Split DNS Configuration
- By Bill Boswell
- July 20, 2004
Recently we have implemented Windows 2003 Active Directory, migrating from NT 4.0, where my NT DNS servers forwarded to our ISP's DNS servers for external name resolution. I still do that with our AD DNS servers and am starting to see problems.

My proposed solution is to implement DNS servers on the DMZ that do the forwarding to the ISP. However, for internal name resolution, I was going to use a split DNS configuration on the TCP/IP properties of the clients, with the first DNS server as the internal AD server, and the secondary and tertiary DNS servers as the DNS forwarding servers in the DMZ. Would this be an optimal configuration, or would it pose performance and security problems?

Also, should the DMZ caching servers forward to my ISP's DNS servers, let them cache from the root servers, or both?
A.J.: Here's the problem I see with your proposed configuration. If the clients can't get access to the primary server (which hosts the SRV records for Active Directory), they'll fall back on a public server that doesn't have these records. This can cause authentication and other problems that would be difficult to diagnose.
A better solution would be to maintain two DNS servers in the private network, both of which forward to the caching server in the DMZ. If you use AD-integrated DNS zones, you can use the second domain controller as the second DNS server.

The caching server in the DMZ should only forward to your ISP. It should not have root hints and should not be authoritative for your public DNS domain.
Hope this helps...
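The layout Bill recommends, plus a client-side check for the failure mode he describes, as an added example that is not part of the original column. It uses the DnsServer module cmdlets of Windows Server 2012 and later (the column predates them); the domain name and all IP addresses are placeholders.

```powershell
# Added example (not from the original column): Bill's two-tier DNS layout expressed
# with DnsServer module cmdlets (Windows Server 2012+). Domain and addresses are placeholders.
$AdDomain     = 'corp.example.com'                    # placeholder AD DNS domain
$DmzForwarder = '192.0.2.10'                          # placeholder: caching server in the DMZ
$IspResolvers = @('198.51.100.53', '198.51.100.54')   # placeholder: ISP recursive servers

# --- On each internal AD-integrated DNS server (both domain controllers) ---
# Forward everything not hosted locally to the DMZ caching server only; no root hints.
Set-DnsServerForwarder -IPAddress $DmzForwarder -UseRootHint $false

# --- On the DMZ caching server ---
# Forward to the ISP, never fall back to root hints, and carry no root hints at all.
Set-DnsServerForwarder -IPAddress $IspResolvers -UseRootHint $false
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force

# The DMZ box must not be authoritative for the public zone: flag any primary zone it hosts.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    ForEach-Object { Write-Warning "Unexpected authoritative zone on DMZ forwarder: $($_.ZoneName)" }

# --- On a client: check for the fallback problem in the original proposal ---
# Every server in the client's DNS list must answer the AD domain-controller locator SRV
# query; a server that cannot would leave logon and LDAP lookups failing whenever the
# first (AD) server is unreachable and the resolver falls back to it.
$srvName = "_ldap._tcp.dc._msdcs.$AdDomain"
$servers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
foreach ($dns in $servers) {
    $answer = Resolve-DnsName -Name $srvName -Type SRV -Server $dns -DnsOnly -ErrorAction SilentlyContinue
    if ($answer | Where-Object { $_.Type -eq 'SRV' }) {
        Write-Output "$dns : OK, returns DC locator SRV records"
    } else {
        Write-Warning "$dns : cannot resolve $srvName; clients falling back to it will fail AD lookups"
    }
}
```

Run the first block on the domain controllers, the second on the DMZ forwarder, and the client check on any workstation; a warning from the client check means that workstation's DNS list still contains a server without the AD SRV records.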
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.