Small Business DNS Server?

I work for a small development company (around 10 employees, on and off) and as we grow I believe that we will need an internal DNS server just to save on having to remember 100s of IP addresses :D Unfortunately, none of us are experienced with DNS so I was wondering if someone on here could give me a few pointers :)

We have a fairly standard internal LAN in the office which is connected via IPsec to a remotely-hosted VPN. We host some non-critical development servers in the office and our important servers remotely. As many of our developers work remotely much of the time, employees are provided with VPN logins for both our office network and the hosted VPN. We have a mix of Windows, Mac and Linux clients and servers. Our company website is hosted remotely and has a .com domain name (call it abc123.com for the sake of this post :) ).

Currently the majority of our servers are accessible by IP address only, but for our sanity we really need to introduce DNS names. For example, we'd like:

svn.abc123.com
sql1.abc123.com
int1.abc123.com

...and so on. These would be internal to our office network only, though also accessible by VPN if possible. However, currently the abc123.com domain and a number of subdomains are hosted externally by our website hosting company.

Is it possible to split the DNS in this way such that some names are publicly available on the internet and others are strictly internal? What about overriding some public names (e.g. testsite.abc123.com) when in the office in order to resolve to the local server IP rather than our router's external IP? :confused:

Sorry if I am asking stupid questions; I'm pretty comfortable setting up and maintaining Windows / Linux servers, networks etc. but DNS is just one of those topics I'm struggling to get my head around :o Any tips or thoughts are very much welcome! Thanks :)

arty
 
My thought is that I know how I'd do this, but I'm not sure if it will be the best solution for you, other people may have other recommendations.

I'd run my own Name Servers, probably using BIND. BIND allows the concept of 'views' so that the response to a domain query can be answered differently dependent on the source. This allows you to separate public and internal.
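An added example (not from the thread or from the BIND docs) of what a two-view set-up for the OP's scenario looks like; abc123.com, the 10.0.0.0/24 office LAN, the 10.8.0.0/24 VPN pool and the 203.0.113.x public addresses are all assumed values. The external view can be dropped if the hosting company keeps serving public DNS, in which case the box should simply not be reachable from the internet.

```conf
// /etc/bind/named.conf (excerpt). Constructed example; all names and
// addresses below are assumed, not taken from the thread.
acl "office" { 10.0.0.0/24; 10.8.0.0/24; 127.0.0.1; };   // LAN + VPN pool

view "internal" {
    match-clients { office; };
    recursion yes;                     // office and VPN clients may recurse here
    zone "abc123.com" {
        type master;
        file "/etc/bind/zones/abc123.com.internal";
    };
    // Everything that is not abc123.com is resolved recursively; add
    // 'forwarders { <ISP resolver>; };' in options if you prefer to forward.
};

view "external" {
    match-clients { any; };
    recursion no;                      // never recurse for the internet at large
    zone "abc123.com" {
        type master;
        file "/etc/bind/zones/abc123.com.external";  // public names only
    };
};

; --- /etc/bind/zones/abc123.com.internal ---
; Office/VPN clients are answered from THIS file alone, so every public name
; you still need from inside (www, mail, MX) has to be copied in here as well.
$TTL 3600
@         IN SOA  ns1.abc123.com. hostmaster.abc123.com. (
                  2024010101 ; serial, bump on every change
                  3600 900 604800 300 )
          IN NS   ns1.abc123.com.
          IN MX   10 mail.abc123.com.
ns1       IN A    10.0.0.5
svn       IN A    10.0.0.10      ; internal-only names
sql1      IN A    10.0.0.11
int1      IN A    10.0.0.12
testsite  IN A    10.0.0.20      ; public name overridden with the LAN address
www       IN A    203.0.113.10   ; copies of the public records
mail      IN A    203.0.113.25
```

Check the files with named-checkconf and named-checkzone before reloading, then compare `dig @10.0.0.5 testsite.abc123.com` from the LAN against the same query sent to the public nameserver to confirm each view answers as intended.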
 
Thanks for the response. With a bit of playing about today I have a semi-workable solution using a private internal DNS server which handles the whole of the abc123.com domain as a primary zone, delegating to the public nameserver(s) for the external sites. This means that the public nameservers have no knowledge of our internal network whatever which seems like a good thing.

Currently using Windows Server 2008 for this but I'll probably switch over to BIND once I'm confident that this set-up is the right way to go / won't cause any problems with VPN dial-ins etc. Fingers crossed :)

arty
 
Glad you have a workable solution. If you have it working on Windows Server I can't really see a reason you'd switch it to BIND. The only reason I'd do it is a complete lack of knowledge of Windows Server and AD.
 
I would use a specific domain for internal, e.g. host.company.local, to completely segregate your namespaces (this discussion comes up from time to time on here and opinion is split as to the best approach).

Leave your public DNS to your hosts, adding the odd public test server as you need it.

You may want to investigate SBS server. Where does your DNS come from at the moment?
 
Glad you have a workable solution. If you have it working on Windows Server I can't really see a reason you'd switch it to BIND. The only reason I'd do it is a complete lack of knowledge of Windows Server and AD.

We are fairly confident with Windows Server, including AD, though I doubt we'll make full use of a domain given that we have plenty of non-Windows clients.

I would use a specific domain for internal, e.g. host.company.local, to completely segregate your namespaces (this discussion comes up from time to time on here and opinion is split as to the best approach).

Leave your public DNS to your hosts, adding the odd public test server as you need it.

You may want to investigate SBS server. Where does your DNS come from at the moment?

We have a very simple business ADSL line, so our router now simply uses the prototype Win2k8 server I set up, which itself uses our ISP's DNS servers as usual to handle non-abc123.com requests.

The use of a separate internal name is a good idea and one which I've considered, so I'll put it to my boss and get his opinion. I was intending to leave public DNS entirely to our hosts as we don't really have enough public-facing systems to warrant managing it ourselves.

I managed to connect via our VPN last night and manually configured my DNS server to be the local address of the Win2k8 machine, which worked. However, this meant that ALL DNS requests were going through that machine, rather than just those for the abc123.com domain. This meant that browsing etc. on my home machine was very slow due to the extra latency of going through this dodgy DNS server under my office desk :p

Other than that problem it seems to be working quite well at the moment.

arty
 
You will want to configure your VPN appliance to push down a specific DNS server for certain domains, e.g. a server to deal with *.abc123.com.

Cisco call this split-DNS, which you can use alongside split-tunneling.
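As an added example (not from the thread), this is what that looks like in a Cisco ASA group-policy; the policy name, the 10.0.0.5 internal DNS server and the 10.0.0.0/24 office network are assumed values.

```conf
! Cisco ASA group-policy excerpt. Constructed example; names and addresses
! are assumed, not taken from the thread.
! The internal DNS server must sit inside the split-tunnel network list,
! otherwise queries for abc123.com never enter the tunnel at all.
access-list OfficeNets standard permit 10.0.0.0 255.255.255.0

group-policy RemoteDevs attributes
 dns-server value 10.0.0.5
 split-dns value abc123.com
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OfficeNets
```

With this in place only *.abc123.com lookups go to the office server; everything else stays with the home ISP resolver, which removes the latency described earlier. Verify on a connected client with nslookup or dig against an abc123.com name and a public name and check which server answered each.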
 