Opinion/Ideas Request: Does this design seem best?

Kevin Darcy kcd at daimlerchrysler.com
Fri Jul 9 04:17:18 UTC 2004


George wrote:

>I have put a small 160k bmp file at
>http://www.geocities.com/geelsu/DNSidea.bmp
>for this thread.
>
>I understand DNS some, but have not really ever set
>it up, especially with a Dual card system and
>with two different domains.
>
>Having the picture open in another window will 
>help now.
>
>The Email Server with Win/Exchange 2003 will be
>in both domains.  It will have
>two NICs as you can see in the picture.  I have
>also cut on 2003's Routing and Remote Access using
>the custom configuration and selected Routing only.
>So no NAT or Firewall stuff at this time.
>
>I was thinking the Email Server/Win2003 system would
>work for DNS for both the inside and outside domains.
>Inside systems will have it as their default DNS
>Server.  Inside systems will also have 144.32.3.44
>as their default router.  Then 144.32.3.44 will have
>as its default router 8.50.1.44, and this will have
>its default router as 8.50.1.254.  The TCP/IP properties
>gives me a warning about multiple Default gateways on
>disjoint networks, but I am not sure if this setup
>qualifies as disjoint.  An inside PC client that uses
>144.32.3.44 as its default router is able to bring up
>webpages from "the Cloud"
>
>8.50.1.44 will be known as EServer-Nic1.the.outside.net
>and 144.32.3.44 will be known as EServer-Nic2.the.inside.net.
>I am not too sure how to set up all this.
>
>I also have DNS on a Unix server on the inside.  Windows 2000
>used to have DNS set up for a secondary text-based domain that
>would work in Active Directory, but I am not sure which
>selection this is in the new 2003.  DNS setup is worded 
>differently now, with other selections.
>
>144.32.3.50 is another Win 2003 system that now has
>user accounts, files, etc on it.  I did not know
>if I should put it as the default DNS server for inside
>systems.
>
>Systems in "the cloud" can ping my 8.50.1.44 or outside
>NIC card.
>
>For security, there will be a PIX box between the router
>and the outside NIC in the future.
>
>Anyway, does this setup seem sound in design?
>Any ideas or opinions would be greatly appreciated.
>
This is mostly *not* a DNS question. You indicated that you're using two 
different domains for the inside versus the outside. Okay, so only allow 
internal clients to see the internal domain. That should be pretty 
straightforward, even with MS-DNS (this is a BIND group, by the way). 
Things get somewhat hairy if you want to use the *same* domain on the 
inside and the outside, yet "hide" some of the internal entries from the 
Internet. But you've simplified things greatly by choosing different 
domains.

As to your more general question, although I'm not a network architect, 
I question your choice to effectively turn your email gateway into a 
router. What does that buy you? You want every packet between your 
internal boxes and the Internet to go through your email gateway? If 
your (real) router has multiple interfaces, or you have VLAN capability, 
I think it would be preferable to put the "external" resources on its 
own router interface or VLAN, and keep it as separate as possible from 
the "internal" resources...

Perhaps you should ask this same question on a more general TCP/IP 
group, e.g. comp.protocols.tcp-ip.

                                                   - Kevin
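As an added illustration of Kevin's point that separate inside and outside domains keep the DNS side simple (this is not part of Kevin's reply or George's setup, and it is a BIND 9 configuration rather than the MS-DNS George is using): a named.conf fragment that serves the.inside.net only to internal clients, serves the.outside.net to everyone, and refuses recursion and zone transfers on the Internet-facing side so the outside NIC does not become an open resolver. The zone names and the 144.32.3.44 / 8.50.1.44 addresses come from George's post; the 144.32.3.0/24 inside network, the zone file paths and the hints file name are assumptions.

```conf
// Added example: BIND 9 split-zone configuration for a dual-homed server
// carrying two different domains (one inside, one outside).
// Assumptions: 144.32.3.0/24 is the inside LAN; file paths are illustrative.

acl "inside" {
    127.0.0.1;
    144.32.3.0/24;
};

options {
    directory "/var/named";
    // Listen on loopback and on both NICs of the dual-homed box.
    listen-on { 127.0.0.1; 144.32.3.44; 8.50.1.44; };
    // Only inside clients may use this server as a recursive resolver.
    allow-recursion { "inside"; };
    // No zone transfers to anyone unless a secondary is explicitly listed.
    allow-transfer { none; };
    version "none";
};

// Inside clients: internal zone, public zone, and recursion for the Internet.
view "internal" {
    match-clients { "inside"; };
    recursion yes;

    // Root hints are needed inside the view for recursion (path assumed).
    zone "." {
        type hint;
        file "named.root";
    };

    zone "the.inside.net" {
        type master;
        file "internal/the.inside.net.zone";
    };

    // Inside clients must still resolve the public names of the mail server.
    zone "the.outside.net" {
        type master;
        file "external/the.outside.net.zone";
    };
};

// Everyone else: only the public zone, no recursion, no internal names.
view "external" {
    match-clients { any; };
    recursion no;

    zone "the.outside.net" {
        type master;
        file "external/the.outside.net.zone";
    };
};
```

Run `named-checkconf` on the file before loading it; once views are in use every zone, including the root hints, has to sit inside a view rather than at top level. The "hairy" case Kevin mentions (one domain name on both sides with some entries hidden from the Internet) uses the same view mechanism, but with two different zone files loaded under the same zone name in the two views.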
