Public DNS of Windows Server 2003

    Question

  • Hi,

    I have problems with publicising my DNS server. I've installed the DNS Server.

    The hostname of my DNS server is DMZDNS.example.info and its IP address is 192.168.0.2, and my registered domain is, let's say, example.info.

    In my home network I have an ADSL modem and a home router, and the DNS server to be publicised is in the DMZ zone, which is 192.168.0.0/24.

    My internal network is 172.16.0.0/24. Let's say my public IP address is 1.2.2.1.

    Reason to have a public DNS: to resolve my website www.example.info.

    Success in my installation and configuration:

    - I've successfully publicised my DNS by opening port 53 on my router.

    - The DNS can be queried using NSLOOKUP from the Internet.

    My problem:

    My internal IP address (192.168.0.2) is exposed on the Internet when I query it.

    For example:

    >set q=A
    >example.info
    Server:   ns1.example.info
    Address:  1.2.2.1

    Non-Authoritative Answer:
    Name:       example.info
    Addresses:  1.2.2.1
                192.168.0.2

     

     

    Please help me.

    Saturday, May 07, 2011 6:36 AM
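The nslookup check in the question, done programmatically, as an added example that is not part of the original thread. It runs from a Windows workstation outside the NAT (it needs the DnsClient module's Resolve-DnsName, which exists on Windows 8 / Server 2012 and later, not on the Server 2003 box itself) and flags any RFC 1918 address the public server hands out, not only in the apex and www A records but also in the NS glue and the SOA primary-server name, which is where a self-registered interface address usually hides. The function names Find-DnsPrivateLeak and Test-PrivateIPv4 are mine; 1.2.2.1 and example.info are the poster's placeholder values.

```powershell
# Added example (not from the original thread): query a published Windows DNS
# server from OUTSIDE the NAT and flag any RFC 1918 address it returns.
# Assumes a modern Windows workstation with Resolve-DnsName (Windows 8 /
# Server 2012 or later). 1.2.2.1 and example.info are placeholders.

function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16; 127/8 added for completeness.
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

# Resolve a name to its A records on the given server and return only the
# private ones, tagged with a label describing where the name came from.
function Get-PrivateARecords {
    param([string]$Name, [string]$Server, [string]$Label)
    Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' -and (Test-PrivateIPv4 $_.IPAddress) } |
        ForEach-Object { [pscustomobject]@{ Record = "$($_.Name) A ($Label)"; Value = $_.IPAddress } }
}

function Find-DnsPrivateLeak {
    param(
        [Parameter(Mandatory)][string]$Server,   # published (public) address of the DNS server
        [Parameter(Mandatory)][string]$Zone      # zone it is authoritative for
    )
    $leaks = @()

    # 1. Apex and www A records: the poster's nslookup showed 192.168.0.2 here.
    foreach ($name in @($Zone, "www.$Zone")) {
        $leaks += Get-PrivateARecords -Name $name -Server $Server -Label 'host'
    }

    # 2. NS records and their glue: a self-registering server publishes an A
    #    record for its own name, which carries the interface address.
    Resolve-DnsName -Name $Zone -Type NS -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'NS' } |
        ForEach-Object { $leaks += Get-PrivateARecords -Name $_.NameHost -Server $Server -Label 'NS glue' }

    # 3. SOA MNAME: the primary master's name is published too.
    Resolve-DnsName -Name $Zone -Type SOA -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SOA' } |
        ForEach-Object { $leaks += Get-PrivateARecords -Name $_.PrimaryServer -Server $Server -Label 'SOA MNAME' }

    return $leaks
}

# Usage, from a host outside the network being checked:
$found = Find-DnsPrivateLeak -Server 1.2.2.1 -Zone example.info
if ($found) {
    $found | Format-Table -AutoSize
    Write-Warning "Private addresses are being published by 1.2.2.1 for example.info."
} else {
    Write-Host "No RFC 1918 addresses returned for example.info."
}
```

Run it again after any change on the server side; a clean result here is the only evidence that matters, because the server's own view of the zone (and a query from inside the NAT) will not show what the Internet sees.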

All replies

  • Hello,

    Create an A record named "www" (without the quotes) and point it to the web server's IP address.


    Best regards, Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Sunday, May 08, 2011 7:58 PM
    Does your ISP allow you to host services on your ADSL line? Typically, from experience, I haven't seen many ISPs allow this unless it's a business-class line.

    If it is business class, have you published your DNS server as a "hostname server" with your registrar (such as GoDaddy, Network Solutions, etc.)?

    Also, if you want to host your public domain name on your own DNS server, the registrar requires a minimum of two hostname servers, and you also have to run two separate DNS servers: one that hosts the public IP address for the public to use, and one for your internal use that has records with the internal private IP. This is because with Windows DNS you can't mix internal and public IPs for a record, such as a www.yourdomain.com record. Internally, for you to get to it, it must be the private IP, but externally it must point to your WAN IP.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, May 09, 2011 2:28 PM
    I already own a public domain registered with a registrar such as GoDaddy. The DNS server that I host can be seen publicly. However, the problem I encountered is that the internal IP address of the DNS server (supposed to be the DMZ zone IP address) is exposed. I already deleted the host record, but it still appeared, and the IP address was automatically recorded again once the DNS server restarted.

    By the way, the DNS server is behind the NAT router.

    Tuesday, May 10, 2011 12:27 AM
  • I see. I assume you mean the NS record, or the A record, or both? Is the DNS server a DC?

    Either way, the DNS server is self-registering into the zone. If the DNS server is multihomed (more than one NIC), you can possibly stop it by going into the zone's properties, Interface tab, and telling it to only listen on the external interface. However, that will stop it from serving internal requests. If the DNS server is single-homed, there's not much you can do about it and still have it respond to queries, other than disabling DNS dynamic registration completely and manually creating the necessary records.

    However, if this server is a DC, then simply disabling registration will not work and will require altering the Netlogon registry settings. It gets complicated from here.

    To fully understand what's going on, whether a DC or not, please read the following article. If it is not a DC, you can skip the Netlogon part, but the behavior applies to both scenarios.

    Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, and/or PPPoE adapters - A multihomed DC is NOT a recommended configuration, however there are ways to configure such a DC to work properly. (At this time, Microsoft does not recommend or support machines with teamed NICs, DC or not.)
    http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

    Also, I assume you are hosting your website internally? If so, when you are trying to resolve the same record internally while hosting the web site internally, then for internal resolution you need to create the record with the internal private IP. However, for external resolution you will need your WAN IP. Windows DNS is not designed to host both records and respond correctly depending on the querying source, and would need separate DNS servers for the two records. Just thought I would mention that.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, May 10, 2011 1:19 AM
    The DNS server that I host as a public DNS server is a stand-alone server, not a member of a DC, and it's placed in the DMZ.

    I am not using 2 NICs because I prefer to use NAT on the router itself to allow port 53 and point it to my public DNS server.

    On the DNS server there are no records for the private or internal IP address. The private network has its own private DNS server on the internal network.

    What I am worried about is that the public DNS server's network interface IP address (which is the server's IP, i.e. 192.168.0.2) is exposed.

    What I have done is delete the record and create a new record and name server with the public IP address.

    However, the drawback is that if I restart the public DNS server, the interface IP 192.168.0.2 creates its own record automatically, and then I have to delete the record of the network interface again.

    Tuesday, May 10, 2011 8:47 AM
    Either way, the DNS server is self registering into the zone.
    If the DNS server is multihomed (more than one NIC), you can
    possibly stop it by going into the zone's properties, Interface tab,
    and tell it to only listen on the external interface.

    Ace, if I'm not wrong (and judging from the OP's reply it seems to be the case) the box is sitting behind a NAT and has no public IP allocated on its NIC; it's just published through a NAT "port forwarding" rule, and that's why it keeps showing the private IP. Now, given the setup, I wonder if there may be a solution to the reported "issue" (let's call it so) other than publishing the DNS using routing in place of NAT and putting its public IP on the DNS server's network interface; given that the OP wrote that the server is sitting inside a DMZ (or maybe a screened network), it shouldn't be so difficult to modify the setup.

    In case it's a real DMZ, we'd have something like:

    internet
    |
    ext firewall (and router)
    |
    +--- DMZ hosts
    |
    int firewall (and usually NAT)
    |
    LAN

    So, changing the config on the ext firewall and using public IPs in the DMZ would solve the issue; the same goes in case we have a screened network (aka a three-legged firewall). In such a case we'd have:

    internet
    |
    wan NIC
    firewall (nat+router) -- DMZ nic -- DMZ hosts
    lan NIC
    |
    LAN

    and we'll just need to change the setup to have the three-legged box perform routing between the wan NIC and the DMZ NIC (while doing NAT between the LAN and the WAN) and, again, use public IPs inside the DMZ.

    Tuesday, May 10, 2011 10:58 AM
    The DNS server that I host as a public DNS server is a stand-alone server, not a member of a DC, and it's placed in the DMZ.

    I am not using 2 NICs because I prefer to use NAT on the router itself to allow port 53 and point it to my public DNS server.

    On the DNS server there are no records for the private or internal IP address. The private network has its own private DNS server on the internal network.

    What I am worried about is that the public DNS server's network interface IP address (which is the server's IP, i.e. 192.168.0.2) is exposed.

    What I have done is delete the record and create a new record and name server with the public IP address.

    However, the drawback is that if I restart the public DNS server, the interface IP 192.168.0.2 creates its own record automatically, and then I have to delete the record of the network interface again.

    Thank you for the detailed explanation. Now I understand the whole configuration.

    As I mentioned earlier, the Dynamic DNS Registration feature is registering the private IPs for the A record and for the NS records. That is why you are seeing them re-appear after you delete them. The mere fact that this is a DNS server is causing it to do that, and it will register even if you uncheck the "register this connection ..." setting in the NIC properties, IPv4, Advanced, DNS tab.

    To fix it, as I also mentioned, you must disable DNS registration globally in the registry, then manually create ("publish") the NS, SOA and A records you need.

     

    To control DNS registration for, say, an internal DNS server that is being used to host public records, where you do not want to publish private IPs for the A record, SOA record and NS records:

    1. Disable DNS registration on all interfaces:

    (Procedure good for Windows 2003, 2008 & 2008 R2):

    Click Start, click Run, type regedit, and then click OK.
    Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    On the Edit menu, point to New, and then click DWORD Value.
    Type DisableDynamicUpdate, and then press ENTER two times.
    In the Edit DWORD Value dialog box, type 1 in the Value data box, and then click OK.
    (Note: by default, DNS update is enabled (0).)
    Exit Registry Editor.


    2. Use the following registry subkey to "publish" the public IP address:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\PublishAddresses

    Data type: REG_SZ
    Range: IP address [type in the public IP address]
    (Note: the default value is blank.)

     

    Double check the NS, SOA and the A records after completed.

     

    Ace

     

    PS - Late Edit: Please make sure TCP 53 and UDP 53 are both opened and translated. UDP 53 allows the use of EDNS0.

     


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

     

     

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, May 10, 2011 1:42 PM
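The two registry steps above as a script, followed by the check Ace asks for ("double check the NS, SOA and the A records"). This is an added example, not part of Ace's post. It assumes PowerShell 2.0 has been installed on the Server 2003 box and the script is run there, elevated; dnscmd's /ZonePrint is used to dump the zone so the output can be searched for RFC 1918 addresses. 1.2.2.1 and example.info are the poster's placeholders. Note that later in the thread the poster reports these two values did not stop re-registration on Windows Server 2003 SP2, which is exactly what the audit at the end is there to tell you.

```powershell
# Added example (not from the original thread): apply the DisableDynamicUpdate
# and PublishAddresses registry values, restart the DNS service, then audit
# the zone for private addresses. Assumes PowerShell 2.0 on the Server 2003
# DNS box, run elevated. 1.2.2.1 / example.info are placeholders.

$PublicIP = '1.2.2.1'
$Zone     = 'example.info'

# Step 1: stop TCP/IP from registering the interface address (global setting,
# 0 = enabled, 1 = disabled). Set-ItemProperty creates the value if missing.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpip -Name 'DisableDynamicUpdate' -Value 1 -Type DWord

# Step 2: tell the DNS service which address to put in its own NS/A records
# (REG_SZ; blank by default, meaning every interface address gets published).
$dns = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
Set-ItemProperty -Path $dns -Name 'PublishAddresses' -Value $PublicIP -Type String

# The DNS service reads both values at start-up only.
Restart-Service -Name DNS -Force

# Step 3: audit. dnscmd /ZonePrint dumps the zone in zone-file form; search
# every line for an RFC 1918 address (10/8, 172.16/12, 192.168/16).
$rfc1918 = '\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})\b'
$leaks = & dnscmd . /ZonePrint $Zone 2>&1 | Select-String -Pattern $rfc1918

if ($leaks) {
    Write-Warning "Private addresses still present in $Zone after restart:"
    $leaks | ForEach-Object { Write-Warning ('  ' + $_.Line.Trim()) }
    Write-Warning "Delete them (dnscmd . /RecordDelete $Zone <node> A <ip> /f), restart DNS again and re-run this check."
} else {
    Write-Host "No RFC 1918 addresses in $Zone. Confirm the NS, SOA and A records now carry $PublicIP."
}
```

The audit is the part to keep even if the registry values turn out to be ignored on a given build: if a private address comes back after a restart, the server is still self-registering and the records will have to be removed by hand until the registration path is actually disabled.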
    Either way, the DNS server is self registering into the zone.
    If the DNS server is multihomed (more than one NIC), you can
    possibly stop it by going into the zone's properties, Interface tab,
    and tell it to only listen on the external interface.

    Ace, if I'm not wrong (and judging from the OP's reply it seems to be the case) the box is sitting behind a NAT and has no public IP allocated on its NIC; it's just published through a NAT "port forwarding" rule, and that's why it keeps showing the private IP. Now, given the setup, I wonder if there may be a solution to the reported "issue" (let's call it so) other than publishing the DNS using routing in place of NAT and putting its public IP on the DNS server's network interface; given that the OP wrote that the server is sitting inside a DMZ (or maybe a screened network), it shouldn't be so difficult to modify the setup.

    In case it's a real DMZ, we'd have something like:

    internet
    |
    ext firewall (and router)
    |
    +--- DMZ hosts
    |
    int firewall (and usually NAT)
    |
    LAN

    So, changing the config on the ext firewall and using public IPs in the DMZ would solve the issue; the same goes in case we have a screened network (aka a three-legged firewall). In such a case we'd have:

    internet
    |
    wan NIC
    firewall (nat+router) -- DMZ nic -- DMZ hosts
    lan NIC
    |
    LAN

    and we'll just need to change the setup to have the three-legged box perform routing between the wan NIC and the DMZ NIC (while doing NAT between the LAN and the WAN) and, again, use public IPs inside the DMZ.

     

    Obi,

    I had to understand what the poster has before recommending anything. It appears he has a simple, single NIC DNS server port translating TCP 53 to the box. I forgot to mention to him he should also allow UDP 53 (for EDNS0). I used to use Windows DNS hosting about 50 zones years ago before I finally got tired of running the two servers (what the registrar requires) and handling the zones, attackers scanning ports, etc, and finally moved them to my registrar, Network Solutions.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, May 10, 2011 1:46 PM
  • I had to understand what the poster has before recommending anything.
    It appears he has a simple, single NIC DNS server port translating TCP
    53 to the box. I forgot to mention to him he should also allow UDP 53
    (for EDNS0).

    Well... I was exactly referring to his message stating he's using a single-NIC box sitting behind a NAT; as for the ports, yes, DNS needs both 53/udp and 53/tcp, and btw the same goes for outbound queries too, not just when it comes to publishing a DNS - ok, in the second case you'll have to allow them outbound at the firewall :)

    I used to use Windows DNS hosting about 50 zones years ago before
    I finally got tired of running the two servers (what the registrar
    requires) and handling the zones, attackers scanning ports, etc, and finally
    moved them to my registrar, Network Solutions.

    Oh well... I'm still running my DNS servers and keeping up a bunch of zones; anyhow, if you want to keep full control over your DNS and avoid publishing your own servers to the world (or even just have a single server) you may still use the "hidden DNS" approach; that is, set up whatever external, published DNS servers to act as "auth" for your zones (place them in the DNS zone and in the whois data) but set up your own DNS as the primary (the others will just be secondaries) and only open up the firewall to allow transfers from the secondaries, so "the world" will never be able to contact it; this solves the issues you reported... although, sincerely, I still prefer the classic approach :)

    Tuesday, May 10, 2011 2:46 PM
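The "hidden DNS" arrangement Obi describes, configured on a Windows DNS server with dnscmd, as an added example that is not part of his post. The primary keeps the master copy of the zone but is not listed in the delegation; zone transfers and NOTIFY are restricted to the two public secondaries, and the firewall in front of the primary only needs to pass port 53 from those two addresses. The secondary addresses 203.0.113.10 and 198.51.100.20 are documentation-range placeholders I chose, and the zone is assumed to already exist on the server.

```powershell
# Added example (not from the original thread): lock a Windows DNS primary
# down so that only its public secondaries can transfer the zone.
# Assumes the zone exists on this server and the secondaries below are
# placeholders (documentation ranges), not real hosts.

$Zone        = 'example.info'
$Secondaries = @('203.0.113.10', '198.51.100.20')

# Weak settings, for comparison (do not run): /NonSecure lets any host pull
# the whole zone with an AXFR; /SecureNs trusts whatever NS records are in
# the zone, which on a self-registering server may be exactly the wrong set.
#   dnscmd . /ZoneResetSecondaries $Zone /NonSecure /Notify
#   dnscmd . /ZoneResetSecondaries $Zone /SecureNs /Notify

# Hardened: transfers allowed only from the listed secondaries, and NOTIFY
# sent only to them. PowerShell expands the array into separate arguments.
& dnscmd . /ZoneResetSecondaries $Zone /SecureList $Secondaries /NotifyList $Secondaries

# Verify: the zone's NS set should name the secondaries and not this server,
# otherwise the "hidden" primary is still advertised to the world.
& dnscmd . /EnumRecords $Zone @ /Type NS

# Verify the transfer policy took effect (look for "secure secondaries" and
# the two addresses in the output).
& dnscmd . /ZoneInfo $Zone
```

With this in place the inbound firewall rule for the primary is "TCP and UDP 53 from the secondaries only"; nothing on the Internet needs to reach it directly, so the private-interface-address question from the original post stops mattering for the primary, and only the secondaries' records need to be correct.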
    True, the ports have to be allowed inbound/outbound. However, I would imagine outbound would be handled by default, including if EDNS0 is allowed or supported (inbound/outbound).

    As for the DNS zones, I moved them to reduce energy consumption at my home office. The bill was just getting too high running numerous servers, including the cost of the T1 line I had (this was in the 2001 - 2004 timeframe). I think I was able to reduce my monthly nut by close to $1000/mo by getting rid of the T1, moving my zones to my registrar, shutting down 4 servers, selling 3 of the servers, shutting down and selling peripherals (KVM, tape backup, etc), and getting a cable line for internet access for my home office. :-)

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, May 10, 2011 3:14 PM
    True, the ports have to be allowed inbound/outbound. However,
    I would imagine outbound would be handled by default, including
    if EDNS0 is allowed or supported (inbound/outbound)

    Well, sure... I just added that to ensure our OP would set things up as needed, nothing more (ok, maybe I'm too pedantic at times :D)

    As for the DNS zones, I moved them to reduce energy consumption
    at my home office. The bill was just getting too high running numerous

    Well... when I wrote "my DNS servers" I didn't refer to some pieces of iron I have here but to some VMs hosted elsewhere on which the DNS servers are running :D - but yes, running critters "in house" is a cost which may be reduced a lot, especially nowadays with all the virtual host and cloud offers around :D

    Tuesday, May 10, 2011 3:45 PM
    Referring to Ace's advice, modifying the registry is not working at all. Whenever I restart the DNS server, the private IP address is still being registered in the DNS.

    Any suggestion...?

     

     

    Friday, May 13, 2011 8:18 AM
    Referring to Ace's advice, modifying the registry is not working at all. Whenever I restart the DNS server, the private IP address is still being registered in the DNS.

    Any suggestion...?


    Didn't work? What operating system is it, and what service pack is installed? If Windows 2008 SP2, try this registry setting:

    Tcpip\Parameters
    The following registry entries are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.

    RegistrationEnabled    (This DWORD registry entry is a global setting that affects all interfaces on a machine.)
    Value = 0   (Disabled = 0, Enabled =1)

    For more information on the registry settings outlined above, and other settings, please see this article:
    Windows 2003 & 2008 DNS Registry Settings:
    http://technet.microsoft.com/en-us/library/dd197418(WS.10).aspx
    If you continue to have a problem, please see this article:
    All IP addresses are registered on the DNS servers when the IP addresses are assigned to one network adapter on a computer that is running Windows Server 2008 SP2 or Windows Vista SP2
    http://support.microsoft.com/kb/975808/EN-US

     

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Friday, May 13, 2011 2:14 PM
    It's Windows Server 2003 SP2.
    Friday, May 13, 2011 9:45 PM