Archived from groups: microsoft.public.win2000.dns
"Bartly" <Bartly@discussions.microsoft.com> wrote in message
news:040500E-8023-4C45-93C6-E6685040B854@microsoft.com...
> Thanks Herb for clearing that up. I will keep a third server as it seems
> beneficial especially for the caching.
Certainly, you are welcome.
Do note however that with only 100 nodes the caching
MAY be of negligible benefit (or useful), but the security
is likely the biggest benefit IF you have otherwise
protected your DCs/DNS servers.
The benefit of the ISP caching (especially for a large
ISP, e.g., Roadrunner, SBC) can be more dramatic,
and the proximity (Internet side of your WAN) of the
ISP to the body of Internet DNS servers is almost
always a benefit (reduces bandwidth usage AND
improves performance of resolution even when not
in cache at the ISP.)
--
Herb Martin
"Bartly" <Bartly@discussions.microsoft.com> wrote in message
news:040500E-8023-4C45-93C6-E6685040B854@microsoft.com...
> Thanks Herb for clearing that up. I will keep a third server as it seems
> beneficial especially for the caching.
>
> "Herb Martin" wrote:
>
> > "Bartly" <Bartly@discussions.microsoft.com> wrote in message
> > news:290CEA33-4BFF-4BD3-BA9A-C6D21355C3DF@microsoft.com...
> > > 100 node, 8 server domain with 2 win2003 DC's. The DNS on each DC points to a
> > > third DNS server that forwards to our ISP DNS for external resolution.
> > > Works great.
> >
> > Very normal, especially if that 3rd-Forwarder DNS is
> > on your Firewall or close to it.
> >
> > > Question: The third DNS server is going away. Before I install another DNS
> > > server to replace it, I wonder if I really need this setup?
> >
> > I prefer it. You CAN allow the DCs to visit the ISP -- that
> > isn't usually too large a security risk, but it is slightly safer
> > to keep the DCs INSIDE your network, and it also simplifies
> > your firewall administration. (You don't have to make
> > exceptions for the DCs).
> >
> > It also consolidates your DNS cache (any client from either
> > internal DNS server will benefit from the consolidated cache
> > and it might work a BIT faster.)
> >
> > > Can I just set
> > > the DNS on each DC to forward to the external DNS? Or use one as the
> > > forwarder?
> >
> > Yes.
> >
> > > Or use root hints?
> >
> > I am opposed to this but it is not a major crime.
> >
> > You are basically telling your DCs it is ok to visit
> > the ENTIRE INTERNET, including those wonderful
> > places like ns1.ReallyEvilCrackers.com.
> >
> > It also bypasses the (hopefully) much more populated
> > cache of the ISP DNS, and requires all the actual
> > queries to traverse your WAN separately rather than
> > sending one request to the ISP and letting it deal with
> > the requests, and the security issues.
> >
> > IF you eliminate the 3rd DNS then you should also
> > implement "do not use recursion" (ONLY on the
> > forwarders tab.)
> >
> > You do recognize that the 3rd DNS server does NOT
> > need to have any zone, and probably should NOT have
> > any. It should be a caching only DNS server and NO
> > client should point to it in the NIC-IP settings (probably
> > it should not even point to itself if it is a domain machine.)
> >
> > All INTERNAL DNS clients must point solely at the
> > fully populated INTERNAL DNS servers.
> >
> > --
> > Herb Martin
> >
> > >
> > > Thanks!
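The configuration Herb describes above (forward to the ISP, "do not use recursion" on the forwarders tab only, and a caching-only box with no zones) as an added example; this is not code from the thread or from Microsoft, and it uses the DnsServer PowerShell module of Windows Server 2012 and later rather than the 2003-era MMC the thread is about (the 2003-era equivalent of the forwarder setting was the `/Slave` option of `dnscmd /ResetForwarders`). The resolver addresses are constructed placeholders from the RFC 5737 documentation ranges; substitute your ISP's resolvers.

```powershell
# Added example, not from the thread. Requires the DnsServer module (Windows
# Server 2012+) and must run elevated on the DNS server being configured.
# IP addresses below are constructed placeholders (RFC 5737 documentation range).
$IspResolvers = @('203.0.113.53', '203.0.113.54')   # assumed ISP resolver addresses

# 1. Forward every query the server is not authoritative for to the ISP, and do NOT
#    fall back to root hints when the forwarders are unreachable. -UseRootHint $false
#    is the modern form of the thread's "do not use recursion" on the Forwarders tab:
#    the DC never walks the Internet DNS tree itself, so only the forwarder addresses
#    need an outbound firewall exception.
Set-DnsServerForwarder -IPAddress $IspResolvers -UseRootHint $false -Timeout 3

# 2. Leave recursion ENABLED server-wide. Internal clients rely on the DC to resolve
#    external names on their behalf; disabling recursion globally would break that.
#    Only the forwarder-level root-hint fallback is switched off, as the thread advises.
Set-DnsServerRecursion -Enable $true

# 3. Verify the resulting state and fail loudly if either setting is wrong.
$fw  = Get-DnsServerForwarder
$rec = Get-DnsServerRecursion
if ($fw.UseRootHint) {
    throw 'Root-hint fallback is still on; the DC may query arbitrary Internet name servers.'
}
if (-not $rec.Enable) {
    throw 'Recursion is disabled globally; internal clients will no longer resolve external names.'
}
"Forwarders: $($fw.IPAddress -join ', ')  UseRootHint=$($fw.UseRootHint)  Recursion=$($rec.Enable)"

# 4. For the caching-only forwarder box (the thread's "third DNS server"): it should
#    carry no zones beyond the ones the server auto-creates for itself. Run this ON
#    that box; anything listed here is a zone it should not be hosting.
$zones = Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' }
if ($zones) {
    Write-Warning "Caching-only server unexpectedly hosts zones: $($zones.ZoneName -join ', ')"
}

# 5. Functional check against this server only (-DnsOnly skips LLMNR/NetBIOS and the
#    local cache): an external name must resolve via the forwarders.
Resolve-DnsName -Name 'example.com' -Type A -Server 127.0.0.1 -DnsOnly
```

Step 1 is the one that carries the security point of the thread: with root-hint fallback off, the DC's outbound DNS traffic is confined to the two forwarder addresses, so the firewall rule for the DCs can be that narrow, and a forwarder outage shows up as a resolution failure rather than as the DC silently starting to contact arbitrary Internet servers.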