
DNS client setting in the DNS servers behind firewall

Last response: in Windows 2000/NT
August 9, 2004 8:28:42 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

I have pri & sec DNS servers w/o AD; they are not DCs, just standalone servers.

1. In their NICs, for pri & alternate DNS setting...do I have to use:

pri: Primary DNS IP
alternate: Secondary DNS IP
for PRI & SEC DNS servers?

Or something else?

2. Another thing: these DNS servers are behind a firewall, so there are
NAT/internal IPs & public IPs.
Which one do I have to use in the pri & alternate DNS setting (in TCP/IP
properties)?

3. Let's say both of the DNS servers are dual-homed, so the pri & alternate DNS
settings (in TCP/IP properties) are:

Internal NIC:
- Pri: LAN/internal NIC IP (public IP)
- Alternate: empty

External NIC:
- Pri: LAN/internal NIC IP (public IP)
- Alternate: empty
with forwarder to ISP DNS IP

is that correct?

Please correct me if I am wrong.

Rgds,
John
Anonymous
August 9, 2004 10:32:33 PM

In news:ecjjU8kfEHA.3964@TK2MSFTNGP12.phx.gbl,
Joe <joebio91@hotmail.com> wrote their comments
Then Kevin replied below:
> I have pri & sec DNS w/o AD & not DC just the standalone
> servers.
>
> 1. In their NICs, for pri & alternate DNS setting...do I
> have to use:
>
> pri: Primary DNS IP
> alternate: Secondary DNS IP
> for PRI & SEC DNS servers?

It makes no difference if Dynamic DNS is not being used.

>
> Or something else?
>
> 2. Other thing, these DNS behind firewall so there are
> NAT/internal IPs & public IPs.
> Which one do I have to use in the pri & alternate DNS
> setting (in TCP/IP properties) ??

Are the DNS servers you are referring to hosting Public zones for public
domains?
If they are and you are behind NAT you cannot use either of these DNS
servers for your local Network DNS resolution because being behind NAT all
your servers will need to be accessed by their private IP addresses.

>
> 3. If let say both of the DNS has dual homed, so the pri
> & alternate DNS setting (in TCP/IP properties)

As long as AD is not in use and Dynamic DNS is not in use, multi-homing has
no effect, but as I said, if these two DNS servers are for public use they
won't resolve local machines. You need a third DNS server for local
resolution.

You could make one DNS server for local resolution and the other for public
resolution, in that case, all your local machines must point to the DNS
server that has the records for the local network, and NAT incoming DNS
requests to the DNS server that has the public records. Do not attempt to
make MS DNS act as dual role resolving both internal names and public names
on the same DNS server. If you publish private records in a public zone DNS
resolution will be inconsistent, at best.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
================================================
--
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
================================================
http://www.lonestaramerica.com/
================================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
================================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
================================================
August 10, 2004 3:52:17 PM

Oh ya... do I need to fill in "DNS suffix for this connection"?
How about "register this...." & "use the connection..."?
Do I also have to set the same settings for both of the NICs (dual-homed DNS)?

Joe
August 10, 2004 7:54:49 PM

"Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote in message
news:eljIukmfEHA.904@TK2MSFTNGP09.phx.gbl...
> In news:ecjjU8kfEHA.3964@TK2MSFTNGP12.phx.gbl,
> Joe <joebio91@hotmail.com> wrote their comments
> Then Kevin replied below:
> > I have pri & sec DNS w/o AD & not DC just the standalone
> > servers.
> >
> > 1. In their NICs, for pri & alternate DNS setting...do I
> > have to use:
> >
> > pri: Primary DNS IP
> > alternate: Secondary DNS IP
> > for PRI & SEC DNS servers?
>
> It makes no difference if Dynamic DNS is not being used.

My point is do I have to put just
pri: Primary DNS IP
alternate: Secondary DNS IP
OR
pri: Primary DNS IP
alternate: blank
OR
it doesn't matter

As per #2
So should the IP address I put in be the private IP or the public IP of the DNS
server itself? Do both pri & alternate need to be filled in?
>
> >
> > Or something else?
> >
> > 2. Other thing, these DNS behind firewall so there are
> > NAT/internal IPs & public IPs.
> > Which one do I have to use in the pri & alternate DNS
> > setting (in TCP/IP properties) ??
>
> Are the DNS servers you are referring to hosting Public zones for public
> domains?
Yes, these servers are just for public domains only, not local queries.

> If they are and you are behind NAT you cannot use either of these DNS
> servers for your local Network DNS resolution because being behind NAT all
> your servers will need to be accessed by their private IP addresses.
>

4. For the other servers in our server farm, which host the websites for the
domains that have zone files in these pri & sec DNS servers, the DNS client
setting needs to use the ISP DNS, not our pri & sec DNS, is that correct?
Or is it OK if we use the public IPs of these DNS servers?
Anonymous
August 10, 2004 9:05:31 PM

In news:uPkkGGvfEHA.3700@TK2MSFTNGP12.phx.gbl,
Joe <joebio91@hotmail.com> wrote their comments
Then Kevin replied below:
> Oh ya....do I need to fill in "DNS suffix for this
> connection" ?
> how about "register this...." & "use the connection..."
> Do I also has to set the same setting for both of the NIC
> (dual homed DNS)?

You would need to clarify the use of the DNS servers.
Are the zones public zones for public users?
or
Are the zones for internal users resolving local resources?



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
Anonymous
August 10, 2004 9:18:39 PM

In news:%23zPJoNxfEHA.3700@TK2MSFTNGP12.phx.gbl,
Joe <joebio91@hotmail.com> wrote their comments
Then Kevin replied below:
> "Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US>
> wrote in message
> news:eljIukmfEHA.904@TK2MSFTNGP09.phx.gbl...
>> In news:ecjjU8kfEHA.3964@TK2MSFTNGP12.phx.gbl,
>> Joe <joebio91@hotmail.com> wrote their comments
>> Then Kevin replied below:
>>> I have pri & sec DNS w/o AD & not DC just the standalone
>>> servers.
>>>
>>> 1. In their NICs, for pri & alternate DNS setting...do I
>>> have to use:
>>>
>>> pri: Primary DNS IP
>>> alternate: Secondary DNS IP
>>> for PRI & SEC DNS servers?
>>
>> It makes no difference if Dynamic DNS is not being used.
>
> My point is do I have to put just
> pri: Primary DNS IP
> alternate: Secondary DNS IP
> OR
> pri: Primary DNS IP
> alternate: blank
> OR
> it doesn't matter

It does not matter as long as the DNS server is for the local network.

>
> As per #2
> So the IP address I put it in should be private IP or
> public IP of that DNS servers itself? both of pri &
> alternate need to fill in?

Use the Private IP in the NIC


> 4. For other servers in our servers farm which hosting
> the websites for the domains that have zone files in
> these pri & sec DNS, the DNS client setting need to use
> ISP DNS not our pri & sec DNS then, is it correct?
> Or that's ok if we use public IP of these DNS ??

I think you are confusing the issue; the issue is, are your DNS servers for
use as Authoritative zones for public domains?
All the machines in your "farm" must use a local DNS server in their NICs
that has zones publishing private records so the machines can "talk" to
each other. These machines will not be able to communicate with each other
or access the sites on them using DNS data that is intended for public use.
IOW, they cannot communicate using the public IP addresses; the machines
themselves can only use local addresses.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
August 11, 2004 12:51:28 PM

Zone public for public user

Joe


"Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote in message
news:uKHpoYyfEHA.2764@TK2MSFTNGP11.phx.gbl...
> In news:uPkkGGvfEHA.3700@TK2MSFTNGP12.phx.gbl,
> Joe <joebio91@hotmail.com> wrote their comments
> Then Kevin replied below:
> > Oh ya....do I need to fill in "DNS suffix for this
> > connection" ?
> > how about "register this...." & "use the connection..."
> > Do I also has to set the same setting for both of the NIC
> > (dual homed DNS)?
>
> You would need to clarify, the use of the DNS servers.
> Are the zones for public zones for public users?
> or
> Are the zones for internal users resolving local resources?
August 11, 2004 12:59:00 PM

Yes, the DNS authoritize for public domain

--
Regards,
Joe


"Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote in message
news:o iEW%23fyfEHA.2468@TK2MSFTNGP12.phx.gbl...
> In news:%23zPJoNxfEHA.3700@TK2MSFTNGP12.phx.gbl,
> Joe <joebio91@hotmail.com> wrote their comments
> Then Kevin replied below:
> > "Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US>
> > wrote in message
> > news:eljIukmfEHA.904@TK2MSFTNGP09.phx.gbl...
> >> In news:ecjjU8kfEHA.3964@TK2MSFTNGP12.phx.gbl,
> >> Joe <joebio91@hotmail.com> wrote their comments
> >> Then Kevin replied below:
> >>> I have pri & sec DNS w/o AD & not DC just the standalone
> >>> servers.
> >>>
> >>> 1. In their NICs, for pri & alternate DNS setting...do I
> >>> have to use:
> >>>
> >>> pri: Primary DNS IP
> >>> alternate: Secondary DNS IP
> >>> for PRI & SEC DNS servers?
> >>
> >> It makes no difference if Dynamic DNS is not being used.
> >
> > My point is do I have to put just
> > pri: Primary DNS IP
> > alternate: Secondary DNS IP
> > OR
> > pri: Primary DNS IP
> > alternate: blank
> > OR
> > it doesn't matter
>
> It does not matter as long as the DNS server is for the local network.
>
> >
> > As per #2
> > So the IP address I put it in should be private IP or
> > public IP of that DNS servers itself? both of pri &
> > alternate need to fill in?
>
> Use the Private IP in the NIC
>
>
> > 4. For other servers in our servers farm which hosting
> > the websites for the domains that have zone files in
> > these pri & sec DNS, the DNS client setting need to use
> > ISP DNS not our pri & sec DNS then, is it correct?
> > Or that's ok if we use public IP of these DNS ??
>
> I think you are confusing the issue, the issue is are your DNS servers for
> use as Authoritative zones for public domains?
> All the machines in your "farm" must use a local DNS server in their NICs
> that have zones publishing private records so the machines can "talk" to
> each other. These machines will not be able to communicate with each other
> or access the sites on them using DNS data that is intended for public use.
> IOW, they cannot communicate using the public IP addresses, the machines
> themselves can only use local addresses.
>
Anonymous
August 11, 2004 1:54:26 PM

In news:uNoOuF6fEHA.2928@TK2MSFTNGP10.phx.gbl,
Joe <joebio91@hotmail.com> wrote their comments
Then Kevin replied below:
> Zone public for public user

Thank you for clarifying that. You should not use the public DNS servers in
the NIC of any machine on the local network. The zones on the public servers
are fine if you're outside on the internet, but they are useless for the
machines on the local network, which can't use the data in them because the
IP addresses are public IP addresses, unless you actually have the public
addresses on the machines.
You need at least one DNS server for these machines to use for DNS that _no_
public users have access to. That DNS server must publish IP addresses the
machines can use to communicate with.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
================================================
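
The two rules given in the replies above (no private records in a public zone, and no local machine pointing its NIC at the public-zone DNS servers) can be checked mechanically. The Python below is an added example, not part of the original thread; the zone contents, host names, addresses and role labels are constructed sample data, and the parser assumes one record per line in standard zone-file syntax.

```python
import ipaddress

# RFC 1918 ranges are listed explicitly: ipaddress.is_private would also
# match documentation ranges such as 203.0.113.0/24 used as "public" here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a public zone with private records published by mistake.
PUBLIC_ZONE = """\
$ORIGIN example.com.
@      3600 IN SOA ns1.example.com. hostmaster.example.com. 1 3600 600 86400 3600
@      3600 IN NS  ns1.example.com.
ns1    3600 IN A   203.0.113.10
www    3600 IN A   203.0.113.20   ; public web site
intra  3600 IN A   192.168.1.25   ; private record, should not be here
       3600 IN A   10.0.0.5       ; owner name inherited from previous line
"""

# Constructed inventory: which DNS server (by its private IP) hosts which
# kind of zone, and the DNS servers configured in each machine's NIC.
DNS_ROLES = {"192.168.1.10": "public", "192.168.1.11": "public",
             "192.168.1.12": "internal"}
NIC_RESOLVERS = {"web01": ["192.168.1.12"],
                 "web02": ["192.168.1.10", "192.168.1.11"],
                 "db01": ["192.168.1.12", "192.168.1.10"]}


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def private_records(zone_text):
    """Return (owner, address) for every A record holding an RFC 1918 address."""
    hits, owner = [], None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue                                   # blank line or directive
        fields = line.split()
        if not raw[0].isspace():                       # line names its owner
            owner, fields = fields[0], fields[1:]
        # Skip the optional TTL and class that may precede the record type.
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields = fields[1:]
        if len(fields) >= 2 and fields[0].upper() == "A" and is_rfc1918(fields[1]):
            hits.append((owner, fields[1]))
    return hits


def misdirected_clients(nic_resolvers, dns_roles):
    """Return (host, resolver) pairs where a local machine uses a public-zone server."""
    return sorted((host, r) for host, servers in nic_resolvers.items()
                  for r in servers if dns_roles.get(r) == "public")


if __name__ == "__main__":
    for owner, addr in private_records(PUBLIC_ZONE):
        print(f"private address in public zone: {owner} -> {addr}")
    for host, resolver in misdirected_clients(NIC_RESOLVERS, DNS_ROLES):
        print(f"{host} resolves through public-zone server {resolver}")
```
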
Anonymous
August 12, 2004 2:49:44 AM

In news:o TwE8J6fEHA.3632@TK2MSFTNGP11.phx.gbl,
Joe <joebio91@hotmail.com> made a post then I commented below
> Yes, the DNS authoritize for public domain
>

Are you saying you are using your internal DNS for hosting public data?

Ace
August 12, 2004 1:14:31 PM

No, the pri DNS servers are using for hosting public domain, but because
originally this server has dual NIC (the other one to 'bridge'/connect to
other network, because orig this server has VPN install even now).
The sec DNS servers are using for hosting public domain also, but because
originally this server has dual NIC (the other one to 'bridge'/connect to
other network, because this server has used also for backup all the servers
in different network even now).
Probably not too good design but no choice because no server available,
except the VPN server move to Backup server(sec DNS, dual NIC), so the pri
DNS will have single NIC.

Joe
Anonymous
August 12, 2004 11:20:46 PM

In news:o $1nS3GgEHA.2524@TK2MSFTNGP09.phx.gbl,
Joe <joebio91@hotmail.com> made a post then I commented below
> No, the pri DNS servers are using for hosting public domain, but
> because originally this server has dual NIC (the other one to
> 'bridge'/connect to other network, because orig this server has VPN
> install even now).
> The sec DNS servers are using for hosting public domain also, but
> because originally this server has dual NIC (the other one to
> 'bridge'/connect to other network, because this server has used also
> for backup all the servers in different network even now).
> Probably not too good design but no choice because no server
> available, except the VPN server move to Backup server(sec DNS, dual
> NIC), so the pri DNS will have single NIC.
>
> Joe
>
>
> "Ace Fekay [MVP]"
> <PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
> message news:%23YhPocBgEHA.1652@TK2MSFTNGP09.phx.gbl...
>> In news:o TwE8J6fEHA.3632@TK2MSFTNGP11.phx.gbl,
>> Joe <joebio91@hotmail.com> made a post then I commented below
>>> Yes, the DNS authoritize for public domain
>>>
>>
>> Are you saying you are using your internal DNS for hosting public
>> data?
>>
>> Ace

I see. Well, sometimes it's easier to have a clean and streamlined design.
When going against the grain, especially on a DC/DNS server, it complicates
it and makes it a bit difficult to tech support it. Usually recommend to use
a plain old member server for this. I can understand if there is politics
involved, even though politics has no room in a technical environment.

Cheers!
:-)

Ace