Hosting external DNS zones for your organization on internal DNS servers requires careful planning that includes:

- Geographical distribution of DNS load
- TTL (Time-to-Live) values
- NS records
- Updating secondary servers
- Refusing DNS attacks
- Supporting multiple DNS "named" zones

Below is the architecture diagram:

1. Create a Primary DNS Server (Server A) that contains the writable copy of the DNS zone.
2. Create Secondary DNS Servers (Servers B, C and D) in multiple geographies that contain a "read-only" copy of the DNS records.
3. Expose the Secondary DNS Servers to the Internet.
4. Disable the following on the Secondary Servers:
- Conditional forwarders
- Root Hints
5. Configure the following on the Primary Server:
- Name Server records
- Zone Transfers (Add all secondary servers)
- Zone update notification servers (Add all secondary servers)
This design ensures that the DNS servers exposed to the Internet only respond to DNS requests for zones they are authoritative for and ignore all other queries (this is accomplished by disabling forwarders, root hints and recursion). Since the exposed servers hold only a read-only copy of the zone, an external attack on them cannot modify the DNS records. A few tips:
- Do not expose Primary (writable copy) server to Internet for DNS resolution queries.
- Do not combine Active Directory DNS servers with external DNS servers (use separate servers for external zones).
- Do not store the external DNS zones in Active Directory, i.e. do not create AD-integrated DNS zones; use file-backed zones instead.
- Tune the TTL value to balance load on your Secondary servers: a higher TTL means resolvers cache answers longer and send fewer queries, while a lower TTL brings more queries, consumes more bandwidth and may affect server performance.
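The steps above (primary zone with restricted transfers and notify list, secondaries with recursion, root hints and forwarders removed, high TTL on stable records) expressed as Windows DNS Server PowerShell, as an added example that is not part of the original post. The zone name example.com, the hostnames ns1 to ns3 and the addresses 192.0.2.5 / 198.51.100.x are constructed placeholders; it assumes the DnsServer module from the DNS Server role in an elevated session, with the first section run on Server A and the second on each of Servers B, C and D.

```powershell
# Added example, not the original post's code. All names and addresses are constructed.
$zone         = 'example.com'
$primaryIP    = '192.0.2.5'                                   # Server A: internal only, never exposed
$secondaryIPs = @('198.51.100.10', '198.51.100.20', '198.51.100.30')   # Servers B, C, D (Internet-facing)
$secondaryNames = @('ns1', 'ns2', 'ns3')

# ---- Server A (primary, writable copy) ----
# File-backed zone, deliberately NOT AD-integrated
Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns"
for ($i = 0; $i -lt $secondaryIPs.Count; $i++) {
    # Glue A record for each secondary plus an NS record at the zone apex ('@') pointing to it
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $secondaryNames[$i] -IPv4Address $secondaryIPs[$i]
    Add-DnsServerResourceRecord  -ZoneName $zone -NS -Name '@' -NameServer "$($secondaryNames[$i]).$zone."
}
# Stable record with a long TTL: resolvers cache it, so fewer queries reach the secondaries
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'www' -IPv4Address '198.51.100.80' `
    -TimeToLive (New-TimeSpan -Hours 4)
# Zone transfers (AXFR/IXFR) only to the listed secondaries, and NOTIFY them on every change
Set-DnsServerPrimaryZone -Name $zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $secondaryIPs `
    -Notify NotifyServers -NotifyServers $secondaryIPs

# ---- Servers B, C, D (secondary, read-only copy, exposed to the Internet) ----
Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers $primaryIP
Set-DnsServerRecursion -Enable $false                          # answer only for zones held locally
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force        # no path to the root servers
Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder' |    # drop conditional forwarders
    ForEach-Object { Remove-DnsServerZone -Name $_.ZoneName -Force }
$fwd = (Get-DnsServerForwarder).IPAddress                      # drop server-level forwarders, if any
if ($fwd) { Remove-DnsServerForwarder -IPAddress $fwd }

# ---- Check from a client outside the network ----
# Authoritative name: expect an answer from the secondary
Resolve-DnsName -Server $secondaryIPs[0] -Name "www.$zone" -Type A -DnsOnly
# Name the secondary is not authoritative for: expect no answer, since recursion is off
Resolve-DnsName -Server $secondaryIPs[0] -Name 'www.example.net' -DnsOnly -ErrorAction SilentlyContinue
```

After the first transfer, `Get-DnsServerZone -Name $zone` on a secondary should report ZoneType Secondary with the primary's serial number, which is the quickest way to confirm the notify and transfer settings are working.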
Hope this information was useful.