Book: Windows Server 2012 R2 Storage, Security, & Networking Pocket Consultant

Controlling access to DNS servers outside the organization

Restricting access to zone information enables you to specify which internal and external servers can access the primary server. For external servers, this controls which servers can get in from the outside world. The complementary control is which DNS servers inside your organization are allowed to send queries out to the Internet. You enforce that with DNS forwarding within the domain: only the designated forwarders resolve names outside the organization, and every other DNS server hands the queries it can't answer to them. Because only the forwarders ever need to reach external name servers, your perimeter firewall can restrict outbound DNS (UDP and TCP port 53) to those servers alone.

With DNS forwarding, you configure DNS servers within the domain as one of the following:

■ Nonforwarders Servers that pass DNS queries they can't resolve locally to designated forwarders, but fall back to resolving the query themselves (using root hints) if no forwarder responds. These servers essentially act like DNS clients to their forwarders.

■ Forwarding-only Servers that only cache responses and pass requests to forwarders. If no forwarder responds, the query fails; a forwarding-only server never contacts external name servers itself. When such a server hosts no zones of its own, it is also known as a caching-only DNS server.

■ Forwarders Servers that receive requests from nonforwarders and forwarding-only servers. Forwarders use standard DNS resolution, recursing from the root hints to the authoritative servers, to resolve queries and then send the responses back to the other DNS servers.

■ Conditional forwarders Servers that forward requests for a specific DNS domain to specific servers, typically the authoritative servers for that domain. Conditional forwarding is useful if your organization has multiple internal domains.

NOTE You can't configure forwarding on a server that hosts the root zone (.) for your namespace, because such a server considers itself authoritative for any name it doesn't know and never forwards (except for conditional forwarding used with internal name resolution). You can configure all other servers for forwarding.

Creating nonforwarding and forwarding-only servers

To create a nonforwarding or forwarding-only DNS server, follow these steps:

1. In the DNS Manager console, press and hold or right-click the server you want to configure, and then tap or click Properties.

2. Tap or click the Advanced tab and make sure that the Disable Recursion (Also Disables Forwarders) check box is cleared. This applies to both nonforwarders and forwarding-only servers: a server with recursion disabled ignores its forwarder list entirely, so it can't forward at all. The difference between the two server types is set on the Forwarders tab in step 5.

3. On the Forwarders tab, tap or click Edit. This displays the Edit Forwarders dialog box.

4. Tap or click in the IP Address list, type the IP address of a forwarder for the network, and then press Enter. Windows then attempts to validate the server. If an error occurs, make sure the server is connected to the network and that you've entered the correct IP address. Repeat this process to specify the IP addresses of other forwarders. List only servers you control or trust: every external name your clients resolve will be answered through them.

5. Set the Number Of Seconds Before Forward Queries Time Out value. This value controls how long the server waits for a response from the current forwarder. When the time-out interval passes, the server tries the next forwarder on the list. The default is three seconds. Tap or click OK to close the Edit Forwarders dialog box. Then, on the Forwarders tab, choose the server type: to configure the server as a nonforwarder, leave the Use Root Hints If No Forwarders Are Available check box selected, so the server resolves the query itself if no forwarder responds; to configure it as a forwarding-only server, clear this check box, so the query fails rather than the server contacting external name servers directly. Tap or click OK.
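The same configuration, done with the DnsServer module instead of the DNS Manager console, as an added example that is not from the book. It applies both server types (the role is a parameter), refuses the combination the Advanced tab warns about (recursion disabled, which silently disables forwarders), and checks that each forwarder actually answers. The forwarder addresses (RFC 5737 documentation space) and the external test name are assumptions; replace them with your own.

```powershell
# Added example (not from the book): configure a Windows Server 2012 R2 DNS
# server as a nonforwarder or a forwarding-only server with the DnsServer
# module, then verify the result. Forwarder addresses and the test name are
# assumptions; replace them with your own. Run on the DNS server as an admin.
#Requires -Modules DnsServer

param(
    [string[]]$Forwarders = @('192.0.2.53', '192.0.2.54'),  # assumed: your designated forwarders
    [ValidateSet('Nonforwarder', 'ForwardingOnly')]
    [string]$Role = 'ForwardingOnly',
    [int]$TimeoutSeconds = 3,                                # GUI default for server-level forwarders
    [string]$TestName = 'www.microsoft.com'                  # assumed external name for the check
)

# "Disable recursion (also disables forwarders)" on the Advanced tab must be
# cleared for BOTH roles: a server with recursion off ignores its forwarder list.
if (-not (Get-DnsServerRecursion).Enable) {
    Write-Warning 'Recursion is disabled, which also disables forwarders; re-enabling it.'
    Set-DnsServerRecursion -Enable $true
}

# The nonforwarder/forwarding-only distinction is the "Use root hints if no
# forwarders are available" check box on the Forwarders tab (-UseRootHint here).
$useRootHint = ($Role -eq 'Nonforwarder')
Set-DnsServerForwarder -IPAddress $Forwarders -Timeout $TimeoutSeconds -UseRootHint $useRootHint

# Show the effective configuration.
$cfg = Get-DnsServerForwarder
'Forwarders: {0}  Timeout: {1}s  UseRootHint: {2}' -f ($cfg.IPAddress -join ', '), $cfg.Timeout, $cfg.UseRootHint

# Each forwarder must answer recursive queries for external names; a
# forwarding-only server depends on that entirely because it has no fallback.
foreach ($fwd in $Forwarders) {
    try {
        $null = Resolve-DnsName -Name $TestName -Server $fwd -DnsOnly -ErrorAction Stop
        "Forwarder $fwd resolved $TestName"
    } catch {
        Write-Warning "Forwarder $fwd did not resolve ${TestName}: $($_.Exception.Message)"
    }
}

# Finally, confirm that this server itself resolves the name through its forwarders.
Resolve-DnsName -Name $TestName -Server localhost -DnsOnly -ErrorAction Stop |
    Select-Object Name, Type, IPAddress
```

Run it as `.\Set-ForwardingRole.ps1 -Role Nonforwarder` (assumed file name) to keep the root-hints fallback, or with the default role for a forwarding-only server. For a forwarding-only server you can then block outbound port 53 from it at the firewall; the last `Resolve-DnsName` call should still succeed, because the query travels through the forwarders, which is the point of the configuration.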

Creating forwarding servers

A forwarder is simply a DNS server that does standard recursive resolution and isn't configured to forward to anything else. Any DNS server that isn't designated as a nonforwarder or a forwarding-only server therefore acts as a forwarder. On the network's designated forwarders, be sure that the Disable Recursion (Also Disables Forwarders) option is not selected and that you haven't configured the server to forward requests to other DNS servers in the domain. Because these are the only servers that need to reach external name servers, they are the only ones your firewall should allow to send DNS traffic to the Internet; they should accept queries from your internal networks only, not from the Internet.

Configuring conditional forwarding

Conditional forwarding enables you to direct requests for specific domains to specific DNS servers for resolution, typically the authoritative servers for those domains, rather than sending them through the ordinary forwarders or the root hints. It is useful if your organization has multiple internal domains (or a partner's domain reachable over a private link) whose names can't be resolved from the Internet and you need to resolve requests between these domains.

To configure conditional forwarding, follow these steps:

1. In the DNS Manager console, select and then press and hold or right-click the Conditional Forwarders folder for the server with which you want to work. Tap or click New Conditional Forwarder on the shortcut menu.

2. In the New Conditional Forwarder dialog box, enter the name of a domain to which queries should be forwarded, such as adatum.com.

3. Tap or click in the IP Address list, type the IP address of an authoritative DNS server in the specified domain, and then press Enter. Repeat this process to specify additional IP addresses.

4. If you're integrating DNS with Active Directory, select the Store This Conditional Forwarder In Active Directory check box, and then choose one of the following replication strategies:

■ All DNS Servers In This Forest Choose this strategy if you want the widest replication. The forwarder is stored in the ForestDnsZones application partition and replicates to every domain controller running DNS in the forest. Remember, the Active Directory forest includes all domains in all domain trees that share a common schema, configuration, and global catalog with the current domain.

■ All DNS Servers In This Domain Choose this strategy if you want to replicate forwarder information to the domain controllers running DNS in the current domain only. The forwarder is stored in the DomainDnsZones application partition, which is per domain; child domains have their own partition and do not receive it.

■ All Domain Controllers In This Domain (For Windows 2000 Compatibility) Choose this strategy if you want to replicate forwarder information to all domain controllers within the current domain, whether or not they run DNS. Although this strategy gives wider replication within the domain, not every domain controller is a DNS server as well (nor do you need to configure every domain controller as a DNS server), so it only makes sense when you still have Windows 2000 domain controllers, which can't use the application partitions.

5. Set the Forward Queries Time Out interval. This value controls how long the server tries to query the forwarder if it gets no response. When the Forward Time Out interval passes, the server tries the next authoritative server on the list. The default is five seconds. Tap or click OK.

6. Repeat this procedure to configure conditional forwarding for other domains.
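The conditional forwarder from the procedure above, created with the DnsServer module, as an added example that is not from the book. It adds the check a practitioner would want before step 3: each target server is asked a non-recursive query for the domain's SOA record, and only servers that answer authoritatively are accepted, so a resolver that merely recurses to the Internet can't quietly be turned into the "authoritative" source for an internal domain. The domain name comes from the book's example; the addresses (RFC 5737 documentation space) are assumptions.

```powershell
# Added example (not from the book): create an Active Directory-integrated
# conditional forwarder for adatum.com after checking that the target servers
# really are authoritative for it. Addresses are assumptions; replace them.
# Run on a domain controller running DNS, as a DNS or domain admin.
#Requires -Modules DnsServer

param(
    [string]$Domain = 'adatum.com',                            # domain from the book's example
    [string[]]$MasterServers = @('192.0.2.10', '192.0.2.11'),  # assumed: adatum.com's authoritative servers
    [ValidateSet('Forest', 'Domain', 'Legacy')]
    [string]$ReplicationScope = 'Domain',  # Forest = All DNS Servers In This Forest; Domain = All DNS
                                           # Servers In This Domain; Legacy = All Domain Controllers
                                           # In This Domain (Windows 2000 compatibility)
    [int]$TimeoutSeconds = 5                                   # GUI default for conditional forwarders
)

# A conditional forwarder can't coexist with a zone of the same name on this
# server: the locally hosted zone would always win, so stop early.
$existing = Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue
if ($existing) {
    throw "A zone named $Domain already exists on this server (type: $($existing.ZoneType))."
}

# Ask each target for the domain's SOA record without recursion and keep only
# the servers that answer with it. A server that is not authoritative and has
# nothing cached returns no SOA, which filters out plain recursive resolvers.
$verified = foreach ($ip in $MasterServers) {
    try {
        $soa = Resolve-DnsName -Name $Domain -Type SOA -Server $ip -DnsOnly -NoRecursion -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SOA' }
        if ($soa) { $ip } else { Write-Warning "$ip returned no SOA for $Domain" }
    } catch {
        Write-Warning "$ip did not answer for ${Domain}: $($_.Exception.Message)"
    }
}
if (-not $verified) { throw "No authoritative server for $Domain responded; not creating the forwarder." }

Add-DnsServerConditionalForwarderZone -Name $Domain -MasterServers $verified `
    -ReplicationScope $ReplicationScope -ForwarderTimeout $TimeoutSeconds

# Confirm the zone type, replication scope and master servers, then resolve the
# domain's SOA through this server so the new forwarder is exercised end to end.
Get-DnsServerZone -Name $Domain | Select-Object ZoneName, ZoneType, ReplicationScope, MasterServers
Resolve-DnsName -Name $Domain -Type SOA -Server localhost -DnsOnly -ErrorAction Stop
```

`Get-DnsServerZone` reports the result as a zone of type Forwarder; that is how DNS Manager stores conditional forwarders. Omit `-ReplicationScope` if the forwarder should live only in this server's local configuration rather than in Active Directory, which matches leaving the Store This Conditional Forwarder In Active Directory check box cleared.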
