Confusion with DNS on Windows server and Sonicwall

Tags: domain-name-system, sonicwall, windows-server-2008

I've been reading a bit tonight on how to best set up our school network for Internet connectivity. It works as it is, but there are hiccups in client/server access to the Internet from time to time. (note: the Sonicwall always sees the Internet)

My set up as is:

Internet—Sonicwall—Managed Switch—Win 2k8 R2 Server
                         |
                 Clients & Printers

The Sonicwall

  • LAN zone with an IP in our IP range
  • WAN zone with static ISP assigned IP and DNS set to Google DNS and ISP's DNS as backup

The Windows Server (just an internal file server)

  • Active Directory
  • DNS (set to 127.0.0.1)
  • DHCP dynamically for a small guest range (phones),
  • DHCP statically for devices and student & teacher clients (for filtering purposes)

The Clients

  • Gateway set to Sonicwall IP
  • DNS set to Server IP (on some Win8 systems I've had to set an alternate DNS to 8.8.8.8 for Internet connectivity).

So, to questions:

From what I read tonight it seems I should have:

  • The Sonicwall WAN looking inward to the Server IP for DNS
  • The Server set to have forwarding to look outward to Google/ISP DNS
  • The clients DNS set to Server IP and Gateway to Sonicwall IP

Can anyone verify this? I am confused. If the Sonicwall looks to the Server for Internet DNS, won't my clients A) bog the Server down and B) have no Internet when the Server is off?

If this isn't best practice, then what is? Am I already doing it right? Should the client DNS look to the Server AND the ISP?

Thanks!
Chris

Best Answer

Since the server is running Active Directory/DNS, the clients MUST have their DNS set to the server for proper domain resolution/connectivity to internal resources.

The key is to have the server's DNS service configured to forward all non-local queries to an external resolver (like Google [8.8.8.8; 8.8.4.4]). DNS traffic is so small that it shouldn't have any discernible effect on your server unless you have the cache set too low.

The server's network stack should be configured to look to 127.0.0.1 (or its local address) for DNS resolution, and the service configured with forwarders.

As far as the Sonicwall goes, you can set it either way. If you would like the Sonicwall to be able to resolve both internal and external FQDNs, then it will need to use your local server for resolution. If you only require external, then set it to your ISP's resolvers, or Google's.
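The accepted answer's settings as commands, added here as an example; this is not code from the original question or answer. Windows Server 2008 R2 has no DnsServer PowerShell module, so the script drives dnscmd.exe and netsh.exe, which ship with the OS. The interface name "Local Area Connection", the server address 192.168.1.10, the domain school.local, the DHCP scope 192.168.1.0 and the Google forwarders are assumptions and must be changed to match the network. Besides the two settings the answer names (server NIC pointing at 127.0.0.1, DNS service forwarding everything non-local), it pushes the server's address to DHCP clients as their only resolver and finishes with a resolution check for one internal and one external name. One caveat worth knowing when reading the question: a domain-joined Windows client with a public resolver as its alternate will switch to that resolver after a single timeout against the primary and then fail to find internal names, so the client list should contain only the internal server rather than 8.8.8.8 as a fallback.

```powershell
# Added example (not from the original post or answer). Run from an elevated
# prompt on the Server 2008 R2 AD/DNS/DHCP server.
# Assumptions: LAN interface "Local Area Connection", server 192.168.1.10,
# AD domain school.local, DHCP scope 192.168.1.0, Google public resolvers.

$Interface  = "Local Area Connection"
$ServerIP   = "192.168.1.10"
$Scope      = "192.168.1.0"
$Domain     = "school.local"
$Forwarders = @("8.8.8.8", "8.8.4.4")

# 1. The server's own network stack uses only the local DNS service.
#    validate=no skips netsh's reachability probe, which would fail if the
#    DNS service is momentarily stopped.
netsh interface ipv4 set dnsservers name="$Interface" source=static address=127.0.0.1 register=primary validate=no

# 2. The DNS service forwards every query it is not authoritative for to the
#    external resolvers. PowerShell expands the array into separate arguments.
dnscmd /ResetForwarders $Forwarders
dnscmd /Config /ForwardingTimeout 3

# 3. DHCP clients receive only the internal server as DNS (option 006), so no
#    client ends up with a public resolver it can fail over to.
netsh dhcp server scope $Scope set optionvalue 006 IPADDRESS $ServerIP

# 4. Check both resolution paths against the server itself: an internal name
#    must be answered from the local zone (no "Non-authoritative" banner), an
#    external name must come back through the forwarders.
#    dc1.$Domain is an assumed host record; substitute a real one.
$checks = @{ "dc1.$Domain" = "internal"; "www.google.com" = "external" }
foreach ($name in $checks.Keys) {
    $out = nslookup $name 127.0.0.1 2>&1 | Out-String
    $answered      = $out -match "Name:\s+$name"
    $nonAuthBanner = $out -match "Non-authoritative answer"
    $expectedPath  = if ($checks[$name] -eq "internal") { -not $nonAuthBanner } else { $nonAuthBanner }
    if ($answered -and $expectedPath) {
        Write-Host ("OK    {0,-30} ({1})" -f $name, $checks[$name])
    } else {
        Write-Host ("FAIL  {0,-30} ({1})`n{2}" -f $name, $checks[$name], $out)
    }
}

# 5. Show the forwarder list the service is actually using.
dnscmd /Info /Forwarders
```

Step 4 is the check to keep around: if the internal name fails while the external one succeeds, the zone or the client's DNS setting is wrong; if the external name fails while the internal one succeeds, the forwarders or the Sonicwall's outbound UDP/TCP 53 path is the problem, and the Sonicwall's own DNS setting is irrelevant to either result.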
