#1
We have 2 Windows 2003 boxes with Active Directory and DNS server on them. Our other servers are set up with these boxes as their DNS servers. I would like to set up another DNS zone so that the DNS servers can resolve the IP addresses of some servers externally (on the Internet, outside the firewall). This is to reduce the number of entries for machines that I would have to permit in the firewall ACL to do DNS lookups. What kind of zone would I set up? Primary, secondary or stub? Or is there a better way of achieving this?

GL

#2

Hi,

There is no need for another box. What you can do is open the DNS MMC and right-click on the DNS server name. From the menu select Properties and click on the Forwarders tab. Enter the IP address of e.g. your ISP's DNS server or any other DNS server on the internet that you want to use for resolving addresses on the internet. The next thing to make sure of is that you allow DNS queries from your DNS server to the internet.

Now let's say you use the internal domain name "domain.com". If a user queries for e.g. a.domain.com, where a is the name of a computer, then since your DNS server is authoritative for domain.com it will look into its own DNS and answer back with information about a.domain.com. The user is then interested in the DNS address for e.g. www.cnn.com. Again the client's DNS settings (under TCP/IP configuration) point to your Active Directory DNS. Your Active Directory DNS will receive the query for www.cnn.com and since it doesn't know anything about *.cnn.com it will forward the query to the server configured under Forwarders...

I hope this helps,
Mike

"GL" <(E-Mail Removed)> wrote in message news:92cc01c4d2d1$c8217450$(E-Mail Removed)...
> We have 2 Windows 2003 boxes with Active Directory and DNS
> server on them. Our other servers are setup with these
> boxes as their DNS servers. I would like to set up another
> DNS zone so that the DNS servers can resolve the IP
> addresses of some servers externally (on Internet, outside
> the firewall). This is to reduce the amount of entries for
> machines that I would have to permit in the firewall ACL
> to do DNS lookups. What kind of zone would I setup?
> Primary, secondary or stub? Or is there a better way of
> achieving this?

#3

Mike

Thank you for the information, I will set up forwarding as you have suggested. However, there are additional domains (that belong to us) that our DNS servers have to resolve to IP addresses. Our DNS servers are not authoritative for these domains but we do require a method whereby our other servers can resolve records from these domains. I have set up a primary zone for these other domains but was wondering if this was the correct zone type?

Regards

Gary

#4

Hi,

In the situation that you describe, you should not use a Primary Zone (an option would be a secondary zone). What I would probably do in your case is use Conditional Forwarding. This feature, which comes with the Windows 2003 DNS service, enables you to specify which DNS server should be contacted for a specific domain. To configure conditional forwarding, again open the DNS MMC, right-click on the name of the DNS server and select Properties from the menu. Click on the Forwarders tab and click on the New button. Enter the name of the domain that you need to resolve (e.g. abc.com) and in the window below enter the IP address of the DNS server for abc.com and then click Add. Repeat this for every "internal" domain that you need to resolve.

http://freeweb.siol.net/mpihler/dns.jpg

Remember, you don't have to enter DNS names for e.g. www.cnn.com if you have already configured forwarders (the part under "All other DNS domains") and entered the IP address of a DNS server on the internet (e.g. your ISP's DNS). Your clients should only have your Active Directory DNS configured as the preferred DNS (configuration under TCP/IP properties).

Feel free to post back with any additional questions...

I hope this helps,
Mike

"GL" <(E-Mail Removed)> wrote in message news:89d701c4d2ed$b7d46a50$(E-Mail Removed)...
> Mike
>
> Thank you for the information, I will setup forwarding as
> you have suggested. However there are additional domains
> (that belong to us) that our DNS servers have to resolve
> to ip addresses. Our DNS servers are not authoritive for
> these domains but we do require a method whereby our other
> servers can resolve records from these domains. I have set
> up a primary zone for these other domains but was
> wondering if this was the correct zone type?
>
> Regards
>
> Gary