DNS on the Firewall - What settings?

 
 
andy.lisowski@gmail.com

 
      03-19-2007, 04:11 PM


I am trying to get a better grasp of DNS lately. Currently, one
of the places I do consulting at has the following configuration.....

1 Windows 2000 Global Catalog Server. This acts as the DNS and DHCP
server. Forward lookup Zones configured.
1 Sonicwall 2040 Firewall.
50 or so Windows 2000 and Windows XP Workstations.
4 Windows 2003 Server machines

Now, when I started to work here, all of the Servers had Static IP's
(Of course) with pointers to two external DNS Servers as well as the
Internal DNS Server. The GCS's DHCP was also set up to have the
workstations be assigned the three different DNS Servers (The Internal
and two external). I took the Externals off of all of the Servers and
gave a few workstations static IP's with only the GCS listed under DNS
Servers. They seem to be fine. You do want to avoid listing external
DNS sources, correct?

How should the DNS be set up on the Firewall? The current
configuration is this....

DNS Server 1 - External DNS Server
DNS Server 2 - External DNS Server

I am running a monitoring type thing on the firewall too that uses DNS
to tell me who is going where on the internet, or what on the
internet is trying to violate who internally.

DNS Server 1 - External DNS Server
DNS Server 2 - 255.255.255.255
DNS Server 3 - Internal DNS Server

The Firewall does not assign any DHCP addresses or anything. It acts
as an Internet Gateway, VPN Solution, action logging, and Content
Filtering device. What does it need for DNS Servers? What does the
255.255.255.255 do for it? How could I change the set up here to be
better?

Andy

 
 
 
 
 
Phillip Windell

 
      03-20-2007, 12:56 PM
<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> How should the DNS be set up on the Firewall? The current
> configuration is this....


It is extremely simple.

*All* machines on the LAN (*all*) point to the internal AD/ DNS Server for DNS
and nothing else.

The AD/DNS Servers use the ISP's DNS IP# in the Forwarders List within the
config of the DNS Services.

The Firewall must allow (at a minimum) the AD/DNS machines to make outbound DNS
queries to the ISP's DNS.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed (as annoying as they are, and as stupid as they sound), are
my own and not those of my employer, or Microsoft, or anyone else associated
with me, including my cats.
-----------------------------------------------------


 
 
Andy

 
      03-23-2007, 05:25 AM
On Mar 20, 8:56 am, "Phillip Windell" <@.> wrote:
> <andy.lisow...@gmail.com> wrote in message
>
> news:(E-Mail Removed) ups.com...
>
> > How should the DNS be set up on the Firewall? The current
> > configuration is this....

>
> It is extremely simple.
>
> *All* machines on the LAN (*all*) point to the internal AD/ DNS Server for DNS
> and nothing else.
>
> The AD/DNS Servers use the ISP's DNS IP# in the Forwarders List within the
> config of the DNS Services.
>
> The Firewall must allow (at a minimum) the AD/DNS machines to make outbound DNS
> queries to the ISP's DNS.
>
> --
> Phillip Windell [MCP, MVP, CCNA]www.wandtv.com
>
> The views expressed (as annoying as they are, and as stupid as they sound), are
> my own and not those of my employer, or Microsoft, or anyone else associated
> with me, including my cats.
> -----------------------------------------------------


Thanks. I have some reservations about pulling the plug on the DHCP
assigned external DNS servers as I walked into this environment and
the guy who knows a little about the stuff claims that they did that
for a reason. I cannot imagine what the reason is. I've assigned a
few machines to static IP setups with only the internal server as a
DNS server and all seems ok.

Does the Firewall need any external DNS?

Carnage

 
 
Phillip Windell

 
      03-23-2007, 03:49 PM
"Andy" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Thanks. I have some reservations about pulling the plug on the DHCP
> assigned external DNS servers as I walked into this environment and
> the guy who knows a little about the stuff claims that they did that
> for a reason. I cannot imagine what the reason is. I've assigned a
> few machines to static IP setups with only the internal server as a
> DNS server and all seems ok.


Yea, testing with a few static machines is good. But I'm sure you'll be fine.

> Does the Firewall need any external DNS?


Depends on the type of firewall. A hardware box probably doesn't even need to
resolve names at all,..you can't exactly sit at it like a workstation and
"browse the net" with it. Firewall products like ISA Server and other PC based
firewall products could have a good reason for having DNS. ISA certainly needs
it because it provides the best security when being a Domain Member, so it needs
DNS,..and it needs the Internal DNS. So, the firewall would use the internal
DNS just like any other machine on the LAN. It is only the DC/DNS that ever
makes DNS queries to the outside and it is done via the Forwarders List entries
or by using Root Hints.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed (as annoying as they are, and as stupid as they sound), are
my own and not those of my employer, or Microsoft, or anyone else associated
with me, including my cats.
-----------------------------------------------------
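
An added example, not part of either poster's messages: a small audit of the layout described in the replies above, checking that clients list only the internal DNS server and that only that server sends port-53 traffic out through the firewall. All addresses, the `ipconfig /all` excerpt and the flow records are constructed, and the check assumes the DNS server uses a Forwarders List rather than Root Hints.

```python
import re

# Assumed addresses for illustration (none of these come from the thread).
INTERNAL_DNS = {"192.168.1.10"}                 # the AD/DNS server
FORWARDERS = {"203.0.113.53", "203.0.113.54"}   # ISP resolvers in the Forwarders List

# Constructed sample: trimmed `ipconfig /all` output from a DHCP client that
# is still handed the internal server plus two external resolvers.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.50
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            203.0.113.53
                                            203.0.113.54
        Lease Obtained. . . . . . . . . . : Monday, March 19, 2007 8:00:00 AM
"""

# Constructed outbound flows seen at the firewall: (source, destination, dest port).
SAMPLE_FLOWS = [
    ("192.168.1.10", "203.0.113.53", 53),    # DNS server -> forwarder: expected
    ("192.168.1.50", "203.0.113.54", 53),    # workstation bypassing internal DNS
    ("192.168.1.10", "198.51.100.7", 53),    # DNS server -> resolver not in the list
    ("192.168.1.50", "198.51.100.20", 443),  # not DNS, ignored
]

def dns_servers(ipconfig_text):
    """Return an adapter's IPv4 DNS servers, including indented continuation lines."""
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
        elif collecting and re.fullmatch(r"\s+[0-9.]+", line):
            servers.append(line.strip())
        else:
            collecting = False
    return servers

def external_resolvers(ipconfig_text):
    """DNS servers on a client that are not the internal AD/DNS server."""
    return [s for s in dns_servers(ipconfig_text) if s not in INTERNAL_DNS]

def dns_policy_violations(flows):
    """Port-53 flows that are not 'internal DNS server -> listed forwarder'."""
    return [f for f in flows
            if f[2] == 53 and not (f[0] in INTERNAL_DNS and f[1] in FORWARDERS)]
```

If the DNS server resolves through Root Hints instead, drop the `FORWARDERS` condition and flag only port-53 flows whose source is not the DNS server.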


 