11-28-2017 12:34 AM
Let's say that we have Four Grid Members:
1. Two DNS Grid Members acting as recursive lookup servers
2. Another two DNS Grid Members acting as Primary and Secondary ADNS servers for an Active Directory Integrated Zone.
In this scenario, do I need to set the Domain Controller's preferred and alternative DNS servers (in the network TCP/IP properties)? Do I need to set them to the IP addresses of the recursive lookup servers or the ADNS servers for the zone?
My thought is the recursive lookup servers. However, thought I would ask.
11-28-2017 01:07 AM - edited 11-28-2017 01:10 AM
Are your recursive members aware of the Authoritative Members? If so, you can point it to the recursive members.
It is just important that the DCs and all AD client PCs will be able to resolve the AD Domain Name and all relevant A & SRV records. However, due to the caching I would not recommend this setup, as changes to the AD configuration might take a long time to be updated in DNS.
A typical setup would be like:
All workstations and servers would point to the authoritative servers. Those servers, on the other hand, would actually forward to the recursive members in the DMZ, which would do the internet resolution on their behalf.
11-28-2017 04:09 AM
What if I lower the TTL? Most of these zones are internal zones, i.e. not Internet facing.
11-28-2017 04:18 AM - edited 11-28-2017 04:19 AM
> What if I lower the TTL?
Yes, you could do that. However, I still would recommend pointing it to the authoritative servers.
> Most of these zones are internal zones, i.e. not Internet facing.
Misunderstanding! I'm talking about a different architecture.
Some customers do the following: Instead of placing the caching members in front of the authoritative members, they add them to the DMZ and let them do the internet resolution. All the internal authoritative members are forwarding to the caching members in the DMZ.
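A check for the point made in the answers above (whichever servers the DCs and clients point at must return the AD domain's A and SRV records, and the TTL on those answers is what bounds the caching delay), written as an added example that is not part of this thread or of Infoblox's tooling. It assumes a domain-joined Windows host with the DnsClient module; the record names are the standard AD locator records, and the AD domain defaults to the host's own.

```powershell
# Added example (not from the thread): for every DNS server configured in this host's
# NIC TCP/IP properties, resolve the AD domain's A record and core SRV records directly
# against that server and report the TTL each answer carries.
param(
    # Defaults to the machine's own AD DNS domain; override to test another domain.
    [string]$AdDomain = $env:USERDNSDOMAIN
)

# Records every DC and AD client must be able to resolve (standard AD locator names).
$namesToCheck = @(
    @{ Name = $AdDomain;                        Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$AdDomain"; Type = 'SRV' },
    @{ Name = "_kerberos._tcp.$AdDomain";       Type = 'SRV' },
    @{ Name = "_ldap._tcp.$AdDomain";           Type = 'SRV' }
)

# DNS servers actually configured on the interfaces (IPv4 only in this example).
$servers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Sort-Object -Unique

foreach ($server in $servers) {
    foreach ($rec in $namesToCheck) {
        try {
            # -DnsOnly bypasses the local cache and hosts file, so the answer comes from $server.
            $answers = Resolve-DnsName -Name $rec.Name -Type $rec.Type -Server $server -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq $rec.Type }
            if (-not $answers) { throw "no $($rec.Type) records in answer" }
            foreach ($a in $answers) {
                $target = if ($rec.Type -eq 'SRV') { "$($a.NameTarget):$($a.Port)" } else { $a.IPAddress }
                [pscustomobject]@{
                    Server = $server; Name = $rec.Name; Type = $rec.Type
                    Target = $target; TTL = $a.TTL; Status = 'OK'
                }
            }
        }
        catch {
            # A server that cannot answer these is unsuitable as a DC/client resolver.
            [pscustomobject]@{
                Server = $server; Name = $rec.Name; Type = $rec.Type
                Target = $null; TTL = $null; Status = "FAIL: $($_.Exception.Message)"
            }
        }
    }
}
```

Pipe the output to `Format-Table -AutoSize` and look for any FAIL rows; when a caching member sits in the path, the TTL column shows how long a stale SRV answer would be served.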
11-28-2017 04:26 AM
In my case the Recursive lookup servers in the DMZ themselves are forwarding the queries to another pair of servers hosted by the ISP. That's why I am thinking that in this case I will do the forwarding to the ISP DNS servers on the Authoritative DNS servers directly, which will eliminate the need for the recursive DNS servers in the DMZ altogether.
I am starting to think that it might be even better to allow the recursive servers in the DMZ to do recursive lookups themselves rather than forwarding queries to the ISP's DNS servers.
11-28-2017 04:32 AM
> I am starting to think that it might be even better to allow the recursive servers in the DMZ to do recursive lookups
> themselves rather than forwarding queries to the ISP's DNS servers.
You might want to consider DNS Firewall (RPZ + Reputation Feed) + DNS Analytics, as you have transparent internet DNS resolution for your clients.
11-28-2017 04:38 AM
Ok. So you cannot apply DNS firewall rules if you forward the query to the ISP recursive servers? I thought you could do that.