71ElCamino-5796 asked, DSPatrick commented
Configure 2019 Domain Controllers To Use PRIVATE DNS Forwarders

I have a client that has a security requirement that prevents ALL domain controllers from having ANY internet access. The PDCe FSMO syncs with an internal NTP server that, in turn, syncs with an external NTP server. M$ updates are retrieved from an internal WSUS server, etc., etc., etc.

So, the question I have is regarding the DCs need to resolve external DNS queries for client machines. Because the DCs cannot (directly) use root hints or (public) forwarders, I need to configure them to use a Windows DNS server on the DMZ (private IP address).

What is "best practice" in this scenario? Standalone server or domain member server? Are there any issues with configuring private IP addresses in the forwarders section on the DCs?

Any advice is greatly appreciated.

windows-dhcp-dns

1 Answer

DSPatrick answered DSPatrick commented

DNS queries are outbound, and you aren't really opening anything up for inbound, but you could have a domain controller in the DMZ, then set up forwarders on the internal DCs to point to the DMZ server for internet queries.

--please don't forget to upvote and Accept as answer if the reply is helpful--
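For anyone landing on this thread later, here is the configuration the discussion converges on, written out as an added example (editor's code, not from either poster): every DC forwards anything it is not authoritative for to a caching-only Windows DNS server in the DMZ, and that DMZ server forwards to an approved upstream resolver and only recurses for the DC subnet. Private (RFC 1918) addresses are perfectly fine in the forwarders list; the DNS Server service does not distinguish them from public ones. All addresses, the subnet, and the policy/scope names (`InternalDCs`, `DCsOnly`, `RecurseForDCsOnly`) are placeholders, and the DMZ box is assumed to be a standalone (workgroup) server, so it is configured locally rather than through the domain.

```powershell
# Added example, not from the original thread. Placeholder values (assumptions):
#   10.0.0.0/24   internal DC subnet
#   192.0.2.53    DMZ Windows DNS server (standalone, caching-only)
#   203.0.113.53  upstream resolver the DMZ server is permitted to reach
# Run the DMZ section on the DMZ server and the DC section on every DC, elevated.
$DmzDns   = '192.0.2.53'
$Upstream = '203.0.113.53'
$DcSubnet = '10.0.0.0/24'

# ---------- DMZ server: caching-only resolver, recursion for DCs only ----------
Install-WindowsFeature -Name DNS -IncludeManagementTools

# Set-DnsServerForwarder REPLACES the forwarder list (Add-DnsServerForwarder appends).
# -UseRootHint $false stops the server walking the roots if the upstream fails.
Set-DnsServerForwarder -IPAddress $Upstream -UseRootHint $false -Timeout 3

# DNS policy: turn recursion off in the default scope, create a scope with
# recursion on, and grant that scope only to queries sourced from the DC subnet.
Add-DnsServerClientSubnet   -Name 'InternalDCs' -IPv4Subnet $DcSubnet
Add-DnsServerRecursionScope -Name 'DCsOnly' -EnableRecursion $true
Set-DnsServerRecursionScope -Name '.' -EnableRecursion $false
Add-DnsServerQueryResolutionPolicy -Name 'RecurseForDCsOnly' -Action ALLOW `
    -ApplyOnRecursion -RecursionScope 'DCsOnly' -ClientSubnet 'EQ,InternalDCs'

# Cache-poisoning hardening: drop records in responses outside the queried zone.
Set-DnsServerRecursion -SecureResponse $true

# ---------- each internal DC: forward to the DMZ server, never use root hints ----------
# Forwarders are tried before root hints. With -UseRootHint $false the DC fails
# fast when the DMZ server is unreachable instead of timing out against roots it
# is firewalled from. The DC stays authoritative for its AD zones regardless.
Set-DnsServerForwarder -IPAddress $DmzDns -UseRootHint $false -Timeout 3

# Firewall expectation: DC -> $DmzDns on UDP/TCP 53 outbound only; nothing inbound.

# ---------- verification ----------
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# AD-internal records must still resolve locally (authoritative, no forwarding):
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" -Type SRV -Server 127.0.0.1

# An external name must resolve via the DMZ hop:
Resolve-DnsName -Name www.example.com -Server 127.0.0.1 -DnsOnly

# The same query sent straight to the DMZ server succeeds from a DC address;
# from any address outside $DcSubnet the recursion policy should return REFUSED.
Resolve-DnsName -Name www.example.com -Server $DmzDns -DnsOnly
```

If the client later decides the DMZ server may be a domain member, nothing above changes except that `Install-WindowsFeature` and the policy cmdlets can be run remotely with `-ComputerName`; the forwarder and recursion settings are identical either way.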

Thank you for the reply,

That is exactly what I plan on doing with the exception that the DNS server in the DMZ (used only for external name resolution on behalf of the internal DCs) cannot be a DC itself. Security requirement from client.

So, my question is whether or not there is any advantage (or disadvantage) to the DNS server in the DMZ being a standalone (workgroup) server or a domain member server?

DSPatrick replied:

You could likely do either, or another maybe simpler option is to let the perimeter firewall device do the forwarding.


Just checking if there's any progress or updates?
