Internet vs. Intranet

Kevin Darcy kcd at daimlerchrysler.com
Tue Nov 20 01:22:46 UTC 2001


Tim wrote:

> I am new to DNS. All my learnings have been theoretical from the M$ TCP/IP
> for NT and some hands on at home with my small networked lab.
>
> I am involved in resolving the DNS issues that our company is experiencing due
> to the fact that I have more knowledge than anyone else about the basic
> workings of DNS. I think this is called trial by fire.
>
> Our small LAN consists of one subnet with 30 some odd servers and less than
> one hundred user workstations. We are attempting to go for the ASP model for
> our company and provide an application via M$ Terminal Server with Citrix
> MetaFrame installed for local and remote access for our clients.
>
> We have our DNS hosted by our ISP. It consists of four zones and all four
> zones have MX records pointing to the same mail server on our LAN through
> our new Linux firewall hosted and monitored by our ISP. All four zones also
> point to our internal web servers (DMZ) where we host for the four companies
> (zones/departments) within the same office space.
>
> I have purchased all three books on DNS from O'Reilly, however I have not
> had the time to get into the meat of it (yet). My question is simple: would
> it be better to set up an internal root.dns server (on the only server
> running DNS), create the four zones, corresponding MX records and CNAMEs for
> the websites for internal resolution, and then have it forward to the ISP for
> Internet resolution? Configure it as a forwarding server in slave mode or
> secondary to the ISP? For a newbie like me it's kind of confusing....the
> different ways to configure the DNS and which one will actually give the
> best possible performance.
>
> Any insight into my dilemma will be gratefully appreciated. Should you require
> any relevant additional information, ask and I will make do. Thanks

In your situation, I'd probably set up at least one server (the "caching
server") to serve internal clients and at least one *separate* server (the
"hosting server"), with recursion turned off, to serve your zones to the
outside world. For performance and redundancy, I'd make the caching server a
slave to all of your zones. If you don't have at least 2 servers onsite to
provide hosting for all of your zones, then you'll have to get your ISP to be a
slave -- it might be a good idea to do that anyway, since more redundancy is a
better thing, and you'll spread out the query load as well. Similarly, if you
can't provide at least two caching servers to your clients, then you should
arrange for clients to fail over to your ISP for name resolution. In a pinch,
you could combine the caching and hosting functions within a single nameserver
instance -- in that case, be sure to use the "allow-recursion" mechanism to
deny recursion to external clients -- but it's generally recommended to make a
total separation between those two DNS functions.

As for setting up your caching servers to forward to your ISP, I'd first run
some tests to see if this buys you any performance benefit. Chances are it
won't.


- Kevin
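The split Kevin describes, written out as BIND 9 `named.conf` fragments. This is an added example, not configuration from the original post or from Tim's site: the zone name `company-a.example`, the addresses (192.0.2.0/24 for the LAN, 192.0.2.53 for the hosting server, 192.0.2.10 for the caching server, 203.0.113.53 for the ISP's slave, 203.0.113.1 for the ISP's resolver) and the file paths are all placeholders. The two `options` blocks belong to two different servers, so they go in two separate files.

```conf
// ===== File 1: named.conf on the HOSTING server =====
// Authoritative only. It answers the outside world for your zones and
// never resolves on anyone's behalf, so it cannot be abused as an open
// recursive resolver.
options {
    directory "/var/named";
    recursion no;                                   // the key setting
    allow-query { any; };                           // zone data is public
    allow-transfer { 192.0.2.10; 203.0.113.53; };   // caching server + ISP slave only
    notify yes;                                     // tell slaves when a zone changes
};

zone "company-a.example" {
    type master;
    file "master/company-a.example.db";
};
// ... one "type master" block per zone (four in Tim's case)

// ===== File 2: named.conf on the CACHING server =====
// Recursive resolver for internal clients only. It slaves the company
// zones so internal lookups of your own names are answered locally,
// and it recurses to the Internet roots for everything else.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; 127.0.0.1; };   // LAN only, never "any"
    allow-query     { 192.0.2.0/24; 127.0.0.1; };   // outsiders get nothing at all
    // forwarders { 203.0.113.1; };                 // ISP resolver; leave off until
    // forward first;                               // measured to actually help
};

zone "." {
    type hint;
    file "named.root";                              // root hints, for full recursion
};

zone "company-a.example" {
    type slave;
    masters { 192.0.2.53; };                        // the hosting server
    file "slave/company-a.example.db";
};
// ... one "type slave" block per zone, mirroring the hosting server

// ===== "In a pinch": both roles in ONE named.conf =====
// If you only have one server, the hosting config above plus these two
// lines keeps external clients from using it as a recursive resolver:
//
//     recursion yes;
//     allow-recursion { 192.0.2.0/24; 127.0.0.1; };
//
// The zones stay "type master"; external queries for them are still
// answered, but anything outside the ACL asking for recursion is refused.
```

With the separate "hosting" server you can additionally firewall it so that only port 53 from the outside reaches it, while the "caching" server is reachable from the LAN alone. On BIND 9.4 and later also set `allow-query-cache` to the same internal ACL on the caching (or combined) server, since otherwise cached answers can still be read by anyone who can reach the socket. Before uncommenting the `forwarders` line, time a few dozen uncached lookups both ways, as Kevin suggests; forwarding only pays off when the ISP's cache is noticeably warmer than your own.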