DNS and Firewall

By maharajv ·
I have a DNS issue. I have three DNS servers, all Win2k with NO AD. Currently my primary DNS server machine is sitting in the DMZ, and I have two other internal DNS servers (secondary) that are residing within the LAN. The DMZ DNS server is being NATed to a 196. address to the WWW, but within the DMZ it has an IP in the 172 range. Now this is the problem. When you start up DNS on the DMZ DNS server, it registers both of its IP addresses to itself and this is replicated to the internal boxes. The problem exists in that the DNS hints contain lookups for both addresses and this is thus causing routing problems for mail and other services via the firewall. Is it possible for me to configure the server such that on startup/restart it does not register its internal 172 address but registers ONLY the 196 address? Help.......


6 total posts (Page 1 of 1)  

DNS and Firewall

by maharajv In reply to DNS and Firewall

Point value changed by question poster.


DNS and Firewall

by ewgny In reply to DNS and Firewall

The problem is that your DMZ DNS server should not be the primary DNS for your internal DNS servers. The whole point of having a DMZ DNS server is to isolate your internal DNS servers from the internet. When you move to Active Directory, all of your service records in DNS will be on your DMZ server! Since you don't have Active Directory yet, you have the opportunity to set your namespace up properly from the beginning.
Your DMZ DNS could be authoritative for xyz.com
whereas your internal DNS name could be abc.xyz.com


DNS and Firewall

by maharajv In reply to DNS and Firewall

Sorry but the problem was with the initial DNS design, which has been corrected since then.


DNS and Firewall

by curlergirl In reply to DNS and Firewall

Basically, I agree with the previous answer in a philosophical sense. However, there is an easy way to prevent the registration of your second IP address on this server, provided that the two addresses are on two separate NICs. If they're not, they should be, so get a second NIC and put it in. Then, go to the properties of the NIC that has the 172 address, go to the IP properties, click the Advanced button, go to the DNS tab, and you'll see a checkbox at the bottom for "Register this connection's addresses in DNS". This is checked by default to allow DDNS (dynamic DNS), which is what causes the automatic registration of the address. Remove the checkmark and it will not register itself again. Then, you will have to manually remove the already-registered address from your DNS zone and wait for it to replicate. Hope this helps!
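The same three steps (turn off per-connection registration on the internal NIC, delete the private A record that was already registered, then confirm nothing else in the public zone points at private space) as an added PowerShell example. This is not code from the thread, and it assumes a Windows version with the DnsClient and DnsServer modules (Windows Server 2012 or later; Windows 2000 has neither, so there the GUI steps above are the only option). The interface alias 'Internal', the zone name 'xyz.com' and the host label 'ns1' are placeholders.

```powershell
# Added example, not from the thread. Assumes the DnsClient and DnsServer
# PowerShell modules are present (Server 2012+), run on the primary DNS server.
$InternalNic = 'Internal'   # placeholder: alias of the NIC carrying the 172.x address
$ZoneName    = 'xyz.com'    # placeholder: the zone served to the internet
$HostName    = 'ns1'        # placeholder: host label of the DMZ DNS server

# RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
$rfc1918 = '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)'

# 1. Equivalent of unticking "Register this connection's addresses in DNS"
#    on the internal adapter, so it stops re-registering the 172.x address.
Set-DnsClient -InterfaceAlias $InternalNic -RegisterThisConnectionsAddress $false

# 2. Remove the private A record that dynamic registration already created.
#    Only records for this host whose address is in RFC 1918 space are deleted;
#    the public 196.x record is left in place.
Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostName -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -match $rfc1918 } |
    ForEach-Object {
        Remove-DnsServerResourceRecord -ZoneName $ZoneName -InputObject $_ -Force
    }

# 3. Audit the whole zone: any A record still pointing at private space is a
#    leak of internal addressing to the internet and should be investigated.
Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -match $rfc1918 } |
    Select-Object HostName,
        @{ Name = 'Address'; Expression = { $_.RecordData.IPv4Address.IPAddressToString } }
```

Run it on the server that holds the primary copy of the zone; the secondaries in the LAN pick up the deletion on the next zone transfer, which is the "wait for it to replicate" step above. Step 3 is worth keeping as a scheduled check, since the same leak recurs whenever another dual-homed host with registration enabled is added to the DMZ.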


DNS and Firewall

by maharajv In reply to DNS and Firewall

Sorry but the problem was with the initial DNS design, which has been corrected since then.


DNS and Firewall

by maharajv In reply to DNS and Firewall

This question was closed by the author
