DNS Forwarding Question

Status
Not open for further replies.
Dec 17, 2001
We are going to configure our internal DNS servers (we have one domain and the DNS servers are AD Integrated) to forward requests to a DNS server on our DMZ. Does anyone know of any problems that I might run into when I delete the root zone from my internal DNS servers??
 
I have a D-Link router (DI-604) and I need to find the external IP address of the router. Do I need to know this IP address?
Also, I cannot get the logon screen to pop up. I tried entering the default IP address 192.168.0.1 through the IE browser, but it says it is not found. Why is that?
 
What does that have to do with the question that I posted??
 
Hi,

Do not forward to the DMZ; forward to your ISP's DNS server. Yes, it's safe to delete.
Your DNS on DMZ should resolve your public domain ONLY!
 
WINDOWSGUY:
Enable NAT and DHCP on your D-Link router (read your router's manual) and start your own thread to be fair to amorielljr.

amorielljr:
An additional point on winoto's post: on Win2k you have to delete the "." zone, otherwise your forwarders are grayed out. You can't forward anything if your DNS server is the root.
 
What does that have to do with the question that I posted??

LAF!!!!!
 
Why not forward to a DNS server on my DMZ and have that server perform the queries? The only downside I can see in doing that is there's one more DNS server to hit before I get my queries returned.
 
The downside? DNS poisoning. You have to delete root, cache and disable forwarding. Do you want an outsider to use your DNS to resolve another domain?
 
Bottom line... Have your DNS server point to your ISP's DNS server as mentioned by winoto. Have local users pointing to your local DNS server. Here's why. When local users try to access a web site, they hit your local DNS server. If the site is in cache, they get there right away. If it's not in cache, your DNS server goes to the ISP's server, finds the site and then puts the site in local cache. The next time a user wants to get to that site, it's in the local cache. Users get there faster this way. Good luck.

Glen A. Johnson
If you're from Northern Illinois/Southern Wisconsin feel free to join the Tek-Tips in Chicago, Illinois Forum.
TTinChicago
Johnson Computers
 
Why do you need to have a DNS server in your DMZ?
Can't you just use your ISP's DNS for your public records (e-mail, web, etc.)?
I am curious because we are about to go from NT 4 to A.D.
Thanks for any advice/explanations.
 
I have a DNS server on my DMZ because I want to be in control of our external DNS zones and records. We used to use MCI but it took up to 2 days to create and edit zones and records. It is in no way connected to our Active Directory; in fact it's a RedHat/BIND server. We have a separate DNS infrastructure (which is Windows 2003 and is AD integrated) to handle internal DNS requests.

Another question: I ended up having my internal DNS servers forward resolution requests to our ISP's DNS servers. The problem I am now having is that it takes a good 5 seconds for a workstation to get DNS resolution. We are on a 100BaseT network and connected to the Internet via a DS3 (going through Network Load Balanced firewalls) so it's not a network performance problem. I found a couple of Microsoft articles pointing to problems with Windows 2003 DNS service bugs. Has anyone else had this problem and fixed it?
 