Enterprise DNS Architecture with Technitium DNS, MikroTik, IIS, and Mail Server


Overview

This design is intended for a medium-sized enterprise environment with:

  • 500+ users
  • MikroTik Router
  • Multiple Public IP addresses
  • Technitium DNS Server
  • IIS Web Hosting
  • Mail Server
  • DNS Filtering and Caching
  • Future Active Directory Integration
  • Public DNS Hosting (Authoritative DNS)

This architecture separates public authoritative DNS (NS1 and NS2, which answer the internet about company.com and never recurse) from internal recursive DNS (NS3, which resolves everything for users and is never reachable from the internet). A server exposed to the internet therefore cannot be turned into an open resolver, the cache that users depend on is not exposed to the internet, and each role can be scaled and managed on its own.


            Network Architecture Diagram

                              INTERNET
                                  |
                   --------------------------------
                   |                              |
            Public IP-1                    Public IP-2
            203.x.x.1                      203.x.x.2
                   |                              |
                   +------------ MikroTik --------+
                               172.16.200.1
                                    |
      -------------------------------------------------------------
      |              |              |              |              |
   NS1 DNS        NS2 DNS        NS3 DNS      Mail Server    IIS Server
172.16.200.10  172.16.200.11  172.16.200.12  172.16.200.20  172.16.200.30
Authoritative  Secondary DNS  Recursive DNS
DNSSEC Signing AXFR / IXFR    Cache DNS
                              Filtering DNS
                              DNSSEC Validation

Server Roles

NS1 – Primary Authoritative DNS

Server IP:

172.16.200.10

Responsibilities:

  • Primary DNS Zone Hosting
  • Public DNS Queries
  • DNSSEC Signing
  • Zone Management
  • SPF Records
  • DKIM Records
  • DMARC Records
  • MX Records
  • A Records

Recursion: Disabled

Zone Transfers: Allowed only to NS2 (172.16.200.11)

Public Access: 203.x.x.1 -> Port Forwarding NAT -> 172.16.200.10


NS2 – Secondary Authoritative DNS

Server IP:

172.16.200.11

Responsibilities:

  • Secondary DNS Hosting
  • Zone Replication
  • AXFR Transfers
  • IXFR Transfers
  • DNS Redundancy

Recursion: Disabled

Public Access: 203.x.x.2 -> Port Forwarding NAT -> 172.16.200.11

NS2 covers an NS1 failure, not a router or uplink outage, because both nameservers sit behind the same MikroTik. A secondary at another site (or a hosted secondary service) would cover that case as well.


NS3 – Internal Recursive DNS

Server IP:

172.16.200.12

Responsibilities:

  • Recursive DNS Resolution
  • DNS Cache
  • Website Filtering
  • Ad Blocking
  • Malware Domain Blocking
  • DNSSEC Validation

Public Access: None

Recursion: Enabled


Public DNS Query Flow

When an external user requests DNS information:

Internet User
      |
ns1.company.com
      |
203.x.x.1
      |
MikroTik NAT
      |
172.16.200.10
      |
Technitium NS1

The user never sees the private IP address.


Internal User DNS Flow

User PC
    |
DNS = MikroTik
    |
172.16.200.1
    |
172.16.200.12
    |
Internet

The user communicates only with MikroTik, which forwards every query to NS3.

One consequence of the split design: NS3 learns from the public delegation that company.com is served at 203.x.x.1 and 203.x.x.2, and from inside the LAN those addresses belong to the router, not to NS1/NS2. Add a conditional forwarder zone for company.com on NS3 that points at 172.16.200.10 (and 172.16.200.11), so that internal lookups of your own domain go straight to the authoritative servers instead of depending on NAT hairpinning.


User DNS Configuration

Recommended:

Gateway: 172.16.200.1
DNS:     172.16.200.1

Do NOT configure public resolvers such as:

8.8.8.8
1.1.1.1

on user computers.

A client that points at a public resolver bypasses the filtering on NS3 entirely. The client setting alone does not prevent that; a firewall rule on the MikroTik that redirects outbound port-53 traffic from the LAN back to the router does (plain DNS only; DNS over HTTPS on port 443 is not caught by such a rule).


MikroTik DNS Configuration

/ip dns set allow-remote-requests=yes servers=172.16.200.12

Purpose:

  • DNS Forwarder
  • DNS Proxy
  • Centralized DNS Control

allow-remote-requests=yes makes the router answer DNS on every interface, including the WAN side that carries the public addresses. Without a firewall rule that drops port 53 arriving from the WAN, the router becomes an open resolver that can be abused for DNS amplification.
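The router side of the two sections above (client DNS policy and the MikroTik forwarder), assembled as an added example that is not part of the original post. It assumes RouterOS interface lists named WAN and LAN exist, that the LAN is 172.16.200.0/24 with the router at 172.16.200.1, and that NS3 is 172.16.200.12 as in the diagram; the rule comments are mine.

```routeros
# Added example, not from the original post. Assumptions: interface lists
# "WAN" and "LAN" exist, the LAN is 172.16.200.0/24, NS3 is 172.16.200.12.

# 1. Forwarder: clients ask the router, the router asks NS3 and nothing else.
/ip dns set allow-remote-requests=yes servers=172.16.200.12

# 2. allow-remote-requests=yes listens on every interface, WAN included.
#    Drop DNS that arrives from the internet before it reaches the resolver.
#    Rules are evaluated in order: keep these above any broad "accept" in input.
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop \
    comment="not an open resolver (udp)"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop \
    comment="not an open resolver (tcp)"

# 3. Clients that hard-code 8.8.8.8 or 1.1.1.1 would bypass the filtering on NS3.
#    Redirect any LAN DNS query bound for the internet to the router itself.
#    NS3 is exempted because it must reach the internet to recurse. Destinations
#    inside the LAN are exempted so that NS2's transfers from NS1 are untouched.
/ip firewall nat
add chain=dstnat in-interface-list=LAN src-address=!172.16.200.12 \
    dst-address=!172.16.200.0/24 protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS through router (udp)"
add chain=dstnat in-interface-list=LAN src-address=!172.16.200.12 \
    dst-address=!172.16.200.0/24 protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS through router (tcp)"
```

To check it, query a public resolver from a LAN host (for example nslookup example.com 8.8.8.8): the answer now comes from the router, with NS3's filtering applied. From outside, a recursive query to 203.x.x.1 must never return a resolved address; it either times out at the router's input drop or, once port forwarding to NS1 is in place, comes back refused because NS1 does not recurse.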


Why Use MikroTik as DNS for Clients?

Benefits:

  • Centralized Management
  • Easy DNS Migration
  • Easy Failover
  • No Client Reconfiguration
  • Future Active Directory Compatibility

If the DNS server changes, only MikroTik needs modification.

No changes are required on user devices.

The trade-off is that NS3 sees every query as coming from 172.16.200.1, so Technitium's per-client logs and per-client filtering policies are not available in this layout; if you need them, hand out 172.16.200.12 via DHCP instead and keep the router as the fallback. When Active Directory is introduced, domain-joined machines must resolve the AD zone (SRV records, dynamic updates) through the domain controllers, so plan for a conditional forwarder for the AD domain on NS3, or point domain members at the DCs directly.


DNS Security

DNSSEC Signing

Implemented on:

NS1

Purpose:

  • Digitally sign DNS zones
  • Protect against DNS spoofing

Signing alone is not enough: the DS record for the zone's key-signing key must be published at the registrar, so that the parent zone carries the link in the chain of trust. Until the DS is published, validating resolvers treat company.com as unsigned. NS2 receives the signed records through the normal zone transfer and needs no keys of its own.


DNSSEC Validation

Implemented on:

NS3

Purpose:

  • Validate the signatures on answers from signed external domains
  • Discard forged or tampered answers (the client gets SERVFAIL) instead of caching them, which is what defeats cache poisoning for signed domains


Zone Replication

AXFR

Full Zone Transfer

Example:

NS2 downloads the entire zone from NS1.

Used during:

  • Initial synchronization
  • Complete resynchronization


IXFR

Incremental Zone Transfer

Example:

Only changed records are transferred.

Benefits:

  • Reduced bandwidth usage
  • Faster synchronization

On NS1, allow zone transfers only from 172.16.200.11 (Technitium can additionally require a TSIG key on transfers). With transfers left open, anyone on the internet can pull the complete zone with an AXFR request to 203.x.x.1. Enable NOTIFY from NS1 to NS2 so that changes propagate immediately rather than at the SOA refresh interval.


Glue Records

If hosting your own nameservers:

Example:

ns1.company.com
ns2.company.com

You must create Glue Records at the domain registrar.

Example:

ns1.company.com -> 203.x.x.1
ns2.company.com -> 203.x.x.2

Glue is needed because the nameserver names lie inside the zone they serve: a resolver cannot look up ns1.company.com without first asking ns1.company.com. The registrar publishes the addresses in the parent zone, alongside the NS delegation, to break that loop. The same A records (and the NS records) must also exist in the zone on NS1, and both copies must be updated together whenever a public IP changes.


NAT Configuration

MikroTik Port Forwarding:

203.x.x.1:53
      ↓
172.16.200.10:53

203.x.x.2:53
      ↓
172.16.200.11:53

Allow:

UDP 53
TCP 53

Only.

TCP is required, not optional: truncated responses, DNSSEC-sized answers and zone transfers all fall back to TCP. Nothing else on these two addresses should be forwarded to the nameservers, in particular not the Technitium management web interface.
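The NAT and forward-filter rules behind the port-forwarding diagram above, as an added example that is not part of the original post. Assumptions: the public addresses live on ether1, which is a member of the WAN interface list; the /29 prefix length is a placeholder, just like 203.x.x.1 itself; and the forward chain has no earlier rule accepting new connections from the WAN.

```routeros
# Added example, not from the original post. Placeholders: 203.x.x.1/2 and the
# /29 prefix length stand in for the real assignment. Assumes ether1 carries the
# public addresses and is a member of the "WAN" interface list.

# Both public addresses must exist on the router for dst-nat to see them.
/ip address
add address=203.x.x.1/29 interface=ether1 comment="ns1 public"
add address=203.x.x.2/29 interface=ether1 comment="ns2 public"

/ip firewall nat
# Inbound: 53/udp and 53/tcp on each public address to the matching server.
add chain=dstnat in-interface-list=WAN dst-address=203.x.x.1 protocol=udp dst-port=53 \
    action=dst-nat to-addresses=172.16.200.10 to-ports=53 comment="ns1 udp"
add chain=dstnat in-interface-list=WAN dst-address=203.x.x.1 protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=172.16.200.10 to-ports=53 comment="ns1 tcp"
add chain=dstnat in-interface-list=WAN dst-address=203.x.x.2 protocol=udp dst-port=53 \
    action=dst-nat to-addresses=172.16.200.11 to-ports=53 comment="ns2 udp"
add chain=dstnat in-interface-list=WAN dst-address=203.x.x.2 protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=172.16.200.11 to-ports=53 comment="ns2 tcp"
# Outbound: anything NS1/NS2 originate toward the internet (for instance NOTIFY to
# an off-site secondary added later) leaves from its own public address rather
# than the router's primary one. Put these above any generic masquerade rule.
add chain=srcnat src-address=172.16.200.10 out-interface-list=WAN \
    action=src-nat to-addresses=203.x.x.1 comment="ns1 source"
add chain=srcnat src-address=172.16.200.11 out-interface-list=WAN \
    action=src-nat to-addresses=203.x.x.2 comment="ns2 source"

/ip firewall filter
# Forward chain: dst-nat has already rewritten the destination, so match on the
# internal addresses; connection-nat-state=dstnat limits the accept to translated
# flows. Only port 53 reaches NS1/NS2; the drop at the end covers everything else.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface-list=WAN connection-nat-state=dstnat \
    dst-address=172.16.200.10 protocol=udp dst-port=53 action=accept comment="ns1 udp"
add chain=forward in-interface-list=WAN connection-nat-state=dstnat \
    dst-address=172.16.200.10 protocol=tcp dst-port=53 action=accept comment="ns1 tcp"
add chain=forward in-interface-list=WAN connection-nat-state=dstnat \
    dst-address=172.16.200.11 protocol=udp dst-port=53 action=accept comment="ns2 udp"
add chain=forward in-interface-list=WAN connection-nat-state=dstnat \
    dst-address=172.16.200.11 protocol=tcp dst-port=53 action=accept comment="ns2 tcp"
# Accepts for the mail server (203.x.x.3) and the IIS host go here, above the drop.
add chain=forward in-interface-list=WAN connection-state=new action=drop \
    comment="everything else from the internet"
```

Verify from a host outside the network with dig: a query for company.com SOA to 203.x.x.1 must come back authoritative (aa flag set), a query for a foreign name to the same address must be refused rather than answered, and an AXFR of company.com must fail. These rules are WAN-only on purpose: internal hosts reaching 203.x.x.1 are not translated, so give NS3 a conditional forwarder for company.com pointing at 172.16.200.10 instead of relying on hairpin NAT.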


Mail Server DNS Records

A Record

mail.company.com   A   203.x.x.3

MX Record

company.com   MX   10 mail.company.com

SPF Record

company.com TXT "v=spf1 mx ip4:203.x.x.3 -all"

DKIM Record

Published at <selector>._domainkey.company.com as a TXT record holding the public key the mail server generates; the selector name is chosen when the key pair is created, and the private key never leaves the mail server.

DMARC Record

_dmarc.company.com TXT "v=DMARC1; p=quarantine"

Adding rua=mailto:<address> to the record makes receivers send aggregate reports, which is the only way to confirm that SPF and DKIM are passing before tightening the policy to p=reject.

PTR Record

PTR records cannot normally be created by the DNS administrator, because the reverse zone for the public range is delegated to the ISP, not to NS1.

They must be requested from the ISP (unless the ISP delegates the reverse zone to you). The PTR must match the name the mail server announces in HELO/EHLO, and that name must resolve back to 203.x.x.3; many receivers reject mail when the forward and reverse records disagree.

Example:

203.x.x.3
PTR
mail.company.com

Disaster Recovery

Normal Operation:

MikroTik
    |
NS3

Emergency Operation:

/ip dns set servers=8.8.8.8,1.1.1.1

If NS3 becomes unavailable, internet browsing continues without changing any client settings. While the fallback is active, nothing filters or DNSSEC-validates the users' queries, so treat it as a temporary measure; a second internal recursive server listed alongside the first gives failover without giving up either.


Recommended Resources

NS1

2 vCPU
4 GB RAM
50 GB SSD

NS2

2 vCPU
4 GB RAM
50 GB SSD

NS3

4 vCPU
8 GB RAM
100 GB SSD

Operating System:

Ubuntu Server 24.04 LTS

DNS Software:

Technitium DNS Server

Final Enterprise Design Summary

NS1

Authoritative DNS
DNSSEC Signing
Recursion Disabled

NS2

Secondary DNS
AXFR / IXFR
Recursion Disabled

NS3

Recursive DNS
DNS Cache
DNS Filtering
DNSSEC Validation

Clients

DNS = MikroTik Only

MikroTik

DNS Forwarder
Centralized DNS Control

This design provides a secure, scalable, enterprise-grade DNS infrastructure suitable for the next 4–5 years and supports web hosting, mail hosting, DNS filtering, DNSSEC, Active Directory integration, and centralized network management.
