Public Namespace and Private Network

Archived from groups: microsoft.public.win2000.dns,microsoft.public.windows.server.dns,microsoft.public.windowsnt.dns (More info?)

I registered a domain called mycompany.com.

I have a number of internal customers that need to access my internal
website. Each customer has a circuit into our business for direct access.

I have set up a DNS server for mycompany.com and created a primary zone. I
have placed a few A records to point to various servers that we have.

Since most of our customers have Internet access already, they can use the
public namespace to resolve the DNS names to private IP addresses that they
can access through their internal network to us.

Testing would seem to indicate this works.

I will also have a secondary server on our internal network for customers
without Internet access to point to.

My question is this.... does anyone see anything wrong with the scenario?
I mean, my network and my customers networks are their responsibility. I
cannot expect them to install DNS servers, secondary zones, or anything of
the like on their side. I'm trying to make this a seamless transition for
them with respect to accessing our servers.

Yes, they could use HOSTS files, but that defeats the purpose as there are
hundreds of clients at each of our customers. Some customers may have their
own DNS that forwards to their ISP. Others may not have Internet access at
all which is why I wish to have an internal secondary that they can point
use to resolve resouces within my zone.

Are there any security issues that I need to be concerned with?

I realize someone could possibly see www.mycompany.com points to a server on
the 192.168.33.x network. But this should not be a problem as this is
non-routable through Internet.

Opinions?
3 answers Last reply
More about public namespace private network
  1. Archived from groups: microsoft.public.win2000.dns,microsoft.public.windows.server.dns,microsoft.public.windowsnt.dns (More info?)

    "dm4714" <spam@spam.net> wrote in message
    news:uyVRoC#EFHA.560@TK2MSFTNGP15.phx.gbl...
    > I registered a domain called mycompany.com.
    >
    > I have a number of internal customers that need to access my internal
    > website. Each customer has a circuit into our business for direct access.

    Didn't we just go through this a couple of days ago?

    > I have set up a DNS server for mycompany.com and created a primary zone.
    I
    > have placed a few A records to point to various servers that we have.
    >
    > Since most of our customers have Internet access already, they can use the
    > public namespace to resolve the DNS names to private IP addresses that
    they
    > can access through their internal network to us.

    Ok, so mycompany.com is publicly delegated from
    Com to a DNS server that every customer can reach?

    Ok, as long as their routing is correct this much works.

    > Testing would seem to indicate this works.

    Makes sense.

    > I will also have a secondary server on our internal network for customers
    > without Internet access to point to.

    Ok, that it is a seconcary is irrelevant to them (only
    meaningful to you.)

    (You probably should disable recursion on this
    DNS server -- if it doesn't have the answer you
    don't want it going to the Internet since they don't
    "do Internet". And this should be the FULL Disable
    Recursion in the Advanced tab which really means
    don't process recursive queries and therefore don't
    Recure and DON'T EVEN forward. This DNS server
    isn't going to work for your users that NEED
    Internet resolution now.)

    > My question is this.... does anyone see anything wrong with the scenario?

    So you will instruct them to use YOUR DNS server
    for their OWN CLIENTS and they will be unable to
    use their own DNS?

    Or if they have only one zone they will and their clients
    use their own DNS server, will you have them forward
    to you?

    Should work.

    What about clients who have multiple zone-trees, but no
    Internet access?

    They will have to include you into whatever scheme they
    currenty use to hook the trees together, either holding a
    secondary for your zone (you must allow this) or some
    substitute OR by delegating from their internal root
    down to your DNS server that they may use.


    > I mean, my network and my customers networks are their responsibility. I
    > cannot expect them to install DNS servers, secondary zones, or anything of
    > the like on their side. I'm trying to make this a seamless transition for
    > them with respect to accessing our servers.

    You are expecting that they will have IP and have no
    DNS servers of their own?

    That is an unlikely assumption on a network with routers,
    but possible.

    And they are going to have to change every one of their
    clients to use your DNS server (which shouldn't be a big
    deal if they have no DNS server.)

    > Yes, they could use HOSTS files, but that defeats the purpose as there are
    > hundreds of clients at each of our customers. Some customers may have
    their
    > own DNS that forwards to their ISP. Others may not have Internet access
    at
    > all which is why I wish to have an internal secondary that they can point
    > use to resolve resouces within my zone.
    >
    > Are there any security issues that I need to be concerned with?

    It's not really a security issue since presumably your
    network is already open to them for something more
    sensitive than your DNS names....

    > I realize someone could possibly see www.mycompany.com points to a server
    on
    > the 192.168.33.x network. But this should not be a problem as this is
    > non-routable through Internet.

    Correct. If I see this (from outside) and cannot route to it
    (I cannot from here) then I will at best waste my time
    trying.

    > Opinions?

    It's pretty goofy (seriously it has a flaky feel, to someone
    who has spent a long time consulting and designing solution)
    but it CAN work.

    If it meets your needs -- your biggest problem will likely
    be those people who say they have no Internet access and
    then next week put one into their system.

    Then they won't be able to figure out why their clients
    pointed at you no longer work -- OR they will point
    them to themselves and break access to you...or...

    Worst of all, they will put BOTH sets of DNS servers
    on the client and get RANDOM results that work one
    day for one client and not for another, and change the
    next day.


    --
    Herb Martin


    "dm4714" <spam@spam.net> wrote in message
    news:uyVRoC#EFHA.560@TK2MSFTNGP15.phx.gbl...
    > I registered a domain called mycompany.com.
    >
    > I have a number of internal customers that need to access my internal
    > website. Each customer has a circuit into our business for direct access.
    >
    > I have set up a DNS server for mycompany.com and created a primary zone.
    I
    > have placed a few A records to point to various servers that we have.
    >
    > Since most of our customers have Internet access already, they can use the
    > public namespace to resolve the DNS names to private IP addresses that
    they
    > can access through their internal network to us.
    >
    > Testing would seem to indicate this works.
    >
    > I will also have a secondary server on our internal network for customers
    > without Internet access to point to.
    >
    > My question is this.... does anyone see anything wrong with the scenario?
    > I mean, my network and my customers networks are their responsibility. I
    > cannot expect them to install DNS servers, secondary zones, or anything of
    > the like on their side. I'm trying to make this a seamless transition for
    > them with respect to accessing our servers.
    >
    > Yes, they could use HOSTS files, but that defeats the purpose as there are
    > hundreds of clients at each of our customers. Some customers may have
    their
    > own DNS that forwards to their ISP. Others may not have Internet access
    at
    > all which is why I wish to have an internal secondary that they can point
    > use to resolve resouces within my zone.
    >
    > Are there any security issues that I need to be concerned with?
    >
    > I realize someone could possibly see www.mycompany.com points to a server
    on
    > the 192.168.33.x network. But this should not be a problem as this is
    > non-routable through Internet.
    >
    > Opinions?
    >
    >
  2. Archived from groups: microsoft.public.win2000.dns,microsoft.public.windows.server.dns,microsoft.public.windowsnt.dns (More info?)

    Thanks for your response, Herb. See below

    On other comment - currently today, all my customers access my servers using
    IP address. Trying to implement DNS seems like it is going to be more
    demanding that just handing them a static IP and hoping you never try to
    consolidate or move servers around.

    My customers network is a closed environment - other than them having the
    ability to access servers on my network and possibly the Internet using
    their ISP.

    My network is a closed environment and we have the ability to access the
    Internet.

    I've learned a lot about DNS in the past week, but I'm almost regretting
    that I recommended that we use this for our internal name resolution between
    our customers. Me and my big mouth!

    I should have said... D-N-S what?


    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:eks02w$EFHA.2052@TK2MSFTNGP09.phx.gbl...
    >
    > "dm4714" <spam@spam.net> wrote in message
    > news:uyVRoC#EFHA.560@TK2MSFTNGP15.phx.gbl...
    >> I registered a domain called mycompany.com.
    >>
    >> I have a number of internal customers that need to access my internal
    >> website. Each customer has a circuit into our business for direct
    >> access.
    >
    > Didn't we just go through this a couple of days ago?
    >
    >> I have set up a DNS server for mycompany.com and created a primary zone.
    > I
    >> have placed a few A records to point to various servers that we have.
    >>
    >> Since most of our customers have Internet access already, they can use
    >> the
    >> public namespace to resolve the DNS names to private IP addresses that
    > they
    >> can access through their internal network to us.
    >
    > Ok, so mycompany.com is publicly delegated from
    > Com to a DNS server that every customer can reach?

    Yes. Originally, my plan was to have a DNS server on the inside of the
    private network. The only problem with this was that some customers
    forwarded their Internet access to their ISP -- which would never be able to
    perform an iterative lookup to our private server after querying root, gTLD
    server. It would fail trying to connect to mycompany.com DNS server.


    >
    > Ok, as long as their routing is correct this much works.
    >
    >> Testing would seem to indicate this works.
    >
    > Makes sense.
    >
    >> I will also have a secondary server on our internal network for customers
    >> without Internet access to point to.
    >
    > Ok, that it is a seconcary is irrelevant to them (only
    > meaningful to you.)
    >
    > (You probably should disable recursion on this
    > DNS server -- if it doesn't have the answer you
    > don't want it going to the Internet since they don't
    > "do Internet". And this should be the FULL Disable
    > Recursion in the Advanced tab which really means
    > don't process recursive queries and therefore don't
    > Recure and DON'T EVEN forward. This DNS server
    > isn't going to work for your users that NEED
    > Internet resolution now.)

    Yes, on my internal DNS server, I have disabled recursion. This way, if
    they do not have Internet access and key in microsoft.com, my DNS server
    will not try and resolve the name for them. It will only look for names
    that are within my server's zone files.


    >
    >> My question is this.... does anyone see anything wrong with the scenario?
    >
    > So you will instruct them to use YOUR DNS server
    > for their OWN CLIENTS and they will be unable to
    > use their own DNS?

    They will not use my internal DNS server unless they do not have have
    dedicated internet access. If they do have a DNS without Internet access,
    then my plan is for them to add a forward lookup to my server.

    If their clients have to put DNS entires to my server, then they will only
    have DNS lookup for my zone. Otherwise, if they already have DNS entries
    for their internal server (without Internet access), they will have to add a
    forward lookup to my internal server.


    >
    > Or if they have only one zone they will and their clients
    > use their own DNS server, will you have them forward
    > to you?

    This is what I would like to do. Do multiple zones on their server matter?


    >
    > Should work.
    >
    > What about clients who have multiple zone-trees, but no
    > Internet access?
    >
    > They will have to include you into whatever scheme they
    > currenty use to hook the trees together, either holding a
    > secondary for your zone (you must allow this) or some
    > substitute OR by delegating from their internal root
    > down to your DNS server that they may use.

    You've lost me here. I suppose some of them could have an AD DNS
    configuration -- and it may cause me problems. I'm hoping they since my
    name is publically registered, that they can simply add a forward looking to
    my server (without recursion enable) or some sort of "conditional
    forwarding" for my domain.

    I really do not want to entertain the thought of my customers becoming
    secondaries to my zones. This would require more maintenance for all
    involved, in addition to publishing them a list of everything we have setup
    on our DNS.

    >
    >
    >> I mean, my network and my customers networks are their responsibility. I
    >> cannot expect them to install DNS servers, secondary zones, or anything
    >> of
    >> the like on their side. I'm trying to make this a seamless transition
    >> for
    >> them with respect to accessing our servers.
    >
    > You are expecting that they will have IP and have no
    > DNS servers of their own?

    I did not mention this, but all our customers have IP and they currently
    talk to our networking with it.


    >
    > That is an unlikely assumption on a network with routers,
    > but possible.
    >
    > And they are going to have to change every one of their
    > clients to use your DNS server (which shouldn't be a big
    > deal if they have no DNS server.)

    Agreed.


    >
    >> Yes, they could use HOSTS files, but that defeats the purpose as there
    >> are
    >> hundreds of clients at each of our customers. Some customers may have
    > their
    >> own DNS that forwards to their ISP. Others may not have Internet access
    > at
    >> all which is why I wish to have an internal secondary that they can point
    >> use to resolve resouces within my zone.
    >>
    >> Are there any security issues that I need to be concerned with?
    >
    > It's not really a security issue since presumably your
    > network is already open to them for something more
    > sensitive than your DNS names....
    >
    >> I realize someone could possibly see www.mycompany.com points to a server
    > on
    >> the 192.168.33.x network. But this should not be a problem as this is
    >> non-routable through Internet.
    >
    > Correct. If I see this (from outside) and cannot route to it
    > (I cannot from here) then I will at best waste my time
    > trying.
    >
    >> Opinions?
    >
    > It's pretty goofy (seriously it has a flaky feel, to someone
    > who has spent a long time consulting and designing solution)
    > but it CAN work.

    These sorts of things for me, in my experience, never seem easy because of
    the environment that I work in. Seems like some of the basic concepts in
    books are overly simplified and real-world solutions are never truly given.
    I mean, I wish I could just have to internet facing DNS servers and be done
    with it. But unfortunately, all my customers do not have the same network
    infrastructure and some are less sophisticated than others. Yes, some of
    our customers only use dial-up for Internet access.


    >
    > If it meets your needs -- your biggest problem will likely
    > be those people who say they have no Internet access and
    > then next week put one into their system.
    >
    > Then they won't be able to figure out why their clients
    > pointed at you no longer work -- OR they will point
    > them to themselves and break access to you...or...
    >
    > Worst of all, they will put BOTH sets of DNS servers
    > on the client and get RANDOM results that work one
    > day for one client and not for another, and change the
    > next day.

    I would agree. This is a risk and this will have to be communicated to all
    customers once DNS environment is implemented.

    >
    >
    > --
    > Herb Martin
    >
    >
    > "dm4714" <spam@spam.net> wrote in message
    > news:uyVRoC#EFHA.560@TK2MSFTNGP15.phx.gbl...
    >> I registered a domain called mycompany.com.
    >>
    >> I have a number of internal customers that need to access my internal
    >> website. Each customer has a circuit into our business for direct
    >> access.
    >>
    >> I have set up a DNS server for mycompany.com and created a primary zone.
    > I
    >> have placed a few A records to point to various servers that we have.
    >>
    >> Since most of our customers have Internet access already, they can use
    >> the
    >> public namespace to resolve the DNS names to private IP addresses that
    > they
    >> can access through their internal network to us.
    >>
    >> Testing would seem to indicate this works.
    >>
    >> I will also have a secondary server on our internal network for customers
    >> without Internet access to point to.
    >>
    >> My question is this.... does anyone see anything wrong with the scenario?
    >> I mean, my network and my customers networks are their responsibility. I
    >> cannot expect them to install DNS servers, secondary zones, or anything
    >> of
    >> the like on their side. I'm trying to make this a seamless transition
    >> for
    >> them with respect to accessing our servers.
    >>
    >> Yes, they could use HOSTS files, but that defeats the purpose as there
    >> are
    >> hundreds of clients at each of our customers. Some customers may have
    > their
    >> own DNS that forwards to their ISP. Others may not have Internet access
    > at
    >> all which is why I wish to have an internal secondary that they can point
    >> use to resolve resouces within my zone.
    >>
    >> Are there any security issues that I need to be concerned with?
    >>
    >> I realize someone could possibly see www.mycompany.com points to a server
    > on
    >> the 192.168.33.x network. But this should not be a problem as this is
    >> non-routable through Internet.
    >>
    >> Opinions?
    >>
    >>
    >
    >
  3. Archived from groups: microsoft.public.win2000.dns,microsoft.public.windows.server.dns,microsoft.public.windowsnt.dns (More info?)

    > They will not use my internal DNS server unless they do not have have
    > dedicated internet access. If they do have a DNS without Internet access,
    > then my plan is for them to add a forward lookup to my server.

    Not everyone can use your as a forwarder even if they have
    no Internet access (this might not affect your but it is certainly
    possible) if they already use their forwarders internally OR
    if they have their own "." root zone for resolving multiple
    trees.

    You might ignore these cases but you should do so consciously,
    and not be shocked if it occurs.

    > This is what I would like to do. Do multiple zones on their server
    matter?

    NOT if they are all on (all of) their DNS servers or if
    they have some scheme where the "forwarder setting"
    is not already in use.

    NOR if they have Win2003 (or another DNS server) which
    offers conditional forwarding. (Were all of your customers
    to run Win2003 DNS you really wouldn't have a problem.

    But there is really nothing wrong with allowing them to define
    and hold secondaries for your zone (coming off the server they
    would use anyway.)

    > > They will have to include you into whatever scheme they
    > > currenty use to hook the trees together, either holding a
    > > secondary for your zone (you must allow this) or some
    > > substitute OR by delegating from their internal root
    > > down to your DNS server that they may use.
    >
    > You've lost me here. I suppose some of them could have an AD DNS
    > configuration -- and it may cause me problems.

    That's not the issue (and I covered it again above.)

    The issue is if they have NO AVAILABLE forwarder setting
    (because they use it for something else) OR if they have an
    internal ROOT "." zone.

    > I'm hoping they since my
    > name is publically registered, that they can simply add a forward looking
    to
    > my server (without recursion enable) or some sort of "conditional
    > forwarding" for my domain.

    Conditional forwarding doesn't exist in Win2000 and lower,
    nor necessarily in all versions of other DNS servers. It is a
    relatively new feature.

    > I really do not want to entertain the thought of my customers becoming
    > secondaries to my zones.

    Why?

    > This would require more maintenance for all
    > involved, in addition to publishing them a list of everything we have
    setup
    > on our DNS.

    No really. It is about as hard to set a forward, especially
    a conditional forwarder, as it is to set a secondary.

    This way if they switch to using the Internet, it doesn't
    immediately screw them up.

    And for those running Win2003 with a Stub zone capability
    that will be another option.

    > > You are expecting that they will have IP and have no
    > > DNS servers of their own?
    >
    > I did not mention this, but all our customers have IP and they currently
    > talk to our networking with it.

    But do you expect they (any of them) have IP but no DNS?

    > > That is an unlikely assumption on a network with routers,
    > > but possible.
    > >
    > > And they are going to have to change every one of their
    > > clients to use your DNS server (which shouldn't be a big
    > > deal if they have no DNS server.)
    >
    > Agreed.

    And the first time someone ADDS Internet access to one
    or a 100 clients they will probably screw it up by putting
    BOTH DNS (public AND you) in there. <grin>

    Not your fault, but be prepared to help.


    > >> Opinions?
    > >
    > > It's pretty goofy (seriously it has a flaky feel, to someone
    > > who has spent a long time consulting and designing solution)
    > > but it CAN work.
    >
    > These sorts of things for me, in my experience, never seem easy because of
    > the environment that I work in. Seems like some of the basic concepts in
    > books are overly simplified and real-world solutions are never truly
    given.

    This is NOT a common situation -- they only reason that
    I can comment on it accurately is that I know the 10-12
    simple rules of DNS and can just run the resolution in my
    head to see what will work and what won't.

    All of the concepts I am giving you are based on COMMON
    principles no matter how complicated the design.

    Analogy:
    26 letters in the English language -- 100,000 to a Million words, but
    an infite number of books are possible.

    > I mean, I wish I could just have to internet facing DNS servers and be
    done
    > with it. But unfortunately, all my customers do not have the same network
    > infrastructure and some are less sophisticated than others. Yes, some of
    > our customers only use dial-up for Internet access.

    Which is not the fault of DNS (or you) but it just part of
    the burden your company CHOSE to assume to have these
    customers (really.)

    > >
    > > If it meets your needs -- your biggest problem will likely
    > > be those people who say they have no Internet access and
    > > then next week put one into their system.
    > >
    > > Then they won't be able to figure out why their clients
    > > pointed at you no longer work -- OR they will point
    > > them to themselves and break access to you...or...
    > >
    > > Worst of all, they will put BOTH sets of DNS servers
    > > on the client and get RANDOM results that work one
    > > day for one client and not for another, and change the
    > > next day.
    >
    > I would agree. This is a risk and this will have to be communicated to
    all
    > customers once DNS environment is implemented.

    Mostly if I can prepare you for this you will recognize it
    in the first 20 minutes instead of days or weeks later.

    It won't help that much to "communicate it" (except as CYA)
    because those that will do this will do it anyway.

    You will have to CATCH it when they start complaining OR
    teach their Admins (as I am trying to help you) to do so.
Ask a new question

Read More

Private Network Microsoft DNS Windows