Networking Forums

DNS in two domains (one on a DMZ)

Rich
07-08-2004, 04:42 PM
I am wondering about the correct DNS settings for a network with two
domains.
I have an internal domain (DC 172.16.0.1) and a DMZ domain (DC 192.168.0.1).

1. I am going to use ISA server to publish a web server from the DMZ out to
the internet. It will access SQL server data on the internal network, which
it will access through a publishing rule on the internal ISA server.

2. I would like my internal clients to access the same web server on the
DMZ.

I have read articles on DNS and DMZs, but am still a little unsure about the
exact setup that I need.

I started going down the route of assuming I needed to put a forwarder onto
my internal DNS server. This should point to a caching server on the DMZ.
The caching server should have a forwarder to the internet. I have tried
this, but cannot load the stub zone from the master. (I added two server
publishing rules for DNS onto the internal server.)

Perhaps I have got the wrong end of the stick. Can anyone point me in the
right direction?

Rich
Phillip Windell
07-08-2004, 09:34 PM

"Rich" <RWad@RWcom> wrote in message
news:(E-Mail Removed)...
> I am wondering about the correct DNS settings for a network with two
> domains.
> I have an internal domain (DC 172.16.0.1) and a DMZ domain (DC 192.168.0.1).
>
> 1. I am going to use ISA server to publish a web server from the DMZ out to
> the internet. It will access SQL server data on the internal network, which
> it will access through a publishing rule on the internal ISA server.


That depends on *which* ISA on what *kind* of DMZ.

Here are the variations, and each is handled differently:
1. Back-to-Back with 2 ISA's (one on each end)
2. Back-to-Back with 2 firewalls (one on each end, no ISA)
3. Back-to-Back with 1 ISA, 1 firewall (firewall on Internet end)
4. Back-to-Back with 1 ISA, 1 firewall (ISA on Internet end)
5. Tri-Homed DMZ using a firewall (no ISA)
6. Tri-Homed DMZ using an ISA (no hardware firewall)

Then just for fun you can have a Back-to-Back and a Tri-Homed at the same
time using any combination of the above, which brings you up to about 14
different types of DMZs.

> I started going down the route of assuming I needed to put a forwarder onto
> my internal DNS server. This should point to a caching server on the DMZ.
> ................
> this, but cannot load the stub zone from the master. (I added two server
> publishing rules for DNS onto the internal server.)


You don't "publish" any DNS.
All clients point to the Internal DNS, which in turn uses a Forwarder to the
DNS on the DMZ, which in turn uses a Forwarder to the ISP's DNS.

That is the best I can tell you with something like this. If I was in that
position I would go way, way, out of my way to create a simpler situation.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
ObiWan
07-09-2004, 09:07 AM


<snippage>
> You don't "publish" any DNS.
> All clients point to the Internal DNS, which in turn uses a Forwarder to the
> DNS on the DMZ, which in turn uses a Forwarder to the ISP's DNS.
>
> That is the best I can tell you with something like this. If I was in that
> position I would go way, way, out of my way to create a simpler situation.


FULLY agreed !!!

Also, consider setting up TWO DNS servers on the DMZ: one will
host the AD data and won't be published but only used as above,
while the second one will only contain the public zone data and
will be published; also be sure to set up the packet filtering to allow
incoming queries on 53 UDP _and_ TCP. I've seen published DNS
without the TCP rule too often, and such a thing may cause a whole
lot of strange problems.

Regards
Phillip Windell
07-09-2004, 04:06 PM
Hey Guy! It's been a while!

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Rich
07-09-2004, 04:19 PM
ObiWan and Phillip,
Thanks for your responses.
The structure I have is a simple Back-to-Back with an ISA server on each
end.
My understanding was that a split DNS structure was the most secure in this
situation.
In order to create this I would need to create a stub zone on the DNS Server
in the DMZ. As a result of this, I would need to create a server publishing
rule in order to allow for the DNS query and DNS zone transfers to occur
between the two different subnets.

At first, in the lab scenario, I just wanted to get this going. After that I
intended to put two DNS servers into the DMZ (one as an advertiser and one
as a resolver (cache-only forwarder to the internet)), which I believe is the
structure that ObiWan is talking about. I have already created the packet
filtering that he mentions.

I'll go back and have a look at this. I think theoretically this should
work.
Unfortunately I do not have any precise questions at the moment.


Rich
ObiWan
07-09-2004, 04:27 PM
> Hey Guy! It's been a while!

Yeah Phil :-) and I've good news;
I received the MVP award for
windows server - networking :-) !!

Didn't update my sig yet though <g>
ObiWan
07-09-2004, 04:32 PM
> ObiWan and Philip
> Thanks for your responses.


You're welcome!

> At first in the lab scenario i just wanted to get this going. after
> that I intended to put two DNS servers into the DMZ (one as an
> advertiser and one as a resolver (cache only forwarder to the
> internet)) which I believe is the structure that ObiWan is talking
> about. I have already created the packet filtering that he mentions.


Yes, that's what I was talking about, you got it right ;-)

> I'll go back and have a look at this. I think theoretically this
> should work. Unfortunately I do not have any precise
> questions at the moment.


Oh well ... feel free to come back and ask if/when you need
more help. I'm usually "lurking" on win2000.dns, but from time
to time I read posts here too .. and btw there's Phil and all the
other good fellows, so ... ask whenever you need ;-)

* ObiWan

MVP 10484: Windows Server - Networking
Phillip Windell
07-09-2004, 04:40 PM
Excellent! Try to make it to the next MVP Summit. It was in April this last
time; it's probably about the same time every year. MS typically pays for
all expenses after you get there. Hopefully we'll see each other there. My
MVP is still in the ISA/Proxy group, which seems to be loosely associated with the
Security group, but lately I spend most of my time in the more general
"networking" groups and I try to focus mostly on VPN/Routing/Topology
issues.

Currently I'm listed on MS's site with a picture at:

Meet the Experts
http://www.microsoft.com/technet/sec...p/default.mspx

So the picture may help you "spot" me. I'm sure I'll still look about as bad
next year :-)

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Phillip Windell
07-09-2004, 05:03 PM
"Rich" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> The structure I have is a simple Back to Back with an ISA server on each
> end.


Ok.

> My understanding was that a split DNS structure was the most secure in this
> situation.


Split DNS is used mainly when you have used the same FQDN on the private
network as you have on the Public Network. So just having more than one DNS
Server doesn't always mean it is the "split" type. Split-DNS is a specific
type of setup. DNS isn't my best area when it starts getting "deep", so
maybe some of the other guys here can help with that. Here is a link to an
article for using Split-DNS in an ISA environment:

[Those are underscores, not spaces between the words]
You Need to Create a Split DNS!
http://www.isaserver.org/tutorials/Y...Split_DNS.html

By the way, that is the actual name of the article,...I'm telling you that
you have to do that :-)

> In order to create this I would need to create a stub zone on the DNS Server
> in the DMZ. As a result of this, I would need to create a server publishing
> rule in order to allow for the DNS query and DNS zone transfers to occur
> between the two different subnets.


I would think that just a simple stand-alone DNS Server in the DMZ would be
used for resolving names on the DMZ. Your LAN's DNS would just have the
DMZ/DNS listed as a Forwarder. Then the DMZ/DNS would have the ISP's DNS
listed as a Forwarder. All your LAN Clients would only list the LAN/DNS
in their settings and would go to the LAN/DNS; if it doesn't resolve then it
goes to the DMZ/DNS via the Forwarder entry, and if it still doesn't resolve
then it goes to the ISP's DNS.

How to: Configure DNS for Internet Access In Windows 2000
http://support.microsoft.com/default...b;en-us;300202

I don't see that there needs to be any "transfers" or any Zones flying
around anywhere, and I don't think there needs to be any kind of "intimate
relationship" between any of the DNS's other than the contents of the
Forwarders lists. Just "Keep It Simple" as the saying goes. But like I
said, DNS isn't my best subject, so maybe others may have better ideas.

As far as ISA.....

The outermost ISA would publish any required Servers on the DMZ to the
Public Internet. The innermost ISA would not have any role in that. The
innermost ISA would publish any LAN Server that needs to be accessed from the
DMZ. The really bad thing is if a LAN Server needs to be published all the
way out to the Public Internet,...I would, as much as possible, avoid
creating a situation where that needs to be done. It can still be done, but
it seems "messy" to me.

Your LAN clients, when accessing resources, would not make any distinction
between Servers on the DMZ and Servers out in Internet-Land,...as far as
they are concerned it is all the Internet. The DMZ just looks like the
Internet to them.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
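Phillip's forwarder chain above (LAN DNS forwards to the DMZ DNS, which forwards to the ISP) together with ObiWan's earlier point that the published DNS must answer on 53 UDP and TCP, written up as an added PowerShell example that is not from either poster. It assumes the DnsServer and DnsClient modules of a current Windows Server (not present on the Windows 2000/2003 servers in the thread, where the same settings are made in the DNS console under server Properties > Forwarders), uses the two DC addresses from the thread, and treats the ISP resolver, the published DNS address and the public host name as placeholders.

```powershell
# Added example (not from the thread): LAN DNS -> DMZ DNS -> ISP forwarder chain,
# then the UDP-and-TCP 53 check. Requires the DnsServer/DnsClient modules
# (Windows Server 2012 or later); run from an admin host that can reach both DCs.
$LanDns = '172.16.0.1'        # internal DC/DNS (address from the thread)
$DmzDns = '192.168.0.1'       # DMZ DC/DNS (address from the thread)
$IspDns = '<ISP-DNS-IP>'      # placeholder: your ISP's resolver

# 1. The internal DNS forwards anything it is not authoritative for to the
#    DMZ DNS. Disabling root hints keeps it from trying the Internet itself.
Set-DnsServerForwarder -ComputerName $LanDns -IPAddress $DmzDns -UseRootHint $false

# 2. The DMZ DNS forwards to the ISP. It holds no copy of the internal zone,
#    so no stub zone or zone transfer has to cross the inner ISA.
Set-DnsServerForwarder -ComputerName $DmzDns -IPAddress $IspDns -UseRootHint $false

# Inspect the chain on both servers.
Get-DnsServerForwarder -ComputerName $LanDns
Get-DnsServerForwarder -ComputerName $DmzDns

# 3. Verify the path a LAN client takes: ask only the LAN DNS, once for an
#    Internet name and once for the DMZ web server's public name.
$PublicHost = 'www.yourpublicdomain.example'   # placeholder public host name
Resolve-DnsName -Name 'www.example.com' -Server $LanDns -Type A
Resolve-DnsName -Name $PublicHost -Server $LanDns -Type A

# 4. ObiWan's check, run from a host outside the outer ISA against the
#    published address: the advertiser DNS must answer over UDP and TCP.
$PublishedDns = '<PUBLISHED-DNS-IP>'           # placeholder: outer ISA's public IP
Resolve-DnsName -Name $PublicHost -Server $PublishedDns -Type A            # UDP 53
Resolve-DnsName -Name $PublicHost -Server $PublishedDns -Type A -TcpOnly   # TCP 53
Test-NetConnection -ComputerName $PublishedDns -Port 53                    # TCP reachability
```

If the -TcpOnly query times out while the UDP query succeeds, the packet filter is missing the TCP 53 rule ObiWan describes.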
ObiWan
07-12-2004, 07:08 AM
> Excellent! Try to make it to the next MVP Summit. It was in April
> this last time, it's probably about the same time every year.


Yes Phil, I was planning to be there this year (if time permits, but
I'll try hard :-)), so maybe we'll meet there next April (if the summit
date doesn't change, btw).

> My MVP is still in the ISA/Proxy which seem to be loosely associated
> with the Security group, but lately I spend most of my time in the more
> general "networking" groups and I try to focus mostly on VPN/Routing
> /Topology issues.


I see :-) I'm "lurking around" in the same fashion (mostly)


> Currently I'm listed on MS's site with a picture at:
>
> Meet the Experts
> http://www.microsoft.com/technet/sec...p/default.mspx
>
> So the picture may help you "spot" me. I'm sure I'll still look about
> as bad next year :-)


That one (not referring to your picture <g>) puzzled me. I've put my profile
info on the MVP site with "MVP visibility" (no picture yet, will put it
soon), but I wonder _where_ that info is visible (i.e. which website..).

Ok .. now we're really OT; feel free to drop me a mail, the address
works as long as you remove the "no spam" part ;-)