The use of the Domain Name System (DNS) to resolve TCP/IP names and addresses has exploded with the deployment of NAT (Network Address Translation) and the growth of TCP/IP as the primary protocol for networks. Unfortunately, it’s a bit of a headache to get DNS to properly resolve names for your internal network as well as Internet and company resources outside your firewall. To solve this problem, you can configure Windows 2000’s DNS to act as a split DNS, resolving names both internally and externally to your network. In this Daily Feature, I’ll show you how it works.
Split DNS helps resolve internal and external names
When you connect your network to the Internet, you need name resolution services that work for both internal and external clients—especially if you have services located either in your firewall’s DMZ or behind the firewall on a corporate LAN. A typical network configuration connected to the Internet through a DMZ is shown in Figure A.
In split DNS, you set up a locally administered DNS server with a small zone file that only has entries for resources located behind the firewall. You configure the DNS server to answer all requests from workstations on the local network and forward any requests that can’t be resolved to the external name servers.
Split DNS has a number of benefits. First, you can access local resources as seamlessly as external resources, without the need to set up hosts or lmhosts at your workstations. Second, since local workstations will use the internal DNS servers as their primary means of name resolution, the DNS server addresses at each workstation don’t need to be changed if the external DNS server’s IP address changes.
Configuring split DNS on your Windows 2000 server
If you’re using Active Directory and opt for the Windows 2000 DNS server, you’re ready to implement split DNS. If you haven’t yet started using Active Directory, you can still use Windows 2000 to set up split DNS. First make sure you’ve deployed DNS on a Windows 2000 server.
To install DNS services on a Windows 2000 server that doesn’t use Active Directory, click Start | Settings | Control Panel | Add/Remove Programs. When the Add/Remove Programs screen appears, choose Add/Remove Windows Components in the left-hand windowpane.
From the Windows Components Wizard, double-click Networking Services from the list to bring up a list of the networking subcomponents. Scroll through the list, check the box for Domain Name System (DNS), and click OK.
Click Next to complete the installation of DNS services. You may be prompted for the Windows 2000 Server CD ROM. When DNS is finished installing, click Finish to complete the process. DNS is now installed and running on your Windows 2000 Server.
The remaining examples will use zone-file-based DNS rather than Active Directory integrated zones. We’ll create a sample zone called example.com.
DNS entries are all placed into zone files. Zone files hold all records associated with a particular domain. For example, a record inside the techrepublic.com zone file is www, which corresponds to www.techrepublic.com.
To start the DNS manager in Windows 2000, go to Start | Programs | Administrative Tools | DNS. The DNS Microsoft Management Console (MMC) will appear. To create the zone, right-click the folder marked Forward Lookup Zones and choose New Zone. This will start the New Zone Wizard.
The New Zone Wizard’s first screen asks for the Zone Type. In this example, you’ll create a Standard Primary zone. If you were using Active Directory, you could create an Active Directory-integrated zone instead. An Active Directory-integrated zone inherits the benefits of Active Directory, such as replication. For a secondary DNS server, you’d create a Secondary Zone, which would receive information from the primary zone to seed its database. Click Next to continue.
The next screen asks for the zone name. Enter the name for your zone and click Next. The wizard will then prompt you for a zone file. If you were copying a zone from another DNS server, you could use a dump from that server’s database or create a new file. Since you’re creating a new file, choose that option and click Next .On the next screen, click Finish to complete the installation.
After you create the zone, you need to configure the DNS server to forward the requests it can’t resolve to other DNS servers. To do this, right-click on the name of the DNS server in the DNS MMC and choose Properties. With the property page open, click on the tab marked Forwarders. You’ll see a screen similar to Figure B.
To configure the DNS service to forward queries to other DNS servers, select the Enable Forwarders checkbox. You must also enter one or more IP addresses into the IP Address list. These IP addresses must correspond to external DNS servers.
In addition to setting up forwarding for your DNS server, you may have to create records in the zone to reflect network resources. To create a local record for this Web server, right-click the name of your domain under the Forward Lookup Zones and choose New Host. You’ll then see the screen shown in Figure C.
Once you’ve created records for your internal machines, you need to point your internal clients to your new DNS server, either by manually configuring your workstations to look at the DNS server or by setting up DHCP and configuring DNS information on the DHCP server.
Split the difference
It’s as simple as that! Split DNS will help you overcome name resolution headaches. There are other things you can do to improve name resolution performance in your organization. For example, you might consider adding internal DNS records that point to your external services along with their public IP addresses. This removes one hop from the name resolution process for services that your users depend on, but it will add a step to the process if you need to change one of those IP addresses down the line.