RE: Internal DNS best practices

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 4 Oct 2005 11:02:41 -0500

Hi Danny,

What I would do is put a caching-only DNS server on the ISA firewall and
allow it to perform recursion. Then use that as a forwarder for the
internal DNS servers. If you don't want to do that, then commission a
DNS server that is not your Active Directory DNS server (dedicated, that
is) and use that as a forwarder. 

Then create Access Rules allowing the required DNS traffic from the
specific hosts requiring that access.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
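[Added worked example, not part of Tom's reply or the original thread.] The dnscmd and netsh commands below implement the forwarder chain Tom describes on Windows Server 2003 DNS: a caching-only server on the ISA firewall that does the Internet recursion, and the two AD DNS servers forwarding only to it. All addresses are assumptions: 10.0.0.1 is the firewall's internal interface, 10.0.0.10 and 10.0.0.11 are the AD DNS servers, and 203.0.113.53 / 203.0.113.54 stand in for the ISP's resolvers (documentation addresses, not real ones). The commands are plain cmd.exe tools and run unchanged from cmd or PowerShell; run each part on the host named in its comment, as an administrator.

```powershell
# --- Part 1: caching-only DNS server on the ISA firewall (assumed 10.0.0.1) ---
# Add the DNS Server component (Add/Remove Windows Components) and create no
# zones: a zoneless server only caches and recurses. Listen on the internal
# interface only, so the Internet side never sees this box as a resolver.
dnscmd . /ResetListenAddresses 10.0.0.1

# Recursion stays enabled (the default) because this is the box that talks to
# the Internet. Forwarding to the ISP resolvers is optional: with /NoSlave the
# server falls back to its own root-hint recursion if the ISP stops answering.
dnscmd . /ResetForwarders 203.0.113.53 203.0.113.54 /TimeOut 5 /NoSlave

# Drop answers carrying records outside the domain that was asked for
# (the Windows DNS cache-pollution guard).
dnscmd . /Config /SecureResponses 1

# Assumed ISA Access Rules (Firewall Policy in the ISA MMC; not scriptable here):
#   1. From: Local Host  To: External  Protocol: DNS (UDP 53 send/receive, TCP 53 outbound)
#   2. From: a computer set holding 10.0.0.10 and 10.0.0.11  To: Local Host  Protocol: DNS
# No other LAN host needs port 53 on the firewall or on the Internet.

# --- Part 2: each AD DNS server (commands shown for the assumed 10.0.0.10) ---
# Weak setting from the thread: no forwarder, so each AD server recurses straight
# to the Internet, and the DNS client pointing at the ISP resolver, which cannot
# answer for the AD SRV records. Corrected: forward only to the firewall's
# caching server (/Slave = never recurse on its own), and point the client at
# the AD DNS servers themselves.
dnscmd . /ResetForwarders 10.0.0.1 /TimeOut 5 /Slave
dnscmd . /Config /SecureResponses 1
netsh interface ip set dns name="Local Area Connection" source=static addr=10.0.0.11
netsh interface ip add dns name="Local Area Connection" addr=10.0.0.10 index=2

# Review the resulting server settings (forwarders, timeout, slave flag, listen
# addresses) before repeating Part 2 on 10.0.0.11 with the client entries swapped.
dnscmd . /Info
```

With /Slave set on the AD servers, a failure of the firewall's caching server means external names stop resolving rather than the AD servers quietly opening their own recursion to the Internet, which is the behaviour the Access Rules in Part 1 are meant to rule out.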

 

> -----Original Message-----
> From: Danny [mailto:nocmonkey@xxxxxxxxx] 
> Sent: Tuesday, October 04, 2005 10:39 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Internal DNS best practices
> 
> On 10/4/05, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > It depends.
> >
> > What do you want to do?
> 
> Have as efficient and secure a DNS configuration as possible with
> the following network setup:
> 
> Internet
> |
> |
> v
> ISA Server - Integrated Mode
> |
> |
> LAN + Servers
> 
> Currently there are two AD DNS servers on the LAN, both of them have
> their TCP/IP DNS client settings pointing to localhost and the ISP's
> DNS server.  Both of them also have their DNS server settings with no
> DNS forwarder specified.
> 
> The current ISA 2000 server is in its own forest, has no DNS
> forwarder, but the external NIC has both of the ISP's DNS servers
> specified, and the internal NIC only points to localhost (its own DNS
> server).
> 
> I was thinking it would be best to have all of the LAN DNS servers
> forward their requests to the new ISA (2004; replacing ISA 2000)
> server, which would be a secondary DNS server for AD and forward to
> the ISP for external requests.
> 
> ...D
> 
