#1

Messages: n/a
Host:
Hello Everyone,
I'm working on machines that will be set up on 2 different subnets, a public subnet and an internal subnet. The internal subnet will be accessed by our agency employees, the external, by employees from other agencies.

We are set up as an OU in a large AD setup. DNS is across the board. In other words, we can resolve other devices within AD from other agencies. However, each agency has its own firewall setup to protect resources.

My issue is, if I set up the DNS entry in question to have both addresses, how do I guarantee that internal employees only go to the internal address, and external only hit the external address?

Thank you in advance.

Andy
#2

Messages: n/a
Host:
Andy W wrote:

> Hello Everyone,
>
> I'm working on machines that will be setup on 2 different subnets, a
> public subnet and an internal subnet.
>
> The internal subnet will be accessed by our agency employees, the
> external, by employees from other agencies.
>
> We are setup as an OU in a large AD setup. DNS is across the board.
> In other words, we can resolve other devices with in AD from other
> agencies. However, each agency has its own firewall setup to protect
> resources.
>
> My issue is, if I setup the DNS entry in question to have both
> addresses, how do I guarantee that internal employees only go to the
> internal address, and external only hit the external address?

At this time the only way to do this is to use "split" or "shadow" DNS, that is, one set of DNS servers services public clients, and one set of DNS servers serves internal clients.

You can't host public and internal DNS zones on the same server; there's no real guarantee which record is going to get published first by DNS. DNS will publish both records with no way of forcing a particular client to use a certain record.

This may possibly show up in the next version of Windows Server; it is a subject I brought up in a recent discussion with Microsoft. As of this time, it is not supported, nor is it available from MS DNS. BIND supports this, but BIND is nowhere near secure enough for dynamic updates with the DNS client service.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s
===================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue; to respond directly to me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?...
Get OE_Quotefix: It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders with OEBackup:
http://www.oe.com/OEBackup/Default.aspx
===================================
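For readers who want to see what the "split DNS" the reply describes looks like in practice, here is an added BIND 9 `named.conf` fragment (example configuration, not from either poster) using BIND's view mechanism: the same name resolves to a different address depending on the client's source network. The zone name `example.gov`, the addresses `10.1.2.3` and `192.0.2.10`, the network ranges and the file paths are placeholders.

```bind
// Added example: split-horizon DNS with BIND 9 views.
// Clients matching "internal-clients" are answered from the internal
// zone file; everyone else gets the external zone file.

acl internal-clients {
    10.0.0.0/8;        // placeholder: the agency's internal subnet(s)
    172.16.0.0/12;
    localhost;
};

view "internal" {
    match-clients { internal-clients; };
    recursion yes;     // internal resolver may recurse for its own users
    zone "example.gov" {
        type master;
        // placeholder zone file containing, for example:
        //   app   IN   A   10.1.2.3
        file "/etc/bind/zones/example.gov.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;          // public-facing view is authoritative only
    allow-update { none; };
    zone "example.gov" {
        type master;
        // placeholder zone file containing, for example:
        //   app   IN   A   192.0.2.10
        file "/etc/bind/zones/example.gov.external";
    };
};
```

Because views are evaluated in order and the external view matches `any`, the internal view must be listed first; a client that falls through to the external view never sees the internal address.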