I'm currently configuring DNS for a new domain and I'm at a bit of a crossroads. DNS is already running on both of my Domain Controllers (DCs), but I don't really want the endpoints to communicate directly with them. My idea is to set up two new servers dedicated solely to DNS. These servers will be on different VLANs and will share their forward and reverse lookup zones. The plan is to have all endpoints retrieve their DNS information from these new servers, while only allowing those DNS servers to communicate with the DCs. Does this make sense? I'm trying to keep the traffic to the DCs to a minimum.
4 Answers
Think about what you want from Active Directory. If you're looking for a more streamlined solution, you might consider moving straight to Entra ID since it could fit your needs better.
Unless there’s a really strict compliance reason for this setup, I wouldn’t recommend it. Clients should be able to communicate with the DCs for DNS. Trying to keep them isolated might create more headaches down the line.
I’m curious why you want to limit communication with the DCs. Are you planning to block all connection access from the workstations?
If your endpoints are already joined to Active Directory, it doesn't really make sense to separate them from the DCs for DNS purposes. They inherently need to communicate with the DCs for various functionalities. If traffic is your main issue, consider upgrading your DCs instead of limiting communication.
I want to reduce traffic or access to the DCs since they’re on their own VLAN for security. They still need to connect for domain joining and all, but reducing exposure on port 53 would help with security.
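The design in the question (dedicated resolvers that hold copies of the forward and reverse zones, with only those resolvers allowed to talk to the DCs on port 53) can be expressed as a short PowerShell configuration; the following is an added example and is not code from anyone in the thread. Every zone name and address in it is a placeholder (`corp.example.com`, `10.10.0.0/16`, the DC and resolver IPs), and it assumes the DCs hold standard AD-integrated zones, including the separate `_msdcs.<forest root>` zone that a default AD DNS setup creates. Cmdlets are the built-in DnsServer, NetSecurity and DnsClient modules.

```powershell
# Added example for the thread's design; all names and addresses below are placeholders.
$Zone        = 'corp.example.com'
$ReverseZone = '10.10.in-addr.arpa'        # reverse zone for 10.10.0.0/16
$ReverseNet  = '10.10.0.0/16'
$DcIPs       = @('10.10.1.10', '10.10.1.11')    # DCs on the isolated VLAN
$ResolverIPs = @('10.20.1.53', '10.30.1.53')    # new dedicated resolvers, one per client VLAN
$Upstream    = @('192.0.2.1')                   # placeholder for your external forwarder

# ---- On each DC: hand out the zones only to the two resolvers -------------------------
# Zone transfers are the data path; restrict them to the resolvers and push NOTIFY to them.
foreach ($z in @($Zone, "_msdcs.$Zone", $ReverseZone)) {
    Set-DnsServerPrimaryZone -Name $z `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $ResolverIPs `
        -Notify NotifyServers -NotifyServers $ResolverIPs
}
# Replace the role's broad "DNS Service" inbound rules with ones scoped to the resolvers
# (and the other DCs, which replicate and query each other). Verify the group name with
# Get-NetFirewallRule before disabling anything.
Get-NetFirewallRule -DisplayGroup 'DNS Service' -Direction Inbound | Disable-NetFirewallRule
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "DNS inbound from resolvers ($proto)" -Direction Inbound `
        -Protocol $proto -LocalPort 53 -RemoteAddress ($ResolverIPs + $DcIPs) -Action Allow
}

# ---- On each new resolver: secondary copies of the zones, forwarding for everything else --
Install-WindowsFeature -Name DNS -IncludeManagementTools
Add-DnsServerSecondaryZone -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $DcIPs
Add-DnsServerSecondaryZone -Name "_msdcs.$Zone" -ZoneFile "_msdcs.$Zone.dns" -MasterServers $DcIPs
Add-DnsServerSecondaryZone -NetworkId $ReverseNet -ZoneFile "$ReverseZone.dns" -MasterServers $DcIPs
Add-DnsServerForwarder -IPAddress $Upstream

# ---- Check that a client pointed at a resolver can still find the domain ----------------
function Test-ResolverHealth {
    param([string]$Resolver, [string]$Domain)
    $result = [ordered]@{ Resolver = $Resolver }
    # DC locator: clients find DCs through this SRV record, so it must resolve via the resolver.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
        -Server $Resolver -ErrorAction SilentlyContinue
    $result.DcLocatorOk = [bool]$srv
    # Reverse lookup of a DC address proves the reverse zone transferred too.
    $ptr = Resolve-DnsName -Name $DcIPs[0] -Type PTR -Server $Resolver -ErrorAction SilentlyContinue
    $result.ReverseOk = [bool]$ptr
    # The SOA's primary server is where Windows clients send dynamic updates (see note below).
    $soa = Resolve-DnsName -Name $Domain -Type SOA -Server $Resolver -ErrorAction SilentlyContinue
    $result.UpdateTarget = if ($soa) { ($soa | Where-Object Type -eq 'SOA').PrimaryServer } else { $null }
    [pscustomobject]$result
}
foreach ($r in $ResolverIPs) { Test-ResolverHealth -Resolver $r -Domain $Zone }
```

Two things to check before relying on this for "exposure on port 53": the secondary zones are read-only, and a domain-joined Windows client registers its own A and PTR records by sending a dynamic update directly to the primary server named in the zone's SOA, which is a DC. With the firewall rule above that update is blocked, so either the DHCP server must register records on the clients' behalf or the rule must also admit the client VLANs, which is the trade-off the other answers are pointing at. The `_msdcs` zone is the one the DC-locator SRV records live in; if it is left out of the transfer, `Test-ResolverHealth` reports `DcLocatorOk = False` and domain logon on those VLANs will fail even though ordinary name resolution works.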