This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 37%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJW%3C/text%3E%3C/svg%3E)
I have a client that has a security requirement that prevents ALL domain controllers from having ANY internet access. The PDCe FSMO syncs with an internal NTP server that, in turn, syncs with an external NTP server. M$ updates are retrieved from an internal WSUS server, etc., etc., etc.
So, the question I have is regarding the DCs need to resolve external DNS queries for client machines. Because the DCs cannot (directly) use root hints or (public) forwarders, I need to configure them to use a Windows DNS server on the DMZ (private IP address).
What is "best practice" in this scenario? Standalone server or domain member server? Are there any issues with configuring private IP addresses in the forwarders section on the DCs?
Any advice is greatly appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
DNS queries are outbound, and you aren't really opening anything up for inbound, but you could have a domain controller in DMZ, then set up forwarders on the internal DCs to point to the DMZ server for internet queries.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Thank you for the reply,
That is exactly what I plan on doing with the exception that the DNS server in the DMZ (used only for external name resolution on behalf of the internal DCs) cannot be a DC itself. Security requirement from client.
So, my question is whether or not there is any advantage (or disadvantage) to the DNS server in the DMZ being a standalone (workgroup) server or a domain member server?
You could likely do either, or another maybe simpler option is to let the perimeter firewall device do the forwarding.
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
