Archived from groups: microsoft.public.win2000.dns
"sheaff" <sheaff@discussions.microsoft.com> wrote in message
news:1C9FD4FA-9230-4637-9C28-5E533432CF36@microsoft.com...
> Thanks again Herb.
>
> The problem is the DNS I wish to create in the DMZ uses different
> addresses than our private network.
You keep saying that like it matters -- for DNS it does NOT
matter.
DNS is an IP service and thus routable. Clients can be on one
network and easily query servers on another -- this happens
millions of times every day (every second probably) on the Internet.
Home users query ISP DNS servers that are on another subnet or
even another network.
As long as your IP network is functional (routable) it will be
irrelevant.
> Example
> Private Network 172.16.44.0 /22 network
> DMZ Network 172.16.181.0 /24 network
> So If I create a secondary the address for DCs will not be correct.
What?
As long as your router can deal with those two ranges
then you have no problem.
The ranges do look a bit odd, but there is nothing inherently
incorrect or troublesome about them.
> If I manually do this it won't be so bad.
Huh? You don't have a problem.
> For our VPN users I want access to login to Domain and access resources in
> the Domain. I have a total of 2 DCs and network is static.
Then you are depending on your VPN for (virtually) all of your
security. Use a secure authentication mechanism for the VPN,
like MS-CHAPv2.
--
Herb Martin
>
> thanks,
> Bill
>
> "Herb Martin" wrote:
>
> > "sheaff" <sheaff@discussions.microsoft.com> wrote in message
> > news:E40EC6C3-D456-4635-B644-5736CBFEA7D7@microsoft.com...
> > > Thanks for the response.
> > >
> > > I have different address (network) in VPN.
> >
> > Why do you mention this?
> >
> > What about different address ranges do you think is
> > important to DNS?
> >
> > > A more clear question, what records do I need to create in the DMZ
> > > DNS?
> > > _gc
> > > _kerberos
> > > _kpassword
> > > _ldap
> >
> > Actually you should NOT "create" any of those but rather make
> > the DMZ a secondary and let it pull them automatically from an
> > internal DNS server.
> >
> > It is impractical to create AND maintain those records accurately.
> >
> > > I wish to put the DNS server in the VPN network, outside of our
> > > private network. Is this the correct plan?
> >
> > Maybe. Once the users "reach" that VPN network, what do
> > you want them to be ABLE to do and UNABLE to do?
> >
> > That is, to which resources should they be granted and denied
> > access?
> >
> > How will they be granted that access? And with that access,
> > how will you ensure they don't have access to other resources?
> >
> >
> >
> >
> > --
> > Herb Martin
> >
> >
> > > "Herb Martin" wrote:
> > >
> > > > "sheaff" <sheaff@discussions.microsoft.com> wrote in message
> > > > news:858D7427-0C07-49D4-ABC1-F39C8FA3D477@microsoft.com...
> > > > > Hello,
> > > > > I want to configure a DNS server so users can log on to
> > > > > domain(win2k) through Cisco VPN client.
> > > >
> > > > > I do not want to put a DC in the DMZ. I would like to put a DNS
> > > > > server with server records in this zone.
> > > >
> > > > First, if it is not a DC, just make it a "secondary" (or some
> > > > variant*).
> > > >
> > > > > Anyone done this or know of any good resources to find.
> > > >
> > > > What do you want? A DNS server?
> > > >
> > > > > Challenges include that it is a different network with different
> > > > > IP addressing.
> > > >
> > > > That is largely irrelevant to DNS and actually helps in a way,
> > > > since you can use the possible "client" addresses to filter out
> > > > unauthenticated requests.
> > > >
> > > > > Security to me is a huge concern.
> > > >
> > > > If you use a secondary, filtered for only those addresses that
> > > > authenticated through the VPN, you pretty much remove the
> > > > threat from any machine that cannot defeat your VPN anyway.
> > > >
> > > > DNS in such a situation is NOT a major source of your security
> > > > concerns -- the VPN server, and the client accounts are much
> > > > higher risks at that point. (Manageable, but much higher than DNS.)
> > > >
> > > > * With Win2003 DNS server you could use a "stub zone" or perhaps
> > > > even "conditional forwarding" but this is not a terrifically
> > > > significant difference to the overall design. Likewise with BIND
> > > > you could use VIEWS as an adjustment on the DMZ DNS server.
> > > >
> > > >
> > > > --
> > > > Herb Martin
> > > >
> > > >
> > > >
> >
> >
> >
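As an added example (not part of the thread, and not configuration from either poster), here is what Herb's design looks like on a BIND 9 DMZ server: the AD zone is held as a secondary pulled from the internal DNS server, and views restrict who may query it to the addresses that arrive through the VPN. The 172.16.44.0/22 private and 172.16.181.0/24 DMZ ranges are the ones given in the thread; the internal master address 172.16.44.10, the DMZ server address 172.16.181.53, the VPN client pool 172.16.182.0/24 and the zone name example.corp are constructed placeholders.

```conf
// named.conf fragment for the DMZ DNS server (BIND 9) -- added example.
// 172.16.44.0/22 (private) and 172.16.181.0/24 (DMZ) come from the thread;
// 172.16.44.10 (internal DNS master), 172.16.182.0/24 (VPN client pool)
// and example.corp (the AD domain) are constructed assumptions.

acl internal-dns { 172.16.44.10; };      // master this secondary pulls from
acl vpn-clients  { 172.16.182.0/24; };   // addresses handed out by the VPN
acl private-net  { 172.16.44.0/22; };    // the internal network itself

options {
    directory "/var/named";
    recursion no;               // this box only answers for zones it holds
    allow-query { none; };      // default deny; the views open it up below
    allow-transfer { none; };   // never hand the AD zone on to anyone else
    notify no;
};

// Only clients that authenticated through the VPN (or are already on the
// private network) can see the AD zone with its _ldap, _kerberos, _gc and
// _kpasswd SRV records; the DC targets inside it are private addresses
// that must be routable from the VPN pool.
view "vpn" {
    match-clients { vpn-clients; private-net; };
    allow-query   { vpn-clients; private-net; };
    recursion no;

    zone "example.corp" {
        type slave;                         // "secondary" in Windows terms
        file "slave/example.corp.db";
        masters { internal-dns; };          // zone transfer from the inside
        allow-transfer { none; };
    };
};

// Every other address in the DMZ lands here: no zones, so every query
// is refused rather than answered.
view "other" {
    match-clients { any; };
    allow-query { none; };
    recursion no;
};
```

The matching half on the Windows 2000 DNS server that holds the zone is to allow zone transfers only to 172.16.181.53 (Zone Properties, Zone Transfers tab, "Only to the following servers"), so that the DMZ box is the single host able to pull the SRV records. After `named-checkconf`, a query for `_ldap._tcp.dc._msdcs.example.corp` of type SRV from an address in the VPN pool should return the DC targets, while the same query from any other DMZ address should come back REFUSED; both results are worth confirming before pointing the VPN clients at the DMZ server.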