1

I've been reading a bit tonight on how to best set up our school network for Internet connectivity. It works as it is, but there are hiccups in client/server access to the Internet from time to time. (note: the Sonicwall always sees the Internet)

My set up as is:

Internet---Sonicwall---Managed Switch---Win 2k8 r2 Server | Clients & Printers

The Sonicwall

  • LAN zone with an IP in our IP range
  • WAN zone with static ISP assigned IP and DNS set to Google DNS and ISP's DNS as backup

The Windows Server (just an internal file server)

  • Active Directory
  • DNS (set to 127.0.0.1)
  • DHCP dynamically for a small guest range (phones),
  • DHCP statically for devices and student & teacher clients (for filtering purposes)

The Clients

  • Gateway set to Sonicwall IP
  • DNS set to Server IP (on some Win8 systems I've had to set an alternate DNS to 8.8.8.8 for Internet connectivity.

So, to questions:

From what I read tonight it seems I should have:

  • The Sonicwall WAN looking inward to the Server IP for DNS
  • The Server set to have forwarding to look outward to Google/ISP DNS
  • The clients DNS set to Server IP and Gateway to Sonicwall IP

Can anyone verify this? I am confused. If the Sonicwall looks to the Server for Internet DNS wont my clients A) bog the Server down and B) have no Internet when the Server is off?

If this isn't best practice, then what is? Am I already doing it right? Should the client DNS look to the Server AND the ISP?

Thanks! Chris

Christopher Moran
  • 39
  • 1
  • 1
  • 5
  • Side note, you shouldn't be using Google DNS as your upstream resolvers. Use root hints. – Wesley May 15 '15 at 18:06
  • Is your DNS server public facing? For example, do you allow users on the internet to make requests to your DNS server? Do you have a domain name managed from that DNS server that needs to be available to the public? – user2320464 May 24 '15 at 06:49
  • No on all accounts. The DNS server is for internal LAN only. Nothing is hosted for the public to see. – Christopher Moran May 25 '15 at 10:36

4 Answers4

4

Since the server is running Active Directory/DNS, the clients MUST have their DNS set to the server for proper domain resolution/connectivity to internal resources.

The key is to have the server's DNS service configured to forward all non-local queries to an external resolver (like Google [8.8.8.8; 8.8.4.4]). DNS traffic is so small that it shouldn't have any discernible effect on your server unless you have the cache set too low.

The server's network stack should be configured to look to 127.0.0.1 (or its local address) for DNS resolution, and the service configured with forwarders.

Insofar as the Sonicwall relates, you can set it either way. If you would like the Sonicwall to be able to resolve both internal and external FQDNs, then it will need to use your local server for resolution. If you only require external, then set it to your ISPs resolvers, or Google's.

JuxVP
  • 106
  • 4
1

As JuxVP has already stated, any domain-joined Windows clients must have their DNS set to the AD server, otherwise many services will fail, especially authentication. All other internal clients should have their DNS set to the AD server if you want them to resolve internal names.

Additionally, the domain-joined Windows clients must not have any other DNS servers listed that can't resolve AD queries b/c Windows doesn't guarantee the lookup order. Ex: if you have the following configuration on a client:

DNS1: 192.168.10.10 (AD server)
DNS2: 8.8.8.8 (Google DNS)

then you will likely have authentication problems, unusual hanging, or other communication problems. This is b/c the client may query Google's DNS for adserver.domain.local and Google's server will respond with does not exist instead of a timeout. The client will only try the other server if the first one doesn't respond. If the client receives a does not exist response, it will give up and the lookup will fail.

Jens Ehrich
  • 398
  • 2
  • 7
0
  • Sonicwall's DNS server should be configured for your ISP's DNS IP address.
  • Your server (i.e., domain DNS server) can be configured with forwarders to Google's DNS.
  • The endpoint's DNS should be configured for the domian's DNS server.
f1assistance
  • 101
  • 2
0

Since you work in the education sector, I recommend configuring your internal DNS server to forward all requests to OpenDNS. They offer special plans just for K-12 to adhere to CIPA compliance [0]. They also offer malware protection where requests for nefarious resources will be blocked.

With the above configured, set every host/device/etc. on your network to use your internal DNS server. Doing so will ensure your clients will successfully connect to each other internally and is especially important when running Microsoft Active Directory.

Next, configure all router ACLs and firewall rules to only allow outbound DNS queries from your internal DNS server to OpenDNS servers. The benefit of this is that some malware will attempt to perform DNS queries directly to public nameservers. This configuration ensures the request will go through your servers and ultimately OpenDNS where it will hopefully be caught. Any host found not utilizing the internal DNS server (firewall drop logs) should be investigated for misconfiguration or malware as this could be an indicator of compromise.

Finally, implement router ACLs and/or firewall rules to block access to your DNS server from the public internet.

[0] https://www.opendns.com/enterprise-security/solutions/k-12/

user2320464
  • 789
  • 5
  • 14