06-01-2018 05:11 PM
06-14-2018 05:42 AM
What are you attempting to accomplish? What do you mean by "connecting" them together? Are you referring simply to having both internal and external DNS under a single management system or are you talking about something related to forwarding or zone transfers or something different?
06-15-2018 05:24 PM
1. Deploying infx appliance on local network:
Configure management ports with the management network IP addresses, configure HA & LAN1 ports with (data & sync) local network IP addresses that will serve DNS & DHCP to the network users.
2. Deploying infx appliance on DMZ network:
Configure LAN1 port with private (public) network that will be NATed on the firewall.
Configure LAN2 port with the private network IP addresses that will serve (DNS data & sync) from & to the local DNS network.
Configure management ports with the DMZ management network IP addresses?
My question is: is there a best-practice design for deploying local INFX (DNS & DHCP) & external INFX (DNS) on a DMZ network?
06-18-2018 06:06 AM
You mention "infx" multiple times...I assume that refers to Infoblox, right? Just trying to make sure you aren't meaning something different.
So you have internal HA appliances that will service internal DNS queries and be recursive for outbound requests, correct? You also have single appliances where you are choosing to use one port (LAN1) for outside-in DNS requests (those coming FROM the Internet into your organization) and the other port (LAN2) for inside-out or inside-in requests (proxy DNS cache layer or for internal clients looking for internal hosts). Is that also correct?
If both of the above are true, then your configuration matches the basic configuration well enough to be considered one of the best practices options. There are still specific settings in DNS to configure to ensure you don't expose an open recursor...specifically, you want to make sure the DNS view with your authoritative external zones has recursion disabled. You'll also need to make sure you properly configure your ACLs on the views as well and order them appropriately.
There are a number of other factors that will determine what is really a "best practice" for your deployment but these are generally the steps in the right direction.
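The point above about not exposing an open recursor on the external view is something worth verifying from the outside once the DMZ member is deployed. The following is an added example, not Infoblox code or anything from the original thread: a stdlib-only Python checker that sends a query with the Recursion Desired bit set for a name the external member is not authoritative for and inspects the response header. An authoritative-only view should answer REFUSED, or at least without the Recursion Available (RA) bit and without an answer section; a server that returns RA set and a non-authoritative answer is acting as an open recursor. The sample responses embedded below are constructed for offline testing; the transaction id 0x1234, the probe name example.com and the 53/udp target are assumptions you would adjust.

```python
import socket
import struct
import sys

TXID = 0x1234  # fixed transaction id, assumed; fine for a one-shot check


def build_query(qname: str, rd: bool = True, txid: int = TXID) -> bytes:
    """Build a minimal DNS A/IN query. rd=True sets the Recursion Desired bit (0x0100)."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return header + question


def parse_flags(response: bytes) -> dict:
    """Extract the header fields that matter for an open-recursor check."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0=NOERROR, 5=REFUSED
        "ancount": an,
    }


def is_open_recursor(flags: dict) -> bool:
    """True when the server recursed for us: RA set, not authoritative, NOERROR with answers."""
    return (flags["qr"] and flags["ra"] and not flags["aa"]
            and flags["rcode"] == 0 and flags["ancount"] > 0)


def check_server(server: str, qname: str = "example.com", timeout: float = 3.0) -> dict:
    """Send one probe to server:53/udp and classify the reply. Requires network access."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    flags = parse_flags(data)
    if flags["id"] != TXID:
        raise ValueError("transaction id mismatch, ignoring reply")
    flags["open_recursor"] = is_open_recursor(flags)
    return flags


# Constructed sample replies (header + echoed question) for offline use:
_QUESTION = build_query("example.com")[12:]
# REFUSED: QR=1, RD=1, RCODE=5 -> what a recursion-disabled external view should return
RESPONSE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0) + _QUESTION
# Open recursor: QR=1, RD=1, RA=1, NOERROR, one answer record counted
RESPONSE_OPEN = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + _QUESTION
# Authoritative answer for a zone the server hosts: QR=1, AA=1, RA=0 -> not a recursor
RESPONSE_AUTH = struct.pack("!HHHHHH", TXID, 0x8400, 1, 1, 0, 0) + _QUESTION


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"  # documentation address, placeholder
    result = check_server(target)
    verdict = "OPEN RECURSOR" if result["open_recursor"] else "ok (no recursion offered)"
    print(f"{target}: rcode={result['rcode']} ra={result['ra']} aa={result['aa']} -> {verdict}")
```

Run it from a host outside the firewall against the NATed public address of the LAN1 interface; a REFUSED reply (rcode 5) or a reply with RA clear is what you want to see for the external view, while the internal view probed from the LAN should show RA set. The check is intentionally minimal and does not follow TCP fallback or EDNS, which is enough for confirming the recursion setting on the view.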
06-20-2018 07:02 PM
On the external DNS (INFX appliance):
I used LAN1 for outside (public network, 'internet') and LAN2 for the inside network (just communicates with internal DNS & is configured with a private DMZ subnet).
On the internal DNS:
I used LAN1 for the inside network (client DNS & DHCP requests), HA and LAN1 on the same subnet.
LAN2 outside-inside DMZ (just communicates 'inside' with external DNS).
Management ports (grid): can I configure all 4 appliances with two subnets (one for the internal network & one for the DMZ network; in our network design the DMZ has its own management network)?
I am at stage one of the deployment; that's why I'm looking for the best-practice design for deploying internal and external DNS.
06-25-2018 08:42 AM
Unless you have some restriction, I wouldn't bother with the MGMT ports at all. Also, unless there's some special reason for putting LAN2 of the internal members into the DMZ, I would just leverage LAN1/HA. It sounds like you're attempting to use all of the ports but I didn't see any specific target problem that you're trying to solve.
I do get using LAN1 and LAN2 for the external auth members...although a good number of customers use just LAN1 and set up the ACLs accordingly. There's definitely nothing wrong with either approach...it really comes down to risk mitigation and determining how well you will rely on firewall and ACL configurations.
What specifically are you trying to accomplish with the use of the extra ports? Is there some mandate internally regarding separation of management and control traffic from user facing ports?
Do you have a dedicated GM and GMC in this design? If not, enabling the MGMT ports on the protocol serving units that also serve as GM/GMC will work but it will also create some interesting challenges.