External and Internal DNS

[BaDaBooM]

I'm dealing with a particularly stubborn network admin that has both the internal DNS and external DNS in the DHCP Settings for the clients. His stance is that if the internal ones don't work then they can at least get to the internet if they have the external ones also.

I've found some things on technet that explain how clients can cache negative results and also how clients avoid unresponsive DNS servers. However I've been looking for more proof/reasons why you don't want to do this (he doesn't value Microsoft much). This seems such an obvious thing not do do but I'm having trouble finding specific information as to why you don't do it this way. I've found lots of whitepapers and documentation but not with the details specific to this situation. Any help is greatly appreciated.

 

[EatSpam]

I just point DNS to my internal servers. My internal server contains both my internal and external zones. I then have BIND set up on the firewall boxen to slave the outside zones. This way, I can use a nice simple Windows interface for my DNS management and BIND just replicates it for outside use.

Do you only have one internal DNS server? Two would be preferable.

 

[Moonark]

Maybe this would help... On my work network I have 2 internal DNS servers each one is configured to point to my ISPs DNS servers as forwarders. My DHCP clients are set up to only point to the internal. If one cannot find the information locally, then the request is forwarded to the external DNS servers. In 4 years I have never had an issue using it this way. If you host your own servers, like I do... I have entries on the external DNS servers for the resource's external IP, then internally I use my private IPs.

 

[spidey07]

Originally posted by: BaDaBooM
I'm dealing with a particularly stubborn network admin that has both the internal DNS and external DNS in the DHCP Settings for the clients. His stance is that if the internal ones don't work then they can at least get to the internet if they have the external ones also.

I've found some things on technet that explain how clients can cache negative results and also how clients avoid unresponsive DNS servers. However I've been looking for more proof/reasons why you don't want to do this (he doesn't value Microsoft much). This seems such an obvious thing not do do but I'm having trouble finding specific information as to why you don't do it this way. I've found lots of whitepapers and documentation but not with the details specific to this situation. Any help is greatly appreciated.

Sorry. He is correct.

Read up on how a DNS resolver works.

Client asks for IP address of host to the first DNS server listed. If that server returns negative answer then no more queries - done.
If client does not receive answer from 1st listed server then it tries second DNS server with the same query.

Meaning - if your internal DNS server is not answering queries the client will try its next name servers. Of course your internal DNS server should be a caching name server but that's beyond scope.