DNS forwarders

  • Where would YOU send your forwarders and why? Assume the following setup:

    • external namespace:  company.com
    • internal namespace:  corp.company.com
    • your internal network is Active Directory-integrated.
    • you've got two name servers sitting on the exterior network that are authoritative for company.com; they handle MX, A, and other Internet records.  They are Windows 2008 Servers running DNS only.  They are not joined to any domain.  They're on the DMZ, for illustrative purposes.
    • the internal DNS servers handle internal requests

    But, who would handle requests that go outside?  All my workstations point to my internal DC's for resolution, but who do the DC's use for resolution for external requests?  Do they point to my ISP?  Do I specify the ISP's DNS server as a forwarder, or do I enter that as statically configured DNS settings on the DC's NIC?

    Can I use the external name servers in my DMZ as a Forwarder, or alternatively as statically configured DNS settings on the DC?

    What if I didn't have external name servers?  I'd have to use the Registrar as the authoritative name holder.  Who then would I use as a forwarder or statically configured DNS setting?

    Lastly, what if I used the same internal and external name spaces, and used a split-brain DNS?  What would you do for external name resolution in that case?


    Thursday, July 07, 2011 5:52 PM

All replies

  • Hello,

    either you use the root hints or the forwarders are set to your ISP or another public DNS server so external domain names can be resolved.

    If you have a public domain name registered is not important for this.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Thursday, July 07, 2011 6:25 PM
  • Agree with Meinolf.  There is no right/wrong answer...  I personally prefer to use Root Hints as to not depend on the ISP's/Public DNS servers for information.  Not that I have encountered this, but if the forwarders you point to ever get compromised, they would be sending your DNS server poisoned data.  The downside to using root hints is that name resolution may take a bit longer as there will be referrals involved in the process.  If you forward to your ISP/Public DNS, you are taking advantage of their cache.


    Can I use the external name servers in my DMZ as a Forwarder, or alternatively as statically configured DNS settings on the DC?

    You would not want to use your External DNS servers to be used in internal name resolution.  As a matter of fact, you should disable recursion (Advanced Tab).  You only want the external DNS servers to resolve queries for zones they host.  If you do not disable recursion, anyone on the internet can use your DNS servers to resolve any query.  You really don't want that config, unless you are an ISP servicing DNS for your customers.


    What if I didn't have external name servers? I'd have to use the Registrar as the authoritative name holder. Who then would I use as a forwarder or statically configured DNS setting? 

    If you decide to go with the forwarders configuration, it is customary to forward to your ISP or public DNS server (Google, Level 3 communications, OpenDNS, etc...)


    Lastly, what if I used the same internal and external name spaces, and used a split-brain DNS? What would you do for external name resolution in that case? 

    Ok, so if you host the same domain internally and externally, that's fine.  Your internal zone will host all of the internal and external records.  Your external zone will ONLY contain the external records.  People on the internet will hit your external DNS servers when they need to resolve your external records (MX, A records for your web, ftp, etc..)



    Visit: anITKB.com, an IT Knowledge Base.
    Thursday, July 07, 2011 6:53 PM
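The "disable recursion on the external servers" advice above, as an added example that is not part of the thread: it turns recursion off on the two DMZ authoritative servers and then checks that they still answer for company.com but no longer resolve foreign names. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT), and the host names and test name are assumed placeholders; the dnscmd line in the comment is the equivalent for the Windows 2008 servers in the thread.

```powershell
# Added example (not from the thread): make the DMZ authoritative servers
# non-recursive so they only answer for the zones they host.
# Equivalent on the Windows Server 2008 boxes in the thread:
#   dnscmd <server> /Config /NoRecursion 1
$dmzServers = @("dmz-ns1.company.com", "dmz-ns2.company.com")   # assumed names

foreach ($srv in $dmzServers) {
    # With recursion off the server will not chase answers for other people's
    # zones, so it cannot be used as an open resolver from the Internet.
    Set-DnsServerRecursion -ComputerName $srv -Enable $false

    $state = Get-DnsServerRecursion -ComputerName $srv
    Write-Host "$srv recursion enabled: $($state.Enable)"

    # Check 1: a record in the zone the server hosts must still resolve.
    $own = Resolve-DnsName -Name "www.company.com" -Server $srv -DnsOnly -ErrorAction Stop
    $ownIp = $own | Where-Object { $_.Type -in "A", "AAAA" } |
             Select-Object -First 1 -ExpandProperty IPAddress
    Write-Host "$srv answers for its own zone: $ownIp"

    # Check 2: a name outside its zones must NOT come back with an address.
    try {
        $foreign = Resolve-DnsName -Name "www.example.net" -Server $srv -DnsOnly -ErrorAction Stop
        if ($foreign | Where-Object { $_.Type -in "A", "AAAA" }) {
            Write-Warning "$srv still resolves foreign names - recursion is not off"
        } else {
            Write-Host "$srv returned no address for a foreign name (expected)"
        }
    } catch {
        Write-Host "$srv did not resolve the foreign query (expected): $($_.Exception.Message)"
    }
}
```

Run the same two Resolve-DnsName checks from a host outside the DMZ as well, since that is the vantage point the "open resolver" concern is about.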
  • I forgot to mention something.  We'd often had the DC point to itself, and then used the ISP's DNS as the forwarder.

    So, to summarize what you're telling me, I have the following options (assuming all internal machines point to the DC's):

    1. use the 13 root DNS servers (root hints)
    2. use a public DNS like the ones mentioned above
    3. use your ISP's DNS servers (the typical option)

    I need some clarification on the following statement:

    "...You would not want to use your External DNS servers to be used in internal name resolution. As a matter of fact, you should disable recursion (Advanced Tab). You only want the external DNS servers to resolve queries for zones they host. If you do not disable recursion, any one on the internet can use your DNS servers to resolve any query. You really dont want that config, unless you are an ISP servicing DNS for your customers...."

    The theoretical setup would have 2 DNS servers sitting on the DMZ.  Their only purpose is to serve as authorities for my company's Internet records.  They would not provide any resolution for internal clients.  They could however, in theory, serve as an external name resolver for my DC's.  Is that a bad design method?  It seems like that is what you're saying, because without recursion disabled, anybody could use my external DNS servers as resolvers, which I guess would increase my attack surface and bandwidth usage...  Is there a way to allow those external DNS servers to act as the forwarders for my DC's without exposing them, while still serving as the Internet record authority for my domain?

    Thursday, July 07, 2011 8:03 PM
  • Correct on the 1,2, and 3 option.

    With regard to the clarification...

    your statement.. "They could however, in theory, serve as a external name resolvers for my DC's." -  No, I do not recommend that.  If they are used as external name resolvers for your DCs, that would mean that you could not disable recursion.  If you do not disable recursion, that would mean that I can use your DNS servers to service me for all internet related queries. 


    your question..."Is there a way to allow those external DNS servers to act as the forwarders for my DC's without exposing them, while still serving as the Internet record authority for my domain?" - I can't think of any way possible to do that with just basic forwarding...However, we haven't talked about conditional forwarding....

    Since your internal domain and external domain are different, what you would do is set up conditional forwarding on your internal DNS servers pointing the domain company.com to your external DNS servers.  All other domains will use root hints for name resolution.



    Visit: anITKB.com, an IT Knowledge Base.
    Thursday, July 07, 2011 8:14 PM
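The design JM lays out above (conditional forwarder for company.com to the DMZ servers, root hints for everything else), together with the three options the original poster summarised, as an added example that is not part of the thread. It assumes the DnsServer PowerShell module on an AD-integrated DC; the DC name and the DMZ/ISP addresses are placeholders from the TEST-NET ranges.

```powershell
# Added example (not from the thread): internal DNS configuration where only
# company.com is forwarded to the DMZ authoritative servers. Because those
# servers are only ever asked about their own zone, they can stay non-recursive.
$dc            = "dc1.corp.company.com"              # assumed DC name
$dmzServers    = @("203.0.113.10", "203.0.113.11")   # placeholder DMZ authoritative servers
$ispServers    = @("198.51.100.53", "198.51.100.54") # placeholder ISP/public resolvers
$useForwarders = $false   # $false = option 1 (root hints); $true = option 2/3 (forwarders)

# Conditional forwarder zone: queries for company.com and below go to the DMZ.
$zone = Get-DnsServerZone -ComputerName $dc -Name "company.com" -ErrorAction SilentlyContinue
if (-not $zone) {
    Add-DnsServerConditionalForwarderZone -ComputerName $dc -Name "company.com" `
        -MasterServers $dmzServers -ReplicationScope "Forest"
}

if ($useForwarders) {
    # Option 2/3: every other unresolved query goes to the ISP/public resolvers.
    Set-DnsServerForwarder -ComputerName $dc -IPAddress $ispServers
} else {
    # Option 1: no global forwarders, so the server iterates from the root hints.
    $current = (Get-DnsServerForwarder -ComputerName $dc).IPAddress
    if ($current) {
        Remove-DnsServerForwarder -ComputerName $dc -IPAddress $current -Force
    }
    $hints = @(Get-DnsServerRootHint -ComputerName $dc)
    Write-Host "Root hint servers present: $($hints.Count)"
}

# Verification from the DC's point of view.
Get-DnsServerForwarder -ComputerName $dc | Format-List IPAddress, UseRootHint
Get-DnsServerZone -ComputerName $dc -Name "company.com" |
    Format-List ZoneName, ZoneType, MasterServers
Resolve-DnsName -Name "www.company.com"  -Server $dc -DnsOnly   # via the conditional forwarder
Resolve-DnsName -Name "www.example.net"  -Server $dc -DnsOnly   # via root hints or ISP forwarders
```

If the two namespaces were identical (the split-brain case from the original question), the conditional forwarder is not needed: the internal servers would host company.com themselves with all internal and external records, exactly as JM describes.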
  • DNS is the heart of AD & AD depends on DNS to advertise its services to the domain clients. For resolving external domain names it uses root hints & forwarders (ISP DNS address). You would not like to set up your DNS for external domain name resolution, i.e. public facing, & the reason given by JM is valid: hardware cost, maintenance, security cost etc. In general it's mostly the ISP's DNS chosen because they already got the setup & they are in this business.

    If you want to setup your DNS for external domain resolution, you have to allow it to talk to internet & there is going to be security issues.

    You might have heard of Split-Brain DNS.

    http://msdn.microsoft.com/en-us/library/ms954396.aspx


    Regards  


    MVP-Directory Services 

    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Friday, July 08, 2011 5:10 AM
  • FWIW, Microsoft "recommends" the use of forwarders via their DNS Best Practice Analyzer:



    Mike Crowley | MVP
    My Blog -- Planet Technologies

    Tuesday, November 29, 2011 11:28 PM