DNS namespace considerations in Win2K

By ktamayo ·
I am in the process of upgrading our corporate domain from NT 4.0 to Windows 2000. My question is regarding choosing the domain name/DNS namespace during the Win2K migration. We are currently on the internet with a registered domain name, <mycompany>.org. What would be the considerations in choosing the internal namespace for our domain? What are the pros and cons of having it the same as our external (registered) namespace? Thanks in advance for your help.

Kelvin Tamayo
Network Administrator
MCSE NT 4.0 and Win2K

This conversation is currently closed to new comments.

DNS namespace considerations in Win2K

by ewgny In reply to DNS namespace considerati ...

I would suggest that you consider using your registered domain on your DMZ and using xyz.yournamespace.com on your internal network. This will give you a lot more security options, such as putting a DNS bastion host on your DMZ.
I will add some links for you to read when I get home.

DNS namespace considerations in Win2K

by ktamayo In reply to DNS namespace considerati ...

What exactly is a DNS bastion host?

DNS namespace considerations in Win2K

by ewgny In reply to DNS namespace considerati ...

I guess it was more important to reject my answer instead of waiting for me to add the links I told you I would do. A bastion host is a box that sits outside of your internal network. It is part of your first line of defense against attack.
Your internal network will communicate with the external network only through this host. A bastion host can be a DNS server, an SMTP relay server, etc.
There are security advantages to putting a DNS server on the DMZ as a forwarder. When a DNS client in your network sends a recursive query to your internal DNS server, your internal DNS server first checks to see if it is authoritative for the zone of the request. If not, it checks its cache. If the data is not cached, your internal DNS server will issue iterative queries to external DNS servers until the recursion is complete. The IP datagrams from these queries contain information about your internal network: the source and destination IPs. A hacker could potentially obtain your internal network's service records, host names, etc.
By configuring a DNS forwarder on your DMZ, the job of recursion can be passed to the forwarder (disable recursion on your internal DNS) and no internal network information is exposed to the outside. Setting up your DNS/domain name structure so that your internal network resides on a subdomain of your registered domain name will give you future security options. It's just as easy to set up, and as you must know since you are a Win2K MCSE, you can't change your domain name until .NET arrives, and even then it won't be cake.
Read up - revisit Microsoft course # 1561.
Don't bother rating my answer please.
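A small model of the resolution path described in the reply above, added here as an example and not part of the original post. It assumes constructed addresses (10.0.0.53 for the internal server, 192.0.2.53 for the DMZ forwarder) and placeholder zone names, and records which source address an external authoritative server observes when an internal client looks up an outside name, with and without the forwarder.

```python
"""Constructed model of internal DNS -> DMZ forwarder -> external server.
Tracks which source IPs the external server sees, to show why disabling
recursion internally and forwarding from the DMZ hides the internal server."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed, placeholder addresses (documentation ranges).
INTERNAL_DNS = "10.0.0.53"       # internal server, authoritative for corp.example.org
DMZ_FORWARDER = "192.0.2.53"     # bastion forwarder on the DMZ
INTERNAL_ZONE = "corp.example.org"


@dataclass
class ExternalAuthServer:
    """Stand-in for any authoritative server on the internet."""
    seen_sources: Set[str] = field(default_factory=set)

    def answer(self, source_ip: str, name: str) -> str:
        self.seen_sources.add(source_ip)      # the querying server's IP is now known outside
        return f"{name} -> 203.0.113.7"


@dataclass
class DnsServer:
    ip: str
    zones: Tuple[str, ...]
    recursion: bool
    forwarder: Optional["DnsServer"] = None
    external: Optional[ExternalAuthServer] = None

    def resolve(self, client_ip: str, name: str) -> str:
        if any(name.endswith(z) for z in self.zones):        # 1. authoritative data
            return f"{name} -> 10.0.0.x (authoritative)"
        if self.forwarder is not None:                       # 2. hand recursion to the forwarder
            return self.forwarder.resolve(self.ip, name)
        if self.recursion and self.external is not None:     # 3. recurse ourselves: our IP leaves the network
            return self.external.answer(self.ip, name)
        return "REFUSED"                                     # recursion off and nowhere to forward


def run(use_forwarder: bool) -> Tuple[str, str, Set[str]]:
    """Return (internal answer, external answer, source IPs seen outside)."""
    auth = ExternalAuthServer()
    fwd = DnsServer(DMZ_FORWARDER, (), recursion=True, external=auth)
    internal = DnsServer(INTERNAL_DNS, (INTERNAL_ZONE,), recursion=not use_forwarder,
                         forwarder=fwd if use_forwarder else None, external=auth)
    inside = internal.resolve("10.0.0.25", "dc1." + INTERNAL_ZONE)
    outside = internal.resolve("10.0.0.25", "www.example.net")
    return inside, outside, auth.seen_sources
```

Without the forwarder the external server records 10.0.0.53 as the query source; with it, only 192.0.2.53 is ever seen, while internal names still resolve from the authoritative zone.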

DNS namespace considerations in Win2K

by ktamayo In reply to DNS namespace considerati ...

Poster rated this answer

DNS namespace considerations in Win2K

by ktamayo In reply to DNS namespace considerati ...

This question was closed by the author
