  • Resolving names in DMZ

    Let's say that I have a network like this:

    Let's also say that I own a domain named "domain.com". Now I have decided that I will name my private domain "corp.domain.com" and I also created a primary forward lookup zone with the same name. My web server located in the DMZ will not be part of that domain (or any domain for that matter) and its name is "web1".

    I would like my private DNS to resolve "web1". For example, when users on private LAN type "www.domain.com" in their browser they should see the proper web page. So the idea is to make my internal DNS resolve names in DMZ without going out on the internet or use forwarding.

    How should I do this? What is the standard way (if there is any)?

    Should I create another primary lookup zone for my internal DNS named "domain.com" or have another DNS just for "domain.com" namespace?

  • #2
    Re: Resolving names in DMZ

    You will need a "domain.com" zone and static A records for "www" pointing at the web server's IP.
    This can all be done on your existing DNS server.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

  • #3
    Re: Resolving names in DMZ

    If I understand you correctly, you want to use one DNS server to service Internet and Intranet clients. If that is the case, I do not recommend that design. Any zone hosted on the Internet DNS server will be exposed to the internet.

    A better approach is to have a dedicated intranet DNS server for your clients. The intranet server could be configured to do "Conditional Forwarding, not Forwarding" to the internet DNS server specially for the domain "domain.com". The reason being that you probably should turn off Recursion on the internet DNS server so that internet clients are only able to get responses from that server, strictly for the zones that are hosted there.

    If you turn off recursion, then you will not be able to use Forwarding from the intranet DNS server. However, Conditional Forwarding will work by not having your intranet DNS server go all the way out to the internet to find your internet DNS server.
    Last edited by [JM]; 24th January 2011, 18:11.
    JM @ IT Training & Consulting
    http://www.itgeared.com

  • #4
    Re: Resolving names in DMZ

    AFAIK all he wants to do is to resolve his IIS server (public web site) in the DMZ from inside his corporate network -- no mention of providing resolution to external clients.
    Tom Jones

  • #5
    Re: Resolving names in DMZ

    Ossian is right. It's just a matter of letting internal users have direct access to the corporate web without going out on the internet for name resolution.

    @[JM]...you definitely make valid points. There is no problem for the external users.

  • #6
    Re: Resolving names in DMZ

    Yes, after re-reading your post and others in this thread, I have a better idea of what you are trying to accomplish.

    All you would need to do is define a zone for that domain on your internal DNS server. This is called "split-DNS".

    For this design, you will need to maintain the same host records on two infrastructures. When you update a record on your external DNS server, you will need to update the internal one as well.
    Last edited by [JM]; 24th January 2011, 18:12.
    JM @ IT Training & Consulting
    http://www.itgeared.com
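The split-DNS setup described in #2 and #6, as an added example that is not code from this thread or from either poster: two constructed zone snippets stand in for the external copy of "domain.com" and the internal copy, the internal copy answers "www.domain.com" with the DMZ address without any recursion, and a drift check lists the hostnames the external zone publishes that the internal zone has not been given yet (the maintenance burden #6 warns about). Zone contents and addresses are invented sample data.

```python
"""Split-DNS check: internal zone answers locally, drift vs external zone."""
import re

# Constructed sample: what the internet-facing DNS server publishes.
EXTERNAL_ZONE = """
$ORIGIN domain.com.
@     IN  NS  ns1.domain.com.
ns1   IN  A   203.0.113.2
www   IN  A   203.0.113.10
mail  IN  A   203.0.113.20
"""

# Constructed sample: the internal copy. "www" points at the DMZ host
# so intranet clients never leave the network for this name.
INTERNAL_ZONE = """
$ORIGIN domain.com.
@     IN  NS  dns1.corp.domain.com.
www   IN  A   192.0.2.10
"""

RECORD_RE = re.compile(r"^(\S+)\s+IN\s+(A|AAAA|CNAME|NS)\s+(\S+)$")


def parse_zone(text):
    """Return {(fqdn, rtype): value} for a minimal $ORIGIN-style zone."""
    origin, records = "", {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue  # unsupported record type or comment; ignore
        name, rtype, value = m.groups()
        fqdn = origin if name == "@" else f"{name}.{origin}"
        records[(fqdn, rtype)] = value.rstrip(".")
    return records


def resolve(zone_records, fqdn, rtype="A"):
    """Answer from the hosted zone only, i.e. no recursion or forwarding."""
    return zone_records.get((fqdn.rstrip("."), rtype))


def zone_drift(external, internal, ignore_types=("NS",)):
    """Names published externally that the internal zone does not answer."""
    return sorted(name for (name, rtype) in external
                  if rtype not in ignore_types and (name, rtype) not in internal)
```

Running `zone_drift(parse_zone(EXTERNAL_ZONE), parse_zone(INTERNAL_ZONE))` on the sample data reports `mail` and `ns1` as missing internally, which is the list an administrator would work through after changing the external zone.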
