I have a question. Many of our clients have only one DC. Is it better to use external DNS (ISP or Google) as the secondary DNS server for AD-joined machines, or to set up a conditional forwarder in the firewall and set the DNS server to the firewall's IP? In the latter scenario, if the DC goes down, they can still access the internet.

user242114
  • Usually all have at least a second server; installing a DNS server there isn't a problem. – djdomi Feb 15 '20 at 19:05
  • The clients aren't willing to get a second server. My question is whether it's better to put a forwarder in the firewall or put the external DNS in the clients' IPv4 settings. – user242114 Feb 15 '20 at 19:33

2 Answers

I think either scenario is roughly equal. Both can be monitored and logged to the same degree by a given firewall. I think this comes down to personal preference. The slight difference in the two could be the memory load with the firewall acting as forwarder if the firewall is caching lookups.

The concern I have with public failover is that the client can expose private domain characteristics to the internet if doing SRV / DNS lookups for domain attributes. If you are concerned, a firewall can filter lookups for private domain characteristics.

Just to make sure it is clear, you are not asking if public DNS is a conflict with the domain? The clients' membership in the domain will not matter for DNS. It is purely DHCP or manual config driven. Some environments do not use AD domain integrated DNS (for high volume). I have run environments with hybrid / mixed architectures.

Q: are clients small and only one DC total? Or, remote office with local DC? If the second, I use the home office DC as secondary DNS, with a local forwarder, and public source as tertiary.

Yaro
  • Most clients have a local DC/DNS. Some have the DC at an external location that's connected via a site-to-site VPN. – user242114 Feb 15 '20 at 22:46
  • Then it is a preference. You may find controls / inspection of outbound DNS easier with the firewall as a DNS service (single point) rather than every client as a potential source. It depends on the firewall. I always restricted outbound DNS to a whitelisted few well known servers. Your environment may vary. – Yaro Feb 15 '20 at 23:04
There's a bit of an issue with this. Secondary DNS servers should be equal to the Primary DNS server, in the sense that they return the same answers to the same records.

In AD, you usually have a domain used for your AD that's not publicly resolvable (contoso.local, not recommended however), or you might use a subdomain of your public domain that isn't replicated to your public DNS infrastructure (ad.contoso.com). If you set the secondary DNS server on your clients to 1.1.1.1 (Cloudflare's Public DNS, just an example), this public resolver won't know anything about your internal AD domain, and as such will completely break all AD functionality for your clients.

You might think that this isn't an issue since your AD is probably down anyway if your AD server isn't responding to DNS queries, but when you bring it online, Windows won't switch DNS server until the public resolver stops responding, or the client is restarted. So your fix might take quite a while to take effect, especially if you use a real domain (ad.contoso.com for example), as the public infrastructure will have responded with NXDOMAIN, which will be cached locally.

The correct setup is to just run a secondary AD server, or face it that if AD is down, DNS is down. Running a secondary domain controller also has the additional benefit of replicating your whole AD to a backup DC, which is useful if your primary DC completely dies on you.

So to answer your question, here are the options in order of preference:

  1. Run a Secondary DC
  2. Define only the Primary DC as a DNS server, and let it handle external queries for your clients.
  3. Define the firewall as the secondary DNS. This way you don't have to go through all your clients if you want to change your external resolver (this is preferable if you're not using DHCP to push DNS settings).
  4. If you're using DHCP for DNS settings, you could also define the external resolver directly and lessen the strain on your firewall.
Stuggi
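The failure mode the answer above describes (a public resolver listed as secondary that answers NXDOMAIN for the AD domain, and a client that stays pinned to it) can be audited from the client itself. The following PowerShell script is an added example written for this page; it is not from the original poster or answerers. It assumes a domain-joined Windows host with the built-in `DnsClient` module (Windows 8 / Server 2012 or later), takes the domain from `$env:USERDNSDOMAIN`, and queries every configured IPv4 DNS server for the DC locator record `_ldap._tcp.dc._msdcs.<domain>`. Any server that cannot answer it is flagged.

```powershell
# Added example (not part of the original answer): audit every DNS server
# configured on this Windows client and report which ones cannot answer the
# AD DC locator SRV query. A public resolver listed as secondary shows up here
# as NXDOMAIN / no answer, which is exactly the misconfiguration discussed above.
# Assumptions: domain-joined Windows host, DnsClient module available, domain
# name taken from the environment (override with -DomainName for testing).

param(
    [string]$DomainName = $env:USERDNSDOMAIN
)

if (-not $DomainName) {
    throw "Host does not appear to be domain-joined (USERDNSDOMAIN is empty); pass -DomainName."
}

# The locator record every AD client depends on to find a domain controller.
$srvName = "_ldap._tcp.dc._msdcs.$DomainName"

# Distinct IPv4 DNS servers across all interfaces that have any configured.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { $_.ServerAddresses } |
    Select-Object -Unique

$results = foreach ($server in $servers) {
    try {
        # -DnsOnly bypasses the local cache and hosts file so the server itself is tested.
        $answer  = Resolve-DnsName -Name $srvName -Type SRV -Server $server -DnsOnly -ErrorAction Stop
        $targets = ($answer | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ', '
        [pscustomobject]@{ Server = $server; Status = 'OK'; DomainControllers = $targets }
    }
    catch {
        # NXDOMAIN from a public resolver, or a timeout, both mean this server
        # cannot serve the AD domain and must not be a client's secondary.
        [pscustomobject]@{ Server = $server; Status = 'CANNOT RESOLVE AD'; DomainControllers = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} configured DNS server(s) cannot resolve {1}; AD logons and Group Policy will fail while the client is pinned to them." -f $bad.Count, $srvName)
}
```

Run it once with the DC healthy to confirm every listed server returns the same DC targets, which is the "secondaries must return the same answers as the primary" property the answer calls for. If the check flags a server after a DC outage has been repaired, `Clear-DnsClientCache` drops the cached NXDOMAIN so the client does not keep trusting the stale negative answer while it waits to fail back.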