ancientcontra
Technical User
OK, I have 3 internal DCs that have no access to the internet, and have their forwarders pointing to our ISA server. Normal ADI DNS on all 3.
The ISA server is not in a DMZ, and gets its web traffic from an ISA upstream server, which is in another company.
We have a 100meg link to this company and are only separated by a liberal firewall. The ISA server holds a caching only DNS zone, and has forwarders that point to 2 DNS servers at the same company, which pass all our external queries.
We want to do our own lookups for external names, taking this company out of the equation.
The ISA server will need to be NAT'ed out our Cisco ASA firewall to one of our external addresses, so we don't have to rely on an upstream server.
My questions are:
(1) Should I get all external lookups done by the ISA server, as it will be NAT'ed out? Then have the forwarders on that server point to our ISP's? I then change the DNS server on the ISA server to point to itself? Or point to the ISP?
(2) If the DCs need to do external lookups, do I just allow DNS traffic to these boxes, and use dynamic NAT using the firewall's address?
(3) When are root hints used? If the servers are not NAT'ed, do they ever get used? when the forwarders don't work
I haven't done this for a while; any help at all would be greatly appreciated.
Nick Cutting
MCSA CCNA A+