Active directory integrated DNS for public DNS server

  • Active directory integrated DNS for public DNS server

    Hi All,

    Here is my scenario. I have 3 Windows 2003 DNS servers sitting in DMZ behind firewalls in 3 different locations and are all accessible to the public for dns resolutions of our many domain names. I have now decided to upgrade all three to windows 2008 active directory integrated DNS for easier replication, security and other advantages of AD DNS.

    So I'm doing this on a test environment first and have built a w2k8 domain controller with a .local domain and created all the zones for our public domain names. DNS query is working nicely but when I do an nslookup for a domain name hosted on this server (ex. justtesting.com), I get both the .com dns server name and the .local dns server name for the nameservers of this domain.

    I want only the .com address of the DNS server to show when I do an nslookup and not the .local name as well (active directory domain). Any ideas how to do this or is it not possible? Is it actually advisable to use active directory DNS for a publicly hosted DNS? (the servers are not part of my internal domain).

  • #2
    Re: Active directory integrated DNS for public DNS server

    78 hits and no response?...wow, what happened to petri site



    • #3
      Re: Active directory integrated DNS for public DNS server

      Originally posted by obs400:
      78 hits and no response?...wow, what happened to petri site
      Maybe a bit confused about your unusual setup? 3 DNS servers on the DMZ (are you a hosting company)? Why would you have that setup and what sort of queries are they authoritative for? Also, it is not a good idea making the zone AD-integrated as it'll expose internal info!
      Last edited by L4ndy; 8th February 2010, 15:58.
      Caesar's cipher - 3

      ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

      SFX JNRS FC U6 MNGR



      • #4
        Re: Active directory integrated DNS for public DNS server

        Thanks for your reply....appreciated. No, we are not a hosting company but we do have about 30 sites of our own that we host. The 3 DNS servers are just for redundancy and load sharing and are located in different locations. I think you have a good point about AD integrating them not being a good idea based on what I have seen so far in my test environment. I was planning the AD method for added security of the records, efficiency, and faster replication but I can't seem to solve the problem of not letting DMZ address records for the servers show during a DNS test.

        If no way to solve the problem then I will abandon the idea.



        • #5
          Re: Active directory integrated DNS for public DNS server

          I think you should abandon the idea as placing your AD servers in a DMZ where the public can access them is a massive no-no in my book.

          If you really need to have the DNS servers then have a separate server for them in the DMZ and allow only the necessary port 53 (I think) through your firewall.



          • #6
            Re: Active directory integrated DNS for public DNS server

            Personally I wouldn't even have these DNS servers as domain members. I'd leave them standalone and the only contact with the internal network would be using these servers as conditional forwarders for the domains they are authoritative for on the internal DNS servers.

            I've seen a few cases recently where nslookup has returned odd results on 2008 servers leading me to doubt its reliability. I suspect the problem is that 2008 defaults to IPv6 unless told otherwise, even if only IPv4 addresses are configured. Whether or not this is relevant to your problem I'm not sure - I don't have any servers hosting public DNS zones that I can test on.
            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
            Cruachan's Blog
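            The leak the original poster saw (the AD server's .local name turning up in the public zone's NS records) and L4ndy's warning that AD integration exposes internal info can be checked for before a zone goes live. The following Python audit is an added example, not code from the thread or from any Petri member: it parses a constructed zone-file excerpt (the names, addresses and "corp.local" suffix are made up) and reports records that name an internal namespace or carry an RFC 1918 address.

```python
import ipaddress
# Constructed zone-file sample (not from the thread): public NS record plus a leaked .local name.
SAMPLE_ZONE = """\
@                 IN  NS  ns1.justtesting.com.
@                 IN  NS  dc01.corp.local.   ; AD name leaked into the public zone
ns1               IN  A   203.0.113.10
dc01.corp.local.  IN  A   10.0.0.5           ; glue record for the leaked name
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def qualify(name, origin):
    """Lower-case FQDN without trailing dot; '@' and relative names take the zone origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Minimal zone-file parser -> [(owner, type, rdata)]; skips comments, optional TTL and class."""
    records = []
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()          # drop ';' comments, tokenize
        if not tokens:
            continue
        owner = qualify(tokens.pop(0), origin)
        if tokens[0].isdigit():                         # optional TTL column
            tokens.pop(0)
        if tokens[0].upper() == "IN":                   # optional class column
            tokens.pop(0)
        records.append((owner, tokens[0].upper(), " ".join(tokens[1:])))
    return records

def in_namespace(name, suffixes):
    return any(name == s or name.endswith("." + s) for s in suffixes)

def find_internal_leaks(zone_text, origin, internal_suffixes=("local",)):
    """(owner, type, value) for NS targets in an internal namespace and for A/AAAA records in it or with RFC 1918 addresses."""
    leaks = []
    for owner, rtype, rdata in parse_zone(zone_text, origin):
        value = rdata.rstrip(".").lower()
        if rtype == "NS" and in_namespace(value, internal_suffixes):
            leaks.append((owner, rtype, value))
        elif rtype in ("A", "AAAA"):
            try:
                private = any(ipaddress.ip_address(value) in net for net in RFC1918)
            except ValueError:                          # rdata is not an address literal
                private = False
            if private or in_namespace(owner, internal_suffixes):
                leaks.append((owner, rtype, value))
    return leaks
```

            Run `find_internal_leaks(SAMPLE_ZONE, "justtesting.com")` to see both the leaked NS record and its glue A record flagged; pass the AD domain name in `internal_suffixes` to match your own forest.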
