Saturday, 8 September 2007

DNS Namespace Design (MCP Series)

When designing your DNS name space, you do not want your internal zone data (internal host names and addresses) reaching your external DNS server, and you do not want external users to be able to resolve internal resources. Internal staff, on the other hand, must be able to resolve both internal and external resources. There are three options for laying out internal and external DNS:
  1. Same DNS name internally and externally
    Do not allow zone transfers between the servers. The external server hosts company.com and so does the internal server; each holds its own copy of the zone and treats itself as authoritative for it, with only the public records on the outside and the internal records on the inside (often called split-brain or split-horizon DNS). This method is good for users because the internal system is called company.com and the external system is also called company.com. There is some administrative overhead, because the internal server, being authoritative for company.com, will never forward a query for that zone: every public record that internal clients need (www, mail, the MX record) has to be copied by hand from the external server into the internal zone. Your external records won't change that often, so it shouldn't be that big of a problem, but a record you forget to copy shows up as a name that resolves from the Internet and not from the office.

  2. Different DNS internally and externally
    For example, company.local internally and company.com externally. Users might not like this setup, as the internal name is quite different from the external name, but it is safe and easy to set up: the internal server is authoritative only for company.local and forwards everything else, so nothing has to be copied between the two servers. One caveat on the example name: the .local suffix is also used by multicast DNS (Bonjour), so clients running it may try to resolve .local names on the local link rather than asking your DNS server. A registered domain you own, or a subdomain of one, avoids that clash.

  3. Internal DNS as a sub domain of your external DNS
    For example, company.com externally and internal.company.com internally. This option does not require the external server to be Windows Server 2003: any DNS server can host the public company.com zone, while the Active Directory servers are authoritative only for internal.company.com and forward everything else outwards, so public records never need to be copied. Set up zone delegation for internal.company.com on the external server and block inbound DNS (UDP and TCP port 53) from the Internet to the internal servers at the firewall so external users cannot resolve internal resources. Note that a delegation published in the public zone exposes the internal servers' names and addresses to anyone who queries it; only outside resolvers ever follow that delegation, and the firewall stops them anyway, so the delegation can be left out entirely if that exposure is a concern.
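As an added example (not from the original post), here are the dnscmd commands that implement option 1 and option 3 on Windows Server 2003 DNS, shown side by side for comparison; you would deploy one or the other, not both. Option 2 differs from option 3 only in the zone name, so it is not repeated. The server names ext-dns1 and int-dns1, the host records, the addresses (taken from the RFC 5737 documentation ranges) and the ISP resolver address are all assumptions made for the example.

```batch
@echo off
REM Added example: split-horizon DNS with dnscmd on Windows Server 2003.
REM Server names, records, addresses (RFC 5737 documentation ranges) and
REM the ISP resolver are assumptions, not values from the original post.
REM Run from an administrative command prompt; each command names the
REM server it configures.

REM ===== Option 1: same zone name inside and out (split-brain) =====

REM External server: authoritative for company.com, public records only.
dnscmd ext-dns1 /ZoneAdd company.com /Primary /file company.com.dns
dnscmd ext-dns1 /RecordAdd company.com www A 203.0.113.10
dnscmd ext-dns1 /RecordAdd company.com mail A 203.0.113.20
dnscmd ext-dns1 /RecordAdd company.com @ MX 10 mail.company.com.
REM Refuse zone transfers to everyone, so nothing (the internal server
REM included) can pull this zone and nothing can push internal data in.
dnscmd ext-dns1 /ZoneResetSecondaries company.com /NoXfr

REM Internal server (a domain controller): its own authoritative,
REM Active Directory-integrated copy of company.com with the internal hosts.
dnscmd int-dns1 /ZoneAdd company.com /DsPrimary
dnscmd int-dns1 /ZoneResetSecondaries company.com /NoXfr
dnscmd int-dns1 /RecordAdd company.com fileserver A 10.0.0.5
dnscmd int-dns1 /RecordAdd company.com intranet A 10.0.0.6
REM The administrative overhead: int-dns1 is authoritative for company.com,
REM so it never forwards a company.com query. Every public record the
REM internal clients need is copied here by hand (use the inside address
REM instead if the host sits behind NAT).
dnscmd int-dns1 /RecordAdd company.com www A 203.0.113.10
dnscmd int-dns1 /RecordAdd company.com mail A 203.0.113.20
dnscmd int-dns1 /RecordAdd company.com @ MX 10 mail.company.com.
REM Everything outside company.com goes to the ISP resolver, not to
REM ext-dns1, so the two servers never talk to each other.
dnscmd int-dns1 /ResetForwarders 198.51.100.53 /slave

REM ===== Option 3: internal zone as a subdomain of the external one =====

REM External server (any DNS software): public company.com plus a
REM delegation of internal.company.com to the internal server.
REM The NS and glue records are visible to anyone who queries the public
REM zone; leave them out if exposing the internal server's name and
REM address is a concern. Only outside resolvers follow the delegation,
REM and the firewall stops them reaching 10.0.0.2 anyway.
dnscmd ext-dns1 /RecordAdd company.com internal NS int-dns1.internal.company.com.
dnscmd ext-dns1 /RecordAdd company.com int-dns1.internal A 10.0.0.2

REM Internal server: authoritative only for internal.company.com ...
dnscmd int-dns1 /ZoneAdd internal.company.com /DsPrimary
dnscmd int-dns1 /ZoneResetSecondaries internal.company.com /NoXfr
dnscmd int-dns1 /RecordAdd internal.company.com fileserver A 10.0.0.5
REM ... with a forwarder for everything else. www.company.com is not in
REM any zone it holds, so the query is forwarded and the public record
REM comes back without ever being copied.
dnscmd int-dns1 /ResetForwarders 198.51.100.53 /slave

REM Perimeter firewall (not a dnscmd step): deny Internet -> 10.0.0.2 on
REM UDP and TCP port 53, allowing only the internal server's own outbound
REM queries and their replies.

REM ===== Checks =====
REM From an internal client, both names must resolve through int-dns1.
nslookup fileserver.internal.company.com int-dns1
nslookup www.company.com int-dns1
REM From an outside host, the public name resolves and the internal one
REM does not.
nslookup www.company.com ext-dns1
nslookup fileserver.internal.company.com ext-dns1
REM A transfer attempt from outside must be refused: run nslookup,
REM "server ext-dns1", then "ls -d company.com" and expect "Query refused".
```

The checks at the end are the ones worth repeating after any change to either server: an internal name answered by ext-dns1, or an `ls -d` that returns the zone instead of a refusal, means zone data has crossed the boundary the design is meant to keep.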
Having used option 2 for some time, I think I will attempt option 3 in the next few months. I will report back with the results.
