Hi there.

Say you have a domain, domain.com, which is out there on the Internet
doing its thing, et cetera, but you also use that domain internally for your
Active Directory (which is probably not ideal).

Domain.com is hosted on your cluster of authoritative nameservers and has
records related to your online presence such as MX records, A records for
your website and other public services, et cetera.

Let's say that you're running DHCP/DNS in your Active Directory and you would
like new registrations to only be added to the 'local' version of domain.com
and not the Internet version of domain.com. I realize that the DHCP server
(and perhaps Windows in general) sends dynamic updates to the authoritative
nameservers, but I would rather not, for reasons of security through
obscurity, publish our internal DNS to the Internet. I realize the right way
to do this would've probably been to use a subdomain such as
internal.domain.com or corp.domain.com, but this was all established 10 years
ago.

So the question is: is it possible to have the DHCP server send updates to
the local DNS servers rather than the actual authoritative DNS servers?

thanks,
Andy

Re: DHCP dynamically updating internal DNS servers instead of authoritative? by Paul

Paul
Wed May 07 12:50:31 PDT 2008

Your internal DNS server should be just that, internal only. Your external
DNS server should be just that, external only.

Your internal DNS servers should forward (do not use recursion) to an
external DNS server for lookups, thereby exposing as few internal
addresses as possible.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Andy" <aweaver@ee.net> wrote in message
news:%23x$6r1EsIHA.3680@TK2MSFTNGP05.phx.gbl...
> Hi there.
>
> Say you have a domain: domain.com which is out there on the Internet
> doing its thing, et cetera but you also use that domain internally for
> your active directory (which is probably not ideal).
>
> Domain.com is hosted on your cluster of authoritative nameservers and has
> records related to your online presence such as MX records, A records for
> your website and other public services, et cetera.
>
> Let's say that you're running DHCP/DNS in your active directory and you
> would like new registrations to only be added to the 'local' version of
> domain.com and not the Internet version of domain.com. I realize that the
> DHCP server (and perhaps windows in general) sends dynamic updates to the
> authoritative nameservers, but I would rather not for reasons of security
> through obscurity publish our internal DNS to the Internet. I realize the
> right way to do this would've probably been to use a subdomain such as
> internal.domain.com or corp.domain.com but this was all established 10
> years ago.
>
> So the question is, is it possible to have the DHCP server send updates to
> the local DNS servers rather than the actual authoritative DNS servers?
>
> thanks,
> Andy



Re: DHCP dynamically updating internal DNS servers instead of authoritative? by Andy

Andy
Wed May 07 13:40:27 PDT 2008


"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:O2iRduHsIHA.4848@TK2MSFTNGP05.phx.gbl...
> Your internal dns server should be just that internal only. Your external
> dns server should be just that external only.
>
> Your internal dns servers should forward (Do not use recursion) to an
> external dns server for lookups thereby avoiding exposing as few internal
> addresses as possible.
>

Right, but the external (Internet) zones don't have A records for my DHCP
hosts, et cetera, and I would like my internal DNS to have those registered.

-Andy


Re: DHCP dynamically updating internal DNS servers instead of authoritative? by Paul

Paul
Thu May 08 05:37:16 PDT 2008

The internal and external should be separate; as long as they are, you should
be able to run dynamic DNS.

--
Paul Bergson

"Andy" <aweaver@ee.net> wrote in message
news:u$7UWKIsIHA.2292@TK2MSFTNGP03.phx.gbl...
>
> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
> news:O2iRduHsIHA.4848@TK2MSFTNGP05.phx.gbl...
>> Your internal dns server should be just that internal only. Your
>> external dns server should be just that external only.
>>
>> Your internal dns servers should forward (Do not use recursion) to an
>> external dns server for lookups thereby avoiding exposing as few internal
>> addresses as possible.
>>
>
> Right, but the external (internet) zones don't have A records for my DHCP
> hosts, et cetera and I would like my internal DNS to have those
> registered.
>
> -Andy



Re: DHCP dynamically updating internal DNS servers instead of authoritative? by Andy

Andy
Thu May 08 19:52:22 PDT 2008

Right, but DHCP is trying to send updates to my 'Internet' nameservers and
not my Active Directory nameservers; that's my problem.

Sorry if I'm being unclear.

Andy
"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:%23MX7AhQsIHA.672@TK2MSFTNGP02.phx.gbl...
> The internal and external should be separate as long as they are you
> should be able to run dynamic dns.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Andy" <aweaver@ee.net> wrote in message
> news:u$7UWKIsIHA.2292@TK2MSFTNGP03.phx.gbl...
>>
>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
>> news:O2iRduHsIHA.4848@TK2MSFTNGP05.phx.gbl...
>>> Your internal dns server should be just that internal only. Your
>>> external dns server should be just that external only.
>>>
>>> Your internal dns servers should forward (Do not use recursion) to an
>>> external dns server for lookups thereby avoiding exposing as few
>>> internal addresses as possible.
>>>
>>
>> Right, but the external (internet) zones don't have A records for my DHCP
>> hosts, et cetera and I would like my internal DNS to have those
>> registered.
>>
>> -Andy
>
>


Re: DHCP dynamically updating internal DNS servers instead of authoritative? by Paul

Paul
Fri May 09 05:49:18 PDT 2008

What are the DHCP server's IP client settings on its NIC? It should only
be pointing to the internal DNS server.

Why don't you post your DHCP server's ipconfig /all settings?

--
Paul Bergson

"Andy" <aweaver@ee.net> wrote in message
news:uN771%23XsIHA.4912@TK2MSFTNGP03.phx.gbl...
> Right,
>
> but DHCP is trying to send updates to my 'internet' nameservers and not my
> active directory nameservers, that's my problem.
>
> Sorry if I'm being unclear.
>
> Andy
> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
> news:%23MX7AhQsIHA.672@TK2MSFTNGP02.phx.gbl...
>> The internal and external should be separate as long as they are you
>> should be able to run dynamic dns.
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Andy" <aweaver@ee.net> wrote in message
>> news:u$7UWKIsIHA.2292@TK2MSFTNGP03.phx.gbl...
>>>
>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
>>> news:O2iRduHsIHA.4848@TK2MSFTNGP05.phx.gbl...
>>>> Your internal dns server should be just that internal only. Your
>>>> external dns server should be just that external only.
>>>>
>>>> Your internal dns servers should forward (Do not use recursion) to an
>>>> external dns server for lookups thereby avoiding exposing as few
>>>> internal addresses as possible.
>>>>
>>>
>>> Right, but the external (internet) zones don't have A records for my
>>> DHCP hosts, et cetera and I would like my internal DNS to have those
>>> registered.
>>>
>>> -Andy
>>
>>
>



Re: DHCP dynamically updating internal DNS servers instead of authoritative? by Roger

Roger
Thu May 08 19:50:34 PDT 2008

You have two DNS zones by the same name (domain.com).
Each, the external and the internal, defines its own SOA.
Any machine that uses one (directly or indirectly) will never
resolve names that are only in the other version of the zone.
Your internal machines use the internal version, and so they
will know only the internal SOA as authoritative and send
dynamic DNS updates there.

"Andy" <aweaver@ee.net> wrote in message
news:%23x$6r1EsIHA.3680@TK2MSFTNGP05.phx.gbl...
> Hi there.
>
> Say you have a domain: domain.com which is out there on the Internet
> doing its thing, et cetera but you also use that domain internally for
> your active directory (which is probably not ideal).
>
> Domain.com is hosted on your cluster of authoritative nameservers and has
> records related to your online presence such as MX records, A records for
> your website and other public services, et cetera.
>
> Let's say that you're running DHCP/DNS in your active directory and you
> would like new registrations to only be added to the 'local' version of
> domain.com and not the Internet version of domain.com. I realize that the
> DHCP server (and perhaps windows in general) sends dynamic updates to the
> authoritative nameservers, but I would rather not for reasons of security
> through obscurity publish our internal DNS to the Internet. I realize the
> right way to do this would've probably been to use a subdomain such as
> internal.domain.com or corp.domain.com but this was all established 10
> years ago.
>
> So the question is, is it possible to have the DHCP server send updates to
> the local DNS servers rather than the actual authoritative DNS servers?
>
> thanks,
> Andy
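The two points made in this thread, Roger's (a client only ever sees the SOA of whichever domain.com view its configured resolver serves, and that is where its dynamic update goes) and Paul's (so the DHCP server's NIC must list only the internal DNS servers), as an added illustration that is not part of the thread. The zone data, IP addresses and the ipconfig /all fragment are constructed for the example; the model is a simplification, not a DNS UPDATE implementation.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Zone:
    label: str      # which view answers: "internal" or "external"
    mname: str      # SOA MNAME, the primary that accepts DNS UPDATE
    a_records: dict = field(default_factory=dict)

def build_views():
    """Two zones both named domain.com with separate SOAs (constructed data)."""
    internal = Zone("internal", "dc1.domain.com", {"dc1.domain.com": "10.0.0.5"})
    external = Zone("external", "ns1.dns-host.example", {"www.domain.com": "203.0.113.10"})
    # resolver IP -> the view that resolver answers from
    return {"10.0.0.5": internal, "10.0.0.6": internal, "203.0.113.53": external}

def register_lease(views, resolver_ips, host, ip):
    """DDNS step: the first configured resolver answers the SOA query for
    domain.com, and the UPDATE lands in whichever view owns that SOA."""
    view = views[resolver_ips[0]]
    view.a_records[host] = ip
    return view.label

def resolve(views, resolver_ip, host):
    return views[resolver_ip].a_records.get(host)

def parse_ipconfig_dns(text):
    """Extract the 'DNS Servers' list from ipconfig /all output, including the
    indented continuation lines that hold the second and later servers."""
    servers, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns = True
        elif in_dns and re.match(r"\s{20,}\S+\s*$", line):
            servers.append(line.strip())
        else:
            in_dns = False
    return servers

def audit_dhcp_nic(ipconfig_text, internal_resolvers):
    """Paul's check: list DNS servers on the DHCP server's NIC that are not AD DNS."""
    return [ip for ip in parse_ipconfig_dns(ipconfig_text) if ip not in internal_resolvers]

# Constructed ipconfig /all fragment for a misconfigured DHCP server NIC.
SAMPLE_IPCONFIG = """Ethernet adapter Local Area Connection:
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       10.0.0.5
   NetBIOS over Tcpip. . . . . . . . : Enabled"""
```

With the external resolver listed first, `register_lease` files the new host in the external view, which is exactly the leak Andy describes; `audit_dhcp_nic` flags that resolver.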