Best practices for public DNS server

Archived from groups: microsoft.public.win2000.dns

Is there a "best practices" or some type of configuration guide to setting up
w2k to be a public DNS server?

I get internal DNS servers. What I'm looking for is what to look out for,
or do differently with a DNS server that is exposed to the general internet
from a configuration standpoint.
 

In news:D1B92CDD-F146-48A2-8ABC-FA565CA313BE@microsoft.com,
Daved <Daved@discussions.microsoft.com> commented
Then Kevin replied below:
> Is there a "best practices" or some type of configuration
> guide to setting up w2k to be a public DNS server?
>
> I get internal DNS servers. What I'm looking for is what
> to look out for, or do differently with a DNS server that
> is exposed to the general internet from a configuration
> standpoint.

If the DNS server is strictly for authoritative use and does not need to
resolve other names on the internet, disable recursion (Advanced
tab) (recommended).

UDP & TCP 53 open and forwarded to the DNS server's address.

Its zones must publish only publicly resolvable names for its NS and SOA
records and, of course, its host and CNAME records. MX records must point to
"A" host records (no CNAMEs).

All its records must publish only Public IP addresses.

There may be more, but these are the high points.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
 

"Daved" <Daved@discussions.microsoft.com> wrote in message
news:D1B92CDD-F146-48A2-8ABC-FA565CA313BE@microsoft.com...
> Is there a "best practices" or some type of configuration guide to setting up
> w2k to be a public DNS server?

The following SHOULD be a best practice for all but
the largest companies (in terms of Internet presence):

Leave your External DNS at the Registrar.

> I get internal DNS servers. What I'm looking for is what to look out for,
> or do differently with a DNS server that is exposed to the general internet
> from a configuration standpoint.

Avoid all this by using someone like GoDaddy.com or Register.com

They have 24-7 staff to maintain their fault tolerant
servers near the backbone and you already pay for
the DNS service when you register the name so it is
essentially free.

Run your own internal DNS, but let the registrar handle
your public zone DNS servers.
 

"Herb Martin" wrote:

> "Daved" <Daved@discussions.microsoft.com> wrote in message
> news:D1B92CDD-F146-48A2-8ABC-FA565CA313BE@microsoft.com...
> > Is there a "best practices" or some type of configuration guide to setting up
> > w2k to be a public DNS server?
>
> The following SHOULD be a best practice for all but
> the largest companies (in terms of Internet presence):
>
> Leave your External DNS at the Registrar.
>
> > I get internal DNS servers. What I'm looking for is what to look out for,
> > or do differently with a DNS server that is exposed to the general internet
> > from a configuration standpoint.
>
> Avoid all this by using someone like GoDaddy.com or Register.com
>
> They have 24-7 staffs to maintain their fault tolerant
> servers near the backbone and you already pay for
> the DNS service when you register the name so it is
> essentially free.
>
> Run your own internal DNS, but let the registrar handle
> your public zone DNS servers.

I'll agree to a point, but this isn't for my company's main web site, it's
for a test domain, and it's a hassle to keep calling the ISP to make changes,
so I'm going to take control of it myself.

It's odd that MS wouldn't have something on the site. I can find plenty of
guides and articles for setting up internal DNS, but nothing specifically
on public DNS.
 

> > Avoid all this by using someone like GoDaddy.com or Register.com
> >
> > They have 24-7 staffs to maintain their fault tolerant
> > servers near the backbone and you already pay for
> > the DNS service when you register the name so it is
> > essentially free.
> >
> > Run your own internal DNS, but let the registrar handle
> > your public zone DNS servers.
> >
> I'll agree to a point, but this isn't for my company's main web site, it's
> for a test domain, and it's a hassle to keep calling the ISP to make changes,
> so I'm going to take control of it myself.

I NEVER indicated "ISP" but said specifically the Registrar.

And without going into detail I meant those Registrars which
provide a web interface where you can make the changes yourself.

Most (many) ISPs do not provide such services and you are
much more likely to switch ISPs than to need to switch
Registrars.

Put it at the Registrar. Not your Server nor the ISP.

> It's odd that MS wouldn't have something on the site. I can find plenty of
> guides and articles for setting up internal DNS, but nothing specifically
> on public DNS.

It's not really an MS specific issue -- nor does it really affect
the domains etc.

Only the largest (in terms of Internet presence) companies
should even attempt their own DNS for external zones.

E.g., Microsoft (themselves), Amazon, LandsEnd and such.
 

Herb is right -- leaving this with the registrar is the best idea and I
can't think of any of them that do not allow you to change your records over
the web. Get this away from your ISP.

If you do decide to run your own...
1. Remember you MUST have two DNS servers, which are usually dedicated to the
task.
2. Tighten your firewall/routing rules to allow only DNS to these boxes.
3. Do not run a web server or FTP server on these, as the DoS risk is very
high.
4. Consider running BIND <gasp> on LINUX/BSD <gasp>.
5. If you have any doubts or feel that you don't have a full handle on the
risks you're exposing your organization to, don't do it. The pain of calling
your ISP is nothing compared to a DoS attack on your DNS servers or a domain
redirect.

--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Chicago, IL

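A zone-hygiene checker for Kevin's rules above (MX targets must be A records, never CNAMEs; only public addresses in the zone) and Ryan's first point (at least two name servers), as an added Python example that is not from any post in this thread. It assumes a constructed example.test zone and a deliberately minimal zone-file parser.

```python
import ipaddress
# Constructed sample zone for example.test (not from the thread); the CNAME behind
# the MX and the RFC 1918 address are deliberate defects for the checker to report.
SAMPLE_ZONE = """\
@        IN SOA   ns1.example.test. hostmaster.example.test. (1 3600 900 604800 300)
@        IN NS    ns1.example.test.
@        IN NS    ns2.example.test.
@        IN MX    10 mail.example.test.
ns1      IN A     203.0.113.10
ns2      IN A     203.0.113.11
www      IN A     203.0.113.20
mail     IN CNAME www.example.test.
intranet IN A     192.168.1.5
"""
# RFC 1918, loopback and link-local: never publish these in an external zone.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
def is_public(addr):
    return not any(ipaddress.ip_address(addr) in net for net in NON_PUBLIC)
def parse_zone(text, origin):
    """Minimal parser: one record per line with an explicit IN class (not full RFC 1035)."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _cls, rtype, *rdata = line.split()
        name = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        records.append((name.lower(), rtype.upper(), rdata))
    return records
def audit_zone(text, origin):
    """Return a list of findings; an empty list means the zone passes every check."""
    by_name = {}
    for name, rtype, rdata in parse_zone(text, origin):
        by_name.setdefault(name, {}).setdefault(rtype, []).append(rdata)
    apex, findings = by_name.get(origin, {}), []
    ns_targets = [r[0].lower() for r in apex.get("NS", [])]
    if len(ns_targets) < 2:  # RFC 2182: a zone needs at least two authoritative servers
        findings.append(f"only {len(ns_targets)} NS record(s); a public zone needs at least two")
    mx_targets = [r[-1].lower() for r in apex.get("MX", [])]
    for kind, targets in (("NS", ns_targets), ("MX", mx_targets)):
        for t in targets:  # NS and MX must name a host with an A record, not a CNAME
            if "CNAME" in by_name.get(t, {}):
                findings.append(f"{kind} target {t} is a CNAME; point it at an A record")
    for name, types in by_name.items():
        for (addr,) in types.get("A", []):
            if not is_public(addr):
                findings.append(f"{name} A {addr} is not a public address")
    return findings
```

Running `audit_zone(SAMPLE_ZONE, "example.test.")` reports the MX-to-CNAME and the 192.168.1.5 record; a clean zone returns an empty list.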
 

Thomas

If this is a Test site... will you actually have these on a DMZ with public
access?

If so, initially KISS - keep it very simple... use a primary w/ masters and
restrict others from pulling zones and updates.

Your firewall can protect you from most of your DOS of other services if you
can set your QoS and connections per host.

Then use http://www.dnsreport.com to query your public DNS servers. They
do a good job of detailing any issues and explaining what changes you need to
make.
