Deciding Whether to Deploy an Internal DNS Root

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If you have a large distributed network and a complex DNS namespace, it is best to use an internal DNS root that is isolated from public networks. Using an internal DNS root streamlines the administration of your DNS namespace by enabling you to administer your DNS infrastructure as if the entire namespace consists of the DNS data within your network.

If you use an internal DNS root, a private DNS root zone is hosted on a DNS server on your internal network. This private DNS root zone is not exposed to the Internet. Just as the Internet DNS root zone contains delegations to all of the top-level domain names on the Internet, such as .com, .net, and .org, a private root zone contains delegations to all of the top-level domain names on your network. The DNS server that hosts the private root zone is authoritative for the entire internal DNS namespace: a query for a name under any top-level domain that the private root does not delegate is answered with a name error (NXDOMAIN) instead of being sent to the Internet root servers.

Using an internal DNS root provides the following benefits:

  • Simplicity. If your network spans multiple locations, an internal DNS root might be the best method for administering DNS data in a network.

  • Secure name resolution. With an internal DNS root, DNS clients and servers on your network never contact the Internet to resolve internal names, so the host names and addresses of your internal network never appear in queries sent to Internet DNS servers. You can enable name resolution for any name in another namespace by adding a delegation from your root zone. For example, if your computers need access to resources in a partner organization, add a delegation from your root zone to the top level of the partner organization's DNS namespace (NS records for that name, with glue A records for the partner's name servers).

Important

  • Do not reuse names that exist on the Internet in your internal namespace. Because the private root is authoritative for every name, an internal domain that repeats an Internet name (for example, an internal .com top-level domain) hides the Internet version: clients on your network can resolve only the internal copy, and queries for the corresponding Internet names fail or return the wrong addresses.

If Internet name resolution is required by computers that do not go through a software proxy, or by computers that support only LATs (a LAT client must resolve an Internet name to an IP address itself before it can decide whether the destination is local or must go through the proxy), then you cannot use an internal root for your DNS namespace, because the private root cannot answer for Internet names. In this case, you must configure one or more internal DNS servers to forward queries that cannot be resolved locally to DNS servers on the Internet, such as the resolvers of your ISP. Proxy clients that decide by name (a name exclusion list or a PAC file) hand Internet names to the proxy, which resolves them outside your namespace, so an internal root works for them.
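The two configurations this page contrasts, written out as an added example that is not part of the deployment guide: a PowerShell script that drives dnscmd.exe on a Windows Server 2003 DNS server either to build a private root zone with delegations for an internal and a partner top-level domain, or to remove the root zone and forward unresolved queries upstream. The top-level domain names, name-server host names and IP addresses are assumptions chosen for the example; the dnscmd and nslookup commands are the standard ones shipped with the operating system.

```powershell
# Added example (not from the deployment guide): build a private root zone on a
# Windows Server 2003 DNS server with dnscmd.exe, or, for the forwarding case,
# remove the root zone and point the server at an upstream resolver.
# Run in an elevated PowerShell session on the DNS server itself.
# The TLD names, host names and IP addresses below are assumptions for the example.

$DnsServer   = 'localhost'
$InternalTld = 'corp'            # assumed internal top-level domain
$PartnerTld  = 'partner'         # assumed partner organization's top-level domain
$Upstream    = '203.0.113.53'    # assumed ISP resolver (documentation address range)

function Invoke-Dnscmd {
    # Run one dnscmd.exe command against $DnsServer and stop on the first
    # failure so that a half-built root zone is never left on the server.
    param([string[]]$Arguments)
    & dnscmd.exe $DnsServer $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw ('dnscmd ' + [string]::Join(' ', $Arguments) + " failed (exit code $LASTEXITCODE)")
    }
}

function New-PrivateRoot {
    # Option 1: host the root zone "." on this server. Once it exists the server
    # is authoritative for the whole namespace: a name under any top-level domain
    # not delegated here is answered NXDOMAIN, and the server no longer uses
    # root hints or forwarders.
    Invoke-Dnscmd @('/ZoneAdd', '.', '/Primary', '/file', 'root.dns')

    # Delegate the internal top-level domain, plus a glue A record so the
    # referral can actually be followed.
    Invoke-Dnscmd @('/RecordAdd', '.', $InternalTld, 'NS', "ns1.$InternalTld.")
    Invoke-Dnscmd @('/RecordAdd', '.', "ns1.$InternalTld", 'A', '10.0.0.5')

    # Delegate the partner organization's top-level domain the same way.
    Invoke-Dnscmd @('/RecordAdd', '.', $PartnerTld, 'NS', "ns1.$PartnerTld.")
    Invoke-Dnscmd @('/RecordAdd', '.', "ns1.$PartnerTld", 'A', '10.200.0.5')

    Invoke-Dnscmd @('/ZoneInfo', '.')
}

function Set-InternetForwarding {
    # Option 2: no private root. A server that hosts "." will not forward, so
    # remove the root zone first (the error is ignored if there is none), then
    # send queries the server cannot answer locally to the upstream resolver.
    # /NoSlave keeps normal recursion as a fallback when the forwarder
    # does not answer within the timeout.
    & dnscmd.exe $DnsServer /ZoneDelete . /f | Out-Null
    Invoke-Dnscmd @('/ResetForwarders', $Upstream, '/Timeout', '5', '/NoSlave')
    Invoke-Dnscmd @('/Info')
}

function Test-NameResolution {
    # Ask this server for an internal name and for a public name. With the
    # private root in place the internal query gets a referral or answer and
    # the public query is refused with a name error; with forwarding, both resolve.
    & nslookup.exe -type=NS "$InternalTld." $DnsServer
    & nslookup.exe -type=A 'www.microsoft.com.' $DnsServer
}

# Use exactly one of the two options on a given server.
New-PrivateRoot
# Set-InternetForwarding
Test-NameResolution
```

The two options are mutually exclusive on one server, which is why Set-InternetForwarding deletes the root zone before setting forwarders. The private-root branch also shows the mechanism behind the warning above about reusing Internet names: once "." is hosted locally, the only .com, .net or .org that clients can ever see is whatever this root zone delegates.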

Table 3.4 lists the types of client proxy capabilities and whether you can use an internal DNS root for each type.

Table 3.4   Client Proxy Capabilities

Proxy Capability                     | Microsoft Software with Corresponding Proxy Capabilities                                                              | Forwards Queries | Can You Use an Internal Root?
-------------------------------------|-----------------------------------------------------------------------------------------------------------------------|------------------|------------------------------
No Proxy                             | Generic Telnet                                                                                                        | Yes              | No
Local Address Table (LAT)            | Winsock Proxy (WSP) 1.x and later; Microsoft® Internet Security and Acceleration (ISA) Server 2000 and later          | Yes              | No
Name Exclusion List                  | WSP 1.x and later; ISA Server 2000 and later; all versions of Microsoft® Internet Explorer                            | Yes              | Yes
Proxy Auto-configuration (PAC) File  | WSP 2.x; ISA Server 2000 and later; Internet Explorer 3.01 and later                                                  | Yes              | Yes