Welcome to ISAserver.org

Split DNS With Different Namespaces

Split DNS With Different Namespaces - 29.Jan.2010 4:17:39 AM   
TokyoBrit

 

Posts: 31
Joined: 13.Nov.2008
Status: offline
I'm hoping someone could shed some light on my confusion as I plan to implement Split DNS.

The basics are that I would have a couple of DNS servers in the DMZ that are authoritative for external queries to the public namespace, like www.example.com, that respond with public IP addresses, and a couple of DNS servers on the internal network that respond to internal queries to the public namespace with private IP addresses.

This I get.

But, from what I've read of securing DNS in a Windows Active Directory environment, especially the Microsoft best practices, the external and internal namespaces should be different - example.com for external, and corp.example.com for internal.

That is, the intranet DNS servers wouldn't know about www.example.com as they only have the corp.example.com zone files.

Or is this where I'm wrong?

Also confusing the mix is the fact that Windows Domain Controllers have to have DNS installed, and usually these are regarded as the authoritative DNS for the internal namespace.

None of the articles I've read so far indicate that during the AD domain controller setup you need to add a second zone for the external namespace if you are implementing split DNS.

Does having different internal/external namespaces and split DNS mean I have to have DNS servers on the internal network separately from the domain controllers?

Even Dr. Shinder's ISA 2006 Migration Guide doesn't show where the AD DCs are located. It seems to indicate that the internal DNS servers are completely separate, but then goes on to say that they should be AD integrated zones for improved security and for controlling access to Firewall clients.

To say it's doing my head in is an understatement.
Post #: 1
RE: Split DNS With Different Namespaces - 29.Jan.2010 4:23:26 AM   
ThomasNexoe

 

Posts: 48
Joined: 11.Aug.2007
From: Denmark
Status: offline
Use example.local for the internal DNS and example.com for the external/public DNS.
The local DNS servers should use the external DNS servers in the DMZ as forwarders for external name resolution on zones other than example.local.

Cheers!

_____________________________

Best regards,

Thomas Moeller Nexoe
--------------------------------------
Website: http://www.winfrastructure.dk
Blog: http://www.winfrastructure.net

(in reply to TokyoBrit)
Post #: 2
RE: Split DNS With Different Namespaces - 29.Jan.2010 7:41:01 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
That used to be the thinking. Old hat now. No probs with internal & external namespaces being the same.

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to ThomasNexoe)
Post #: 3
RE: Split DNS With Different Namespaces - 29.Jan.2010 11:01:54 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

Like many other things in IT, I would say it depends on your scenario.

SplitDNS has great advantages when it comes to using common resources from internal and external networks, like OWA, RPC/HTTP(S), web servers and so on.

On the other hand, many people still like to use different internal and external DNS names. Maybe thinking about security reasons, but there are no security risks in a SplitDNS infrastructure.

A scenario that I can think of, IMHO, to not use SplitDNS is when you have to establish a site-to-site VPN with another company. It would make DNS configuration a bit easier, because you don't have to worry about name resolution for external resources on your external domain.

Some time ago I used to think the best option was not to use SplitDNS, but now I consider what I wrote above.

Either way you decide, you have to have two different DNS servers (one for internal and one for external).

It is not a MUST to install a DNS server on a DC, but to run DCPROMO you MUST have a DNS server properly configured. To save money and servers, most people install DNS/DHCP on a DC.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to TokyoBrit)
Post #: 4
RE: Split DNS With Different Namespaces - 29.Jan.2010 2:35:52 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

The basics are that I would have a couple of DNS servers in the DMZ that are authoritative for external queries to the public namespace, like www.example.com, that respond with public IP addresses, and a couple of DNS servers on the internal network that respond to internal queries to the public namespace with private IP addresses.
This I get.

No, you didn't.  You missed that.  But it is easy to do.  Most of the articles out there for Split-DNS are horribly misleading or are out of date (old school thinking),...or they only consider one kind of network (usually some massive Corp monster).

All you need is the AD DNSs sitting on the LAN that you already have.  You do not need any other DNSs on the External or DMZ side. You do not need DNS installed on the ISA or any kind of other DNS caching scheme. The "other" DNS is your ISP's DNS and you do not have to touch it, maintain it, or worry about it at all for the most part, aside from the fact that you want to know and have documented what they have listed on it for your domain.  This fact is why you noticed the following from Tom's articles when you said,..."Even Dr. Shinder's ISA 2006 Migration Guide doesn't show where the AD DCs are located"

It is painfully simple,..so simple it hurts:

1. If your AD Domain Name matches the spelling of your Public Domain Name then all you do is add the Host Records for your public presence,...in other words just duplicate the Host Records, that the ISP has, on your normal AD Zone that is already there.   That is it,...you're done.

2.  If your AD Domain Name is spelled differently than your Public Domain Name then the only difference is that you create a new Zone in the AD DNS to match the Public Name.  Then you add the Host Records (to this Zone) just like above.  MX Records and most other records do not need to be done.  The zone does not have to be AD enabled,...that's just a personal choice.  Mine is not.

_____________________________

Phillip Windell

(in reply to TokyoBrit)
Post #: 5
RE: Split DNS With Different Namespaces - 29.Jan.2010 2:40:00 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Addition...

If you have hosts on your LAN that have services published to the internet,...like OWA, Web Sites, or whatever,...then you want your LAN users to resolve the FQDNs to the private IP# that the server is actually on (not the public IP#).  That would be the one difference between the host records on your machine -vs- the host records on the ISP's DNS.

The idea is that you want the LAN user to go directly to the Resource,....they should not try to go through the ISA to get there.

_____________________________

Phillip Windell

(in reply to pwindell)
Post #: 6
RE: Split DNS With Different Namespaces - 29.Jan.2010 11:13:46 PM   
TokyoBrit

 

Posts: 31
Joined: 13.Nov.2008
Status: offline
Wow. Am I out of touch or what?

OK. First, the reason for split DNS...

We're a software house that has developed, and continue to expand upon, several HRMS SaaS solutions.

Our payroll SaaS is used by our business process outsourcing department to handle the payroll for those of our customers that don't want to do the work themselves.

As such, it makes it easier and less error-prone if our BPO staff use exactly the same URL to access the system as our customers do, which they can do now but then the web traffic goes out through one ISA Server acting as a web proxy, and back in through another ISA server acting as a firewall.

We also create new child public FQDNs on a regular basis, for those customers that contract for the more secure options, like customer.bpo.example.com, as well as new SaaS offerings, all of which currently require us to contact our ISP and *pay* to have them add the DNS records, and then wait 48 hours.

We are also looking at deploying a SharePoint site for customer use sometime this year.

So, given that the need for split DNS is there, which way do I do it?

The Windows Server 2008 Step-By-Step Guide for DNS in Small Networks says:

"For your internal domains, create names that are related to your registered Internet DNS domain name. For example, if you register the Internet DNS domain name contoso.com for your organization, use a DNS domain name such as corp.contoso.com for the internal, fully qualified DNS domain name and use CORP as the NetBIOS name."

But goes no further than the initial setup of the internal namespace on the first domain controller.

If all my clients point to the domain controller for name resolution, then it must point at the ISP's DNS to resolve external names, but that's a very big no-no.

So where does the internal DNS server point to in order to resolve external DNS queries?

My thought was the external DNS server in the DMZ, and that leads me back to my original post.

(in reply to pwindell)
Post #: 7
RE: Split DNS With Different Namespaces - 30.Jan.2010 8:14:10 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
1. You pay your ISP for updating DNS??? Move to a free option such as freedns, or host your own public DNS servers.
2. Call your internal domain anything you like....
3. Set up whatever A records you need in a new zone that mirrors the name of your public FQDN; add A records and CNAMEs in that zone to point to the internal IP addresses of your resources.

That'll take care of internal resolving....

Your internal DNS servers should be resolving DNS for all your external requests, either directly to the interwebs, or by using your ISP's/hoster's IPs in the forwarding tab.

_____________________________

Thanks
Steve

(in reply to TokyoBrit)
Post #: 8
RE: Split DNS With Different Namespaces - 30.Jan.2010 9:37:42 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,
quote:

As such, it makes it easier and less error-prone if our BPO staff use exactly the same URL to access the system as our customers do, which they can do now but then the web traffic goes out through one ISA Server acting as a web proxy, and back in through another ISA server acting as a firewall.

After your above statement, I would go for SplitDNS.
About how to configure SplitDNS, I usually do it like this:

For internal clients to resolve internal and external names:
- Install DNS server on a DC;
- Configure the internal DNS server to forward requests to the ISP or some other reliable DNS server (such as OpenDNS);

For external clients to resolve your external DNS name:
- Either host a DNS server in a DMZ or choose an ISP that does it for free, like Steve pointed out;

Also, you can take a look at some great articles for DNS configuration for ISA firewall:

http://www.isaserver.org/tutorials/2004illegaltldsplitdns.html

http://www.isaserver.org/tutorials/Definitive-Guide-ISA-Firewall-Outbound-DNS-Scenarios-Part1.html

http://technet.microsoft.com/en-gb/library/cc302590.aspx

Regards,
Paulo Oliveira.


(in reply to TokyoBrit)
Post #: 9
RE: Split DNS With Different Namespaces - 31.Jan.2010 8:11:00 PM   
TokyoBrit

 

Posts: 31
Joined: 13.Nov.2008
Status: offline
Thank you for all the comments. It's starting to come together.

quote:

1. You pay your ISP for updating DNS??? Move to a free option such as freedns, or host your own public DNS servers.


This is a good part of why we are doing this. We want to host our own public DNS servers, and as such, those external servers need to be protected and in our DMZ. I don't think there is any doubt that we want to implement split DNS. My question is really a matter of how... as a best practice.

quote:

Also, you can take a look at some great articles for DNS configuration for ISA firewall:

http://www.isaserver.org/tutorials/2004illegaltldsplitdns.html

http://www.isaserver.org/tutorials/Definitive-Guide-ISA-Firewall-Outbound-DNS-Scenarios-Part1.html

http://technet.microsoft.com/en-gb/library/cc302590.aspx


Those were a good read, although I've read the Definitive Guide a couple of times already trying to make sense of it, but then realised it's only for outbound.

So let's say my AD domain namespace is corp.example.com, so there will be 2 DNS zones on the domain controllers for that namespace - corp.example.com and _msdcs.corp.example.com.

I need to add a new zone called example.com, that will hold all the A host records of the Internet facing services. Now the domain controllers respond with the IP address of those hosts rather than our ISP DNS.

Hmm. Looking at our current config, it looks like the DCs forward non-answered queries to our ISA web proxies, but they have no zones so all queries get forwarded to our ISP's DNS.

By adding the example.com namespace to the ISA proxy array I can get an authoritative response to the client before the DNS resolver contacts the ISP, and give them the internal IP address instead of the external one as we do now.

OK. I then need to add an external DNS server that will respond to outside queries for example.com, and that DNS server only performs zone transfers with the other external DNS servers - we would end up having 4 - 2 at the primary site and 2 at the secondary site.

Sorry this is a bit long. Wanted to put down my thinking so others can steer me right if I made a mistake in my logic.

(in reply to SteveMoffat)
Post #: 10
RE: Split DNS With Different Namespaces - 1.Feb.2010 7:28:09 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Unless you have DNS servers on your ISA servers, then all DNS queries should go to your internal DNS servers. There should be no DNS server entries on the external facing NICs. Apart from that it looks like you've got it.

_____________________________

Thanks
Steve

(in reply to TokyoBrit)
Post #: 11
RE: Split DNS With Different Namespaces - 1.Feb.2010 7:52:22 PM   
TokyoBrit

 

Posts: 31
Joined: 13.Nov.2008
Status: offline
Actually, we do have DNS on the internal NIC of the web proxy ISA, which has forwarders to the ISP's name servers via the external NIC.

The clients are set up with the local domain controller as primary DNS and the web proxy as secondary DNS.

This is to allow us to use our SFTP client software to connect to SFTP file servers on the Internet.

Is there anything special I need to do, in co-ordination with the ISP, to ensure that our new external DNS servers are authoritative for our domain? Basically, we need to set up inbound DNS.

(in reply to SteveMoffat)
Post #: 12
RE: Split DNS With Different Namespaces - 2.Feb.2010 8:31:25 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
You need to change who hosts your DNS via your domain registrar.

_____________________________

Thanks
Steve

(in reply to TokyoBrit)
Post #: 13
RE: Split DNS With Different Namespaces - 2.Feb.2010 2:10:38 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

Actually, we do have DNS on the internal NIC of the web proxy ISA, which has forwarders to the ISP's name servers via the external NIC.

No.  Internal NIC points to the Internal AD DNS only.
External NIC is blank.

quote:

The clients are set up with the local domain controller as primary DNS and the web proxy as secondary DNS.

The "web proxy" is not a DNS at all,..secondary or otherwise.
All clients,..every last one of them,...use only the AD/DNS and nothing else,...ever.
Within the config of your AD DNS Service Properties add the External DNS to the Forwarders list.  Make sure ISA is configured to allow the AD/DNS to make outbound DNS queries.

Then after all that you still have to create the proper entries and maybe even Zones to the AD/DNS to cover the split DNS.  Handling your own Public DNS -vs- having someone else do it does not change that fact.

quote:

Is there anything special I need to do, in co-ordination with the ISP, to ensure that our new external DNS servers are authoritative for our domain?

Aside from the fact that I think doing this yourself is a mistake,....do what Steve said.....

_____________________________

Phillip Windell

(in reply to TokyoBrit)
Post #: 14
RE: Split DNS With Different Namespaces - 16.Feb.2010 4:56:04 PM   
mminer

 

Posts: 4
Joined: 21.Dec.2006
Status: offline
I don't know why you complicate such easy stuff.
Split DNS

For example:
In the DMZ you have a web server with IP address 192.168.50.2

Naturally you publish this address via ISA or whatever ...
And you put in public DNS www.example.com 213.xxx.xxx.xxx
Your public address of ISA or router.
That is the FIRST DNS.

SECOND DNS
In the internal DNS you
create www.example.com with address 192.168.50.2
That is SPLIT DNS
When you are in the internal network your client first talks to your internal DNS server and gets the response that www.example.com is 192.168.50.2
And when you are at home--- you get the response from the public DNS for www.example.com 213.xxx.xxx.xxx :)

(in reply to TokyoBrit)
Post #: 15
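The procedure the posters describe (pwindell's two steps, Steve's and Paulo's forwarder step, and mminer's www.example.com example) as one added script; it is not from any of the posters. It assumes the DnsServer and DnsClient PowerShell modules of Windows Server 2012 or later (the 2008-era servers in the thread would use dnscmd or the DNS console), is run on the AD DNS server, and every address in it is constructed.

```powershell
# Added example, not from the thread. Assumes DnsServer/DnsClient modules (Server 2012+).
# Constructed values: 192.168.50.x private hosts (mminer's example), 203.0.113.53 as the
# DMZ/public DNS used both as forwarder and as the "outside view" for the final check.
$PublicZone     = 'example.com'        # registered name, spelled differently from the AD zone
$Forwarders     = @('203.0.113.53')    # DMZ/public DNS (Thomas) or ISP/OpenDNS (Paulo, Steve)
$PublicResolver = '203.0.113.53'       # any resolver that returns the ISP's public answers
$PublishedHosts = @{                   # label -> private IP the LAN should reach directly
    'www'  = '192.168.50.2'
    'mail' = '192.168.50.3'
}

# pwindell step 2: AD name differs from public name, so add a zone named after the public
# domain. File-backed (not AD-integrated) as in his setup; use -ReplicationScope Domain
# instead of -ZoneFile to AD-integrate it. If the names match (step 1), skip this block
# and set $PublicZone to the existing AD zone.
if (-not (Get-DnsServerZone -Name $PublicZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PublicZone -ZoneFile "$PublicZone.dns" -DynamicUpdate None
}

# Duplicate the ISP's host records, but with the private address: pwindell's "one
# difference". Only published services; MX and the rest stay at the public DNS.
foreach ($label in $PublishedHosts.Keys) {
    $have = Get-DnsServerResourceRecord -ZoneName $PublicZone -Name $label -RRType A `
                -ErrorAction SilentlyContinue
    if (-not $have) {
        Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name $label `
            -IPv4Address $PublishedHosts[$label] -TimeToLive (New-TimeSpan -Hours 1)
    }
}

# Forwarders: anything not in a local zone leaves via these. Clients keep using only the
# AD DNS (pwindell); ISA must allow outbound DNS from this server.
$current = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
foreach ($fwd in $Forwarders) {
    if ($current -notcontains $fwd) { Add-DnsServerForwarder -IPAddress $fwd }
}

# Check the split view: inside, each published name must return its private address;
# outside, a different public one. A public answer from inside means LAN users would
# hairpin out through the ISA web proxy and back in, the problem the thread is solving.
$problems = @()
foreach ($label in $PublishedHosts.Keys) {
    $fqdn    = "$label.$PublicZone"
    $inside  = (Resolve-DnsName -Name $fqdn -Type A -Server '127.0.0.1' -DnsOnly `
                   -ErrorAction SilentlyContinue).IPAddress
    $outside = (Resolve-DnsName -Name $fqdn -Type A -Server $PublicResolver -DnsOnly `
                   -ErrorAction SilentlyContinue).IPAddress
    if ($inside -notcontains $PublishedHosts[$label]) { $problems += "$fqdn inside -> $inside" }
    if ($outside -contains $PublishedHosts[$label])  { $problems += "$fqdn leaks private IP outside" }
    if (-not $outside)                               { $problems += "$fqdn has no public record" }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Split DNS view OK' }
```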