
Win 2000 Server\Firewall-VPN\DNS

Status
Not open for further replies.

PSLondon (Technical User, GB), Apr 22, 2002
I have a Symantec Firewall/VPN 200R on my network connected to an ADSL modem, with a Win 2000 server and Win XP clients. The only way I can get the Firewall to allow connection to the Internet is to remove the "." (root) zone from the DNS service on the server and put in a zone that allows me to forward DNS requests to the firewall, or point the clients' DNS straight at the firewall, which then screws up Active Directory. Is there a way round this, i.e. to keep AD OK and still allow DNS requests to be forwarded to the firewall? I have a second Win 2000 server on the network for printers; can I utilise this in some way?
 
You want to use forwarders in DNS properties. Deleting the root zone does nothing to harm AD. As long as your internal DNS server is authoritative for your domain in AD, then this works properly.

Setup should be: clients use your server as DNS; your server has DNS and is authoritative for your AD domain. Your server has a forwarder setting in DNS properties with an external DNS server (usually one or more from your ISP). You must open the DNS ports in the firewall to permit this traffic. Check that you have set "secure cache" in DNS properties.

If you are worried about security, you can set the firewall to only allow incoming DNS traffic that has been requested (ACK bit required). If you get really worried about security, set up another DNS server in the DMZ of your firewall, let this box connect to your ISP DNS, and have a 1 minute cache scavenge (never keep DNS records). Now your internal DNS server uses the DMZ DNS server as its forwarder, and you set a long time limit (7 days or so) on the internal DNS server scavenge to keep it from polling too often.

Alex
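The setup Alex describes (remove the "." zone, keep the AD zone authoritative, add forwarders, enable secure caching, check the firewall) as an added worked example that is not part of the thread. It uses the DnsServer PowerShell module on a current Windows Server; Windows 2000 has no PowerShell, but these are the same settings the Win 2000 DNS MMC exposes ("secure cache against pollution" is the PollutionProtection setting here). The domain name, the forwarder addresses and the test hostname are assumptions, not values from the post; for the DMZ variant, put the DMZ resolver's address in $Forwarders instead of the ISP's.

```powershell
# Added example (not from the forum thread). Assumed values: adjust to your network.
$AdDomain   = 'corp.example'                  # assumed AD DNS domain name
$Forwarders = '203.0.113.53', '203.0.113.54'  # assumed ISP (or DMZ) resolvers; documentation addresses

Import-Module DnsServer

# 1. A "." (root) zone makes this server believe it IS the root: it will never
#    forward or use root hints, so Internet names cannot resolve. Remove it.
$rootZone = Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue
if ($rootZone) {
    Write-Host "Removing root zone '.' so forwarding can work"
    Remove-DnsServerZone -Name '.' -Force
}

# 2. Confirm the server is still authoritative for the AD domain. Removing "."
#    does not touch this zone, and this zone is what keeps AD working.
$adZone = Get-DnsServerZone -Name $AdDomain -ErrorAction Stop
if ($adZone.ZoneType -ne 'Primary') {
    throw "$AdDomain is not a primary zone on this server; fix that before touching forwarders"
}
Write-Host ("AD zone {0}: type={1} AD-integrated={2}" -f $adZone.ZoneName, $adZone.ZoneType, $adZone.IsDsIntegrated)

# 3. Forward every name this server is not authoritative for to the resolvers.
#    -UseRootHint $false: if all forwarders fail, do not fall back to root hints
#    (the firewall would block that traffic anyway).
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false -Timeout 3

# 4. "Secure cache against pollution": discard records in a reply that lie
#    outside the tree of the name that was queried.
Set-DnsServerCache -PollutionProtection $true

# 5. Firewall check from the DNS server's point of view. Test-NetConnection only
#    probes TCP/53; UDP/53 must be open as well, since most queries are UDP.
foreach ($ip in $Forwarders) {
    $tcp = Test-NetConnection -ComputerName $ip -Port 53 -WarningAction SilentlyContinue
    Write-Host ("forwarder {0} TCP/53 reachable: {1}" -f $ip, $tcp.TcpTestSucceeded)
}

# 6. Verify: the AD locator SRV record still answers locally, and an external name
#    resolves through the forwarder. Flush the cache first so the second test is real.
Clear-DnsServerCache -Force
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV -Server 127.0.0.1 |
    Select-Object Name, NameTarget, Port
Resolve-DnsName -Name 'www.example.com' -Type A -Server 127.0.0.1 |
    Select-Object Name, IPAddress

# Final forwarder state, for the change record
Get-DnsServerForwarder
```

On the firewall side, DNS queries are mostly UDP, so the rule that matters is a stateful one: allow the DNS server's outbound port 53 (UDP and TCP) to the forwarders and let the firewall's state table admit only the matching replies. With the "." zone gone and forwarders set, clients should point at the internal server only, never at the firewall, which is what keeps AD's SRV lookups working.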
 
If I delete the root zone, DNS seems to pack up altogether, no matter what other forward or reverse zones I put in! Any suggestions on how to keep DNS running without a "." zone would be helpful. The DNS server is authoritative in the domain/AD.
 
I have not had any problems deleting the root zone... Can you dcpromo to remove/reinstall AD and DNS? There must be something strange within your AD zone.

Alex
 
I restarted from scratch and all is well. Thanks a lot for your help.

Paul
 