    By allowing recursion on them, it makes them easier to hijack the cache by
    unscrupulous hackers. If recursion is disabled, they can only answer for the
    zones they own, so in effect, the cache is disabled.



    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps

    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    http://message.wftx.us/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================



  6. #6
    rileymartin Guest

    Re: Internal/External DNS

    Thank you, please explain further. I thought recursion would be used on our
    external DNS server to perform DNS lookups on behalf of our internal DNS
    server, by contacting other DNS servers on the internet to resolve names to
    resources on the Internet (recursive queries).

    I think I may not correctly understand recursion or recursive queries. Are
    they different?

    "Kevin D. Goodknecht Sr. [MVP]" wrote:

    > Read inline please.
    >
    > In news:844601B5-B7CC-4053-97AA-814E079D64BC@microsoft.com,
    > rileymartin <rileymartin@discussions.microsoft.com> typed:
    > > Thanks for the reply.
    > >
    > > We will be using the DNS server in our DMZ for both hosting public
    > > records
    > > as well as a proxy address for our internal clients to forward to.
    > > Our clients will point to our internal DNS server which will forward
    > > to our external DNS server.

    >
    > One point to look at here, if the DMZ servers are authoritative for your
    > public domain, it would be better to disable recursion on them, and NOT use
    > them as a forwarder.
    > By allowing recursion on them, it makes them easier to hijack the cache by
    > unscrupulous hackers. If recursion is disabled, they can only answer for the
    > zones they own, so in effect, the cache is disabled.
    >
    >
    >
    > --
    > Best regards,
    > Kevin D. Goodknecht Sr. [MVP]
    > Hope This Helps
    >
    > ===================================
    > When responding to posts, please "Reply to Group"
    > via your newsreader so that others may learn and
    > benefit from your issue, to respond directly to
    > me remove the nospam. from my email address.
    > ===================================
    > http://www.lonestaramerica.com/
    > http://support.wftx.us/
    > http://message.wftx.us/
    > ===================================
    > Use Outlook Express?... Get OE_Quotefix:
    > It will strip signature out and more
    > http://home.in.tum.de/~jain/software/oe-quotefix/
    > ===================================
    > Keep a back up of your OE settings and folders
    > with OEBackup:
    > http://www.oehelp.com/OEBackup/Default.aspx
    > ===================================
    >
    >
    >


  7. #7
    Ace Fekay [MVP] Guest

    Re: Internal/External DNS

    In news:42216554-B983-4551-88C7-42A71FCD150B@microsoft.com,
    rileymartin <rileymartin@discussions.microsoft.com> typed:
    > Thank you, please explain further. I thought recursion would be used
    > on our external DNS server to perform DNS lookups on behalf of our
    > internal DNS server, by contacting other DNS servers on the internet
    > to resolve names to resources on the Internet (recursive queries).
    >
    > I think I may not correctly understand recursion or recursive
    > queries. Are they different?


    What Kevin is suggesting is a best-practice security design recommendation.
    In this design you are not to allow your internal DNS or any other external
    DNS servers the ability to use them to perform recursion. They will only be
    content serving DNS servers, meaning they will only respond to queries for
    what they hold and will not resolve anything else. To configure that, you
    check the box under the Advanced tab.

    You would configure your internal DNS to forward to your ISP's, and let them
    resolve everything, including your external zones.

    But it's up to you how you configure your infrastructure.

    Ace
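A defender's way to confirm that a DMZ server really is content-only, as Kevin and Ace describe: send it a query with the RD (recursion desired) bit set and inspect the response header. A server that will recurse for you sets RA (recursion available); a server with recursion disabled leaves RA clear, answers only from its own zones, and typically returns REFUSED for anything else. This is an added Python example, not code from the thread or from Microsoft DNS; the sample response bytes are constructed, and `query_server` is a hypothetical helper for running the same check against a server you operate.

```python
"""Audit helper: does a DNS server offer recursion to whoever asks?
Added example for this thread, not code from the posts or from Microsoft
DNS.  The sample responses below are constructed, not captured."""
import socket
import struct

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query (RFC 1035 wire format) with the RD bit set, so the
    server is asked to recurse on our behalf.  qtype 1 = A record."""
    header = HEADER.pack(txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD only
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def classify_response(data, expected_txid=None):
    """Decode the 12-byte header and judge the server's recursion stance."""
    if len(data) < HEADER.size:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = HEADER.unpack(data[:HEADER.size])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    qr = bool(flags & 0x8000)      # response bit
    aa = bool(flags & 0x0400)      # authoritative answer
    ra = bool(flags & 0x0080)      # recursion available
    rcode = flags & 0x000F         # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
    if not qr:
        raise ValueError("not a response")
    if ra:
        verdict = "open-recursion"       # server will resolve anything for this client
    elif rcode == 5:
        verdict = "recursion-refused"    # content-only server asked for a name it lacks
    elif aa:
        verdict = "authoritative-only"   # answered from its own zone, RA clear
    else:
        verdict = "no-recursion"
    return {"aa": aa, "ra": ra, "rcode": rcode, "answers": an, "verdict": verdict}


def query_server(server_ip, name, timeout=3.0):
    """Hypothetical helper: run the check against a server you operate.
    Needs network access, so the offline checks below do not call it."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (server_ip, 53))
        data, _ = s.recvfrom(512)
    return classify_response(data, expected_txid=txid)


# Constructed sample responses (headers only; the question and answer
# sections are not needed to judge the recursion flags).
OPEN_RESOLVER_REPLY = HEADER.pack(0x1234, 0x8180, 1, 1, 0, 0)  # QR RD RA, NOERROR
REFUSED_REPLY = HEADER.pack(0x1234, 0x8105, 1, 0, 0, 0)        # QR RD, REFUSED
AUTH_REPLY = HEADER.pack(0x1234, 0x8500, 1, 1, 0, 0)           # QR AA RD, NOERROR

if __name__ == "__main__":
    samples = [("open", OPEN_RESOLVER_REPLY), ("refused", REFUSED_REPLY), ("auth", AUTH_REPLY)]
    for label, reply in samples:
        print(label, classify_response(reply, expected_txid=0x1234)["verdict"])
```

Run the same check from inside the LAN and from the internet side: an authoritative DMZ server should come back `authoritative-only` for its own names and `recursion-refused` for anything else, from both vantage points. If it reports `open-recursion` to an outside client, it is exactly the cache that Kevin warns can be poisoned.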



  8. #8
    Milton F. Lopez Guest

    Re: Internal/External DNS

    (I posted this separately and later found this. Sorry for the duplication but
    this looks like the only related thread).

    We have two Windows 2003 (SP2) domain controllers on our private LAN, which
    is NAT'ed behind a firewall. DNS on these servers is configured to forward to
    a third DNS server on our DMZ, which resolves public names for our domain. We
    use this "split DNS" so that an Exchange server on the LAN has both a public
    and a private IP address. The firewall takes care of the necessary SMTP
    routing, and this works just fine.

    Under these conditions I expect systems on the private LAN to get
    the Exchange server's private IP address from the domain controllers when
    they issue a DNS query. This is indeed what happens when I test them using
    nslookup.

    We recently placed a new Sophos ES1000 email appliance on the LAN as a
    smarthost for Exchange. The appliance is set to use the two domain
    controllers as primary and secondary DNS servers. When receiving messages
    from Exchange, the appliance (which uses Postfix) looks up the IP address for
    the server name in the HELO command, and checks to see if it matches the
    connection. Most of the time it does, i.e. the appliance gets the private IP
    address for the Exchange server from DNS, and accepts the messages.

    The problem is that once in a while the appliance seems to get the public IP
    address of the Exchange server and refuses to relay as it should. This, of
    course, creates problems with our email routing.

    Sophos tells me the problem is with the DNS servers and therefore cannot
    help us with this.

    Could something be causing the Windows DNS service to forward the query for
    the Exchange server's IP address, rather than getting it from its own zone
    for some reason, and thereby returning the Exchange server's public IP
    address? If so, how could I prevent this?

    Thanks in advance.



  9. #9
    Ace Fekay [MVP] Guest

    Re: Internal/External DNS

    In news:13B11A0B-1992-4B60-A9D0-9743ABF71D5A@microsoft.com,
    Milton F. Lopez <MiltonFLopez@discussions.microsoft.com> typed:
    > (I posted this separately and later found this. Sorry for the
    > duplication but this looks like the only related thread).
    >
    > We have two Windows 2003 (SP2) domain controllers on our private LAN,
    > which is NAT'ed behind a firewall. DNS on these servers is configured
    > to forward to a third DNS server on our DMZ, which resolves public
    > names for our domain. We use this "split DNS" so that an Exchange
    > server on the LAN has both a public and a private IP address. The
    > firewall takes care of the necessary SMTP routing, and this works
    > just fine.
    >
    > Under these conditions I expect systems on the private LAN to get
    > the Exchange server's private IP address from the domain controllers
    > when they issue a DNS query. This is indeed what happens when I test
    > them using nslookup.
    >
    > We recently placed a new Sophos ES1000 email appliance on the LAN as a
    > smarthost for Exchange. The appliance is set to use the two domain
    > controllers as primary and secondary DNS servers. When receiving
    > messages from Exchange, the appliance (which uses Postfix) looks up
    > the IP address for the server name in the HELO command, and checks to
    > see if it matches the connection. Most of the time it does, i.e. the
    > appliance gets the private IP address for the Exchange server from
    > DNS, and accepts the messages.
    >
    > The problem is that once in a while the appliance seems to get the
    > public IP address of the Exchange server and refuses to relay as it
    > should. This, of course, creates problems with our email routing.
    >
    > Sophos tells me the problem is with the DNS servers and therefore
    > cannot help us with this.
    >
    > Could something be causing the Windows DNS service to forward the
    > query for the Exchange server's IP address, rather than getting it
    > from its own zone for some reason, and thereby returning the Exchange
    > server's public IP address? If so, how could I prevent this?
    >
    > Thanks in advance.


    DNS will NOT forward queries for zones it hosts. DNS will answer for any
    zones it hosts, and if there is no match for a host query under the zone, it
    simply returns a NULL and will NOT forward on.

    Is the external DNS server's IP listed under the Nameservers tab under the
    zone's properties on the internal DNS servers?

    How did you configure the Forwarder? Is it a Conditional Forwarder or to
    'All Other Domains?'


    Ace
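Ace's point that a server answers names in its own zones and never forwards them (a missing host yields NXDOMAIN, not a forward), together with Kevin's and Ace's earlier advice to run the DMZ server as content-only and forward internal queries to the ISP instead, in one small Python model. This is an added example, not code from the thread or from Microsoft DNS: the zone names, the addresses (private 10/8 and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the `StaticResolver` stand-in for the public DNS are all constructed.

```python
"""Toy model of a forwarding DNS server's decision order: hosted zones
first, forwarders only for everything else.  Added example for this
thread; it is not Microsoft DNS code and the names/addresses are constructed."""


class StaticResolver:
    """Stand-in for an upstream recursive resolver, e.g. the ISP's."""

    def __init__(self, table):
        self.table = {k.lower(): v for k, v in table.items()}

    def resolve(self, name):
        addr = self.table.get(name.lower().rstrip("."))
        return ("NOERROR", addr, "recursive") if addr else ("NXDOMAIN", None, "recursive")


class ForwardingServer:
    """zones: {zone: {host: address}}; forwarders: objects with resolve()."""

    def __init__(self, zones, forwarders=(), recursion_enabled=True):
        self.zones = {z.lower().rstrip("."): {h.lower(): a for h, a in rrs.items()}
                      for z, rrs in zones.items()}
        self.forwarders = list(forwarders)
        self.recursion_enabled = recursion_enabled

    def _hosting_zone(self, name):
        """Most specific hosted zone that contains name, or None."""
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def resolve(self, name):
        name = name.lower().rstrip(".")
        zone = self._hosting_zone(name)
        if zone is not None:
            # Authoritative path: answered from the zone and never forwarded,
            # even when the host does not exist (NXDOMAIN, not a forward).
            host = "@" if name == zone else name[: -len(zone) - 1]
            addr = self.zones[zone].get(host)
            if addr:
                return ("NOERROR", addr, "authoritative")
            return ("NXDOMAIN", None, "authoritative")
        if not self.recursion_enabled:
            # Content-only server: refuses to chase names it does not hold.
            return ("REFUSED", None, None)
        for upstream in self.forwarders:
            rcode, addr, _ = upstream.resolve(name)
            if rcode in ("NOERROR", "NXDOMAIN"):
                return (rcode, addr, "forwarded")
        return ("SERVFAIL", None, "forwarded")


def build_example():
    """Constructed split-DNS setup in the shape the thread describes."""
    internet = StaticResolver({"www.partner.example": "198.51.100.80"})
    # DMZ server: public view of corp.example, recursion disabled (Kevin's advice).
    dmz = ForwardingServer({"corp.example": {"mail": "203.0.113.25", "www": "203.0.113.80"}},
                           recursion_enabled=False)
    # Internal server: private view of the same zone, forwarding to the ISP (Ace, #7).
    internal = ForwardingServer({"corp.example": {"mail": "10.0.0.25", "dc1": "10.0.0.10"}},
                                forwarders=[internet])
    return internal, dmz, internet


if __name__ == "__main__":
    internal, dmz, internet = build_example()
    for n in ("mail.corp.example", "nosuch.corp.example", "www.partner.example"):
        print("internal", n, internal.resolve(n))
    print("dmz", "www.partner.example", dmz.resolve("www.partner.example"))
    # Forwarding internally to a content-only DMZ server fails for outside names,
    # which is why Ace suggests forwarding to the ISP instead.
    misconfigured = ForwardingServer({"corp.example": {"mail": "10.0.0.25"}}, forwarders=[dmz])
    print("internal->dmz", misconfigured.resolve("www.partner.example"))
```

In this model the internal server can only ever hand out 10.0.0.25 for `mail.corp.example`, whatever its forwarder holds, which is Ace's argument for looking elsewhere for Milton's intermittent public address (a client configured with an extra, external resolver, or a stale cache on the appliance, would be the next things to rule out).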





  10. #10
    Milton F. Lopez Guest

    Re: Internal/External DNS

    Ace,
    Thanks for the reply. I understand the internal servers should not respond
    with the external address, but the Sophos people insist they must be doing
    this when the problem happens. It has only happened twice in about a month,
    by the way. Before I can reply to them, I need to eliminate the possibility
    of some kind of glitch or bug that might cause the query for a name in the
    local zone to be forwarded under some conditions. The only option I see is to
    get an expert opinion to the effect that no such thing exists - period.

    To answer your questions, the external DNS server's IP is not listed under
    the Nameservers tab under the zone's properties on the internal DNS servers -
    only the internal servers themselves are shown there. The Forwarder is not
    a Conditional Forwarder. Only 'All other DNS domains' is visible under "DNS
    domain".

    Thanks again.


    "Ace Fekay [MVP]" wrote:

    >
    > DNS will NOT forward queries for zones it hosts. DNS will answer for any
    > zones it hosts, and if there is no match for a host query under the zone, it
    > simply returns a NULL and will NOT forward on.
    >
    > Is the external DNS server's IP listed under the Nameservers tab under the
    > zone's properties on the internal DNS servers?
    >
    > How did you configure the Forwarder? Is it a Conditional Forwarder or to
    > 'All Other Domains?'



  11. #11
    Ace Fekay [MVP] Guest

    Re: Internal/External DNS

    In news:BF69264F-2858-4080-9AB3-D02018DD954A@microsoft.com,
    Milton F. Lopez <MiltonFLopez@discussions.microsoft.com> typed:
    > Ace,
    > Thanks for the reply. I understand the internal servers should not
    > respond with the external address, but the Sophos people insist they
    > must be doing this when the problem happens. It has only happened
    > twice in about a month, by the way. Before I can reply to them, I
    > need to eliminate the possibility of some kind of glitch or bug that
    > might cause the query for a name in the local zone to be forwarded
    > under some conditions. The only option I see is to get an expert
    > opinion to the effect that no such thing exists - period.
    >
    > To answer your questions, the external DNS server's IP is not listed
    > under the Nameservers tab under the zone's properties on the internal
    > DNS servers - only the internal servers themselves are shown there.
    > The Forwarder is not a Conditional Forwarder. Only 'All other DNS
    > domains' is visible under "DNS domain".
    >
    > Thanks again.


    I assure you, no such thing exists with MS DNS, which any of the MVPs and
    Microsoft engineers monitoring these threads familiar with MS DNS will tell
    you that. However in BIND, you can tell it to look elsewhere first instead
    of itself, if so desired, then look to its own zones, but MS DNS looks
    elsewhere first only.

    Here's BIND's forwarding settings:
    http://www.akadia.com/services/howto_forward_dns.html

    Here's MS DNS:
    http://207.46.196.114/WindowsServer/...434381033.mspx

    Something else is going on. I assume there is absolutely no relationship
    between the internal DNS and the external DNS, eg, stubs, secondaries, etc,
    between the internal to external and vice versa? Nothing in the Root hints
    in the DMZ server?? I'm just asking these questions to uncover any possible
    unturned stone.

    Try testing it with using telnet to the Postfix box by using IP and name and
    see what type of results are obtained.

    If you desire additional expert opinion, you can log a call with MS PSS.
    Please check http://support.microsoft.com for regional support phone
    numbers. I believe it's approx $250.00 USD for the call.

    On a personal note, I've seen issues with Postfix, well let me re-phrase
    that, I've seen issues that we could not resolve and the only thing
    different is Postfix was involved. Please keep in mind, I am not knocking
    Postfix. I am just relating an experience. One of our clients (whom I'll
    refer to as "us," "we" or "ours"), that does not use Postfix, is having
    intermittent issues with a company that does use Postfix. We have a policy
    in place that all email between this company and the other company using
    Postfix must be encrypted using TLS. Every once in awhile, a TLS command is
    sent, (how TLS normally works) to the other company using Postfix.
    Intermittently Postfix on their end drops it for no apparent reason. The
    error stated by Postfix in the session response according to our logs, says
    Postfix could not verify our certificate (it's a Verisign cert). Therefore
    it drops the connection. Unfortunately the issue is NOT occurring with 12
    other companies that we have the same exact policy with. We've never seen it
    before. The only thing different with the 12 other companies is none of them
    are using Postfix. So we really didn't have a point of reference or history
    to help us resolve it other than what we saw in our logs. Of course that
    company logged a call with Postfix, as well as we logged a call with our
    vendor for our product. Guess what Postfix told the other company? They said
    it was not their fault and something on our end. It never got resolved. The
    problem still occurs intermittently and only with them. Quite unfortunate.
    I'm not knocking it, just relating an experience.

    I'm also not saying it is related to your issue. I am curious as to the root
    of the problem. Maybe try a different forwarder than your own DMZ DNS? Try
    4.2.2.2 for a spell and see if the same issue occurs.

    Ace



  12. #12

    Re: Internal/External DNS

    I am Eng. Ahmed Sayed from Egypt.
    I have a problem as follows.
    I want to implement a solution for Exchange Server 2010 on 2 servers, one for Mailbox, CAS and Hub and the second for the Edge server.

    I have an internal DNS domain name, abc.local, and an external DNS domain name, abc.com,
    and I want mailbox users to send and receive mail using their external domain name externally, and no one can know the internal DNS domain name of the company.

    I don't know how to configure this solution and how to make one profile for each user to receive mail on this profile either from internal users or from external users.

    Please reply to me as soon as possible.

    Thanks in advance
