From: Rich Matheisen [MVP] on
On Tue, 15 Jun 2010 23:40:11 -0700 (PDT), big <d.digrego(a)gmail.com>
wrote:

>excuse me again.
>Try to imagine.
>AD with DNS-integrated domain (corp.company.com)

Okay. You can still add as many DNS zones as you like to it. I don't
see that as a problem.

>Internal clients query this DNS for internal resources where the DNS is
>authoritative, while for other requests, the DNS queries my ISP.
>E-mail address example: john(a)company.com

Sure, but the machines in your DMZ are YOUR machines, not the ISP's.
If you, for whatever reason, lost contact with the ISP's DNS, how
would you find the IP addresses for the machines in your DMZ?

>One day my CIO asked me to add Exchange 2007.
>I installed it with all the roles in the LAN except Edge, which I'm going to
>install in the DMZ.
>The DMZ is ready regarding routing, but there aren't any other services.

I don't understand that last sentence. Are you saying you have no
other machines in the DMZ except your edge server?

>My question is: which is the correct DNS suffix for Edge?

Your company does business using the "company.com" domain. Use that.
But that's not going to be ideal since you must use your ISP's DNS to
resolve the name. That's why you want a "company.com" DNS zone on your
internal DNS.

>After this reply, I could manage how DNS resolves names, and how many
>DNS servers I need.

You need one DNS. You should have more than one DNS zone in that DNS.

>I'm looking for a best practice for this scenario.

Well, then back up a bit and start with DNS and how you resolve names.

>In the next future I could install a DNS server in DMZ as a forwarder
>for DNS in LAN.

Why? If your ISP's DNS is what external entities use to resolve names
you expose to the Internet there's no need for a DNS in the DMZ. Your
internal DNS should already be configured to use forwarders (or
root-hints) so why put a DNS in your DMZ that would have to allow
recursive queries? That's not good at all.
---
Rich Matheisen
MCSE+I, Exchange MVP
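The setup Rich describes above (a second zone "company.com" on the internal AD DNS holding records for your own DMZ hosts, with everything else forwarded to the ISP, and the Edge server carrying the "company.com" suffix while using the internal DNS) can be scripted. The following is an added example, not part of the thread, written with the DnsServer and DnsClient PowerShell modules of Windows Server 2012 or later; on the 2008-era servers discussed here the same steps are done with dnscmd or the DNS console. The server name dc1, the addresses 10.0.0.5, 198.51.100.x and 203.0.113.x, the interface alias and the host names are placeholders assumed for the example.

```powershell
# Added example (not from the original thread): split-brain DNS for company.com
# on the internal AD-integrated DNS, plus the Edge server's DNS client settings.
# All names and addresses below are placeholders.

# --- Part 1: on an internal DC/DNS server (assumed dc1.corp.company.com, 10.0.0.5) ---

$InternalDns   = '10.0.0.5'
$IspForwarders = @('198.51.100.53', '198.51.100.54')   # ISP resolvers (placeholder)

# A second zone on the same server, next to corp.company.com. Because the server is
# authoritative for both, names under corp.company.com are still answered from the
# more specific zone; no delegation record is needed. Static records only, so no
# DMZ host can register itself into the zone.
if (-not (Get-DnsServerZone -Name 'company.com' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name 'company.com' -ReplicationScope 'Domain' -DynamicUpdate 'None'
}

# Records for YOUR machines in the DMZ, so internal resolution no longer depends on
# the ISP. Every public name (www, ww1, ww2, ...) must be mirrored here: once the
# zone exists internally the server never asks the ISP for anything under company.com.
$DmzHosts = @{
    'edge' = '203.0.113.10'
    'www'  = '203.0.113.20'
    'ww1'  = '203.0.113.21'
    'ww2'  = '203.0.113.22'
}
foreach ($h in $DmzHosts.GetEnumerator()) {
    Add-DnsServerResourceRecordA -ZoneName 'company.com' -Name $h.Key -IPv4Address $h.Value
}
# Mirror of the public MX so an internal lookup gets the same answer as an external one.
Add-DnsServerResourceRecordMX -ZoneName 'company.com' -Name '.' -MailExchange 'edge.company.com' -Preference 10

# Everything else goes to the ISP via forwarders. Recursion stays enabled for LAN
# clients; the firewall, not the DNS server, is what keeps Internet hosts away from
# port 53 on this box, which is why no recursive resolver belongs in the DMZ.
Set-DnsServerForwarder -IPAddress $IspForwarders -UseRootHint $false
Set-DnsServerRecursion -Enable $true

# Verify: AD zone and DMZ zone answered locally, an outside name via the forwarder.
Resolve-DnsName -Name 'dc1.corp.company.com' -Server $InternalDns -Type A
Resolve-DnsName -Name 'edge.company.com'     -Server $InternalDns -Type A
Resolve-DnsName -Name 'company.com'          -Server $InternalDns -Type MX
Resolve-DnsName -Name 'www.example.com'      -Server $InternalDns -Type A   # via ISP forwarder

# --- Part 2: on the Edge server (workgroup machine in the DMZ) ---

# Primary DNS suffix "company.com", which Edge Transport setup requires to be set
# beforehand; the Edge FQDN becomes edge.company.com. A reboot is needed afterwards.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $TcpipParams -Name 'Domain'    -Value 'company.com'
Set-ItemProperty -Path $TcpipParams -Name 'NV Domain' -Value 'company.com'

# The Edge server resolves names through the internal DNS (UDP/TCP 53 from the DMZ
# to 10.0.0.5 must be allowed on the firewall), so it can find the Hub Transport
# servers in corp.company.com for the Edge Subscription.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $InternalDns
Resolve-DnsName -Name 'dc1.corp.company.com' -Type A
```

Two checks worth running after this: query the internal server for every public name in the zone and compare with what the ISP's DNS returns, since any record missing from the internal copy is now invisible to LAN clients; and confirm from the Internet side that the ISP's DNS, not 10.0.0.5, is still the only server that answers for company.com.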
From: big on
On 17 Jun, 04:50, "Rich Matheisen [MVP]"
<richn...(a)rmcons.com.NOSPAM.COM> wrote:
> On Tue, 15 Jun 2010 23:40:11 -0700 (PDT), big <d.digr...(a)gmail.com>
> wrote:
>
> >excuse me again.
> >Try to imagine.
> >AD with DNS-integrated domain (corp.company.com)
>
> Okay. You can still add as many DNS zones as you like to it. I don't
> see that as a problem.
>
> >Internal clients query this DNS for internal resources where the DNS is
> >authoritative, while for other requests, the DNS queries my ISP.
> >E-mail address example: j...(a)company.com
>
> Sure, but the machines in your DMZ are YOUR machines, not the ISP's.
> If you, for whatever reason, lost contact with the ISP's DNS, how
> would you find the IP addresses for the machines in your DMZ?
>
> >One day my CIO asked me to add Exchange 2007.
> >I installed it with all the roles in the LAN except Edge, which I'm going to
> >install in the DMZ.
> >The DMZ is ready regarding routing, but there aren't any other services.
>
> I don't understand that last sentence. Are you saying you have no
> other machines in the DMZ except your edge server?

Yes, I said that, but it was just an example; indeed I have some web
servers, www.company.com, ww1.company.com, ww2.company.com, etc.
Those are resolved by my maintainer.

> >My question is: which is the correct DNS suffix for Edge?
>
> Your company does business using the "company.com" domain. Use that.
> But that's not going to be ideal since you must use your ISP's DNS to
> resolve the name. That's why you want a "company.com" DNS zone on your
> internal DNS.

OK, this should be the solution.
Last question: could I add a zone company.com (the parent domain) to
the DNS for domain corp.company.com?
I tried many months ago, but I wasn't able to. I don't remember the error,
sorry.

> >After this reply, I could manage how DNS resolves names, and how many
> >DNS servers I need.
>
> You need one DNS. You should have more than one DNS zone in that DNS.
>
> >I'm looking for a best practice for this scenario.
>
> Well, then back up a bit and start with DNS and how you resolve names.
>
> >In the next future I could install a DNS server in DMZ as a forwarder
> >for DNS in LAN.
>
> Why? If your ISP's DNS is what external entities use to resolve names
> you expose to the Internet there's no need for a DNS in the DMZ. Your
> internal DNS should already be configured to use forwarders (or
> root-hints) so why put a DNS in your DMZ that would have to allow
> recursive queries? That's not good at all.
> ---

Yes, my internal DNS is configured to use a forwarder, so I don't need
to use a DNS in the DMZ, but I thought that if the DNS in the LAN queries
the DMZ and then the DNS in the DMZ queries the Internet, it is more secure
than direct access. (But I don't know, it is just an idea.)

> Rich Matheisen
> MCSE+I, Exchange MVP
From: Rich Matheisen [MVP] on
On Thu, 17 Jun 2010 07:18:35 -0700 (PDT), big <d.digrego(a)gmail.com>
wrote:

[ snip ]

>> Your company does business using the "company.com" domain. Use that.
>> But that's not going to be ideal since you must use your ISP's DNS to
>> resolve the name. That's why you want a "company.com" DNS zone on your
>> internal DNS.
>
>OK, this should be the solution.
>Last question: could I add a zone company.com (the parent domain) to
>the DNS for domain corp.company.com?

You should be able to.

[ snip ]

>> >In the next future I could install a DNS server in DMZ as a forwarder
>> >for DNS in LAN.
>>
>> Why? If your ISP's DNS is what external entities use to resolve names
>> you expose to the Internet there's no need for a DNS in the DMZ. Your
>> internal DNS should already be configured to use forwarders (or
>> root-hints) so why put a DNS in your DMZ that would have to allow
>> recursive queries? That's not good at all.
>> ---
>
>Yes, my internal DNS is configured to use a forwarder, so I don't need
>to use a DNS in the DMZ, but I thought that if the DNS in the LAN queries
>the DMZ and then the DNS in the DMZ queries the Internet, it is more secure
>than direct access. (But I don't know, it is just an idea.)

Allowing DNS queries from your DMZ to your LAN should be okay.
---
Rich Matheisen
MCSE+I, Exchange MVP
From: big on
Thank you very much for your time.
I'm going to do it.