
dns configuration best practice question

I am in a multi-domain environment where my users log on locally to example.com.

Users then launch Citrix Receiver; they appear to be logging on locally but really are logging in to the remote.com domain.

example.com replicates to the remote.com domain every 15 minutes.

I already added a request route for the example.com domain to use its internal DNS servers.

In DNS Request Routing, will it help DNS functionality if I put the remote.com domain with its DNS servers in there as well?

  • I'm not sure what you mean?

    In our setup (with multiple DNS zones) we would put each zone in the request routing, which points to our internal DNS servers.

    The UTM will then resolve anything for that domain, e.g. mydomain_A.com, without having to statically enter a host on the UTM itself, e.g. hostA.mydomain_A.com.

    You simply manage DNS on your DNS server as you do now. You can put as many request routes for as many zones as you wish.

    It's basically a way of allowing the UTM to dynamically resolve IPs.

  • I am thinking the way DNS is set up in the UTM will make a difference in the speed of everything on my LAN.

    My network has 1 Active Directory that replicates between the local domain and the remote domain (MSITE).

    Users use Active Directory for authentication to log onto the local domain when they log onto their computers.

    Users will go to a website and use the same Active Directory that is replicated to the MSITE domain.

    The local domain site hosts 11 subnets.

    The MSITE domain site hosts 3 subnets.

    The firewall uses an internal router with an MPLS connection as the gateway if MSITE resources are accessed through the LAN.

    Users log on to a Citrix website and access MSITE resources via a Remote Desktop connection hosted on the remote site.

    Now we have 2 Citrix server farms.

    The legacy Citrix server farm uses the MPLS connection.

    The new Citrix farm uses the internet.

  • Hi,

    If you have AD, the best setup is the following:

    Internal clients > internal DNS server > UTM > Internet

    Internal clients should all use the internal DNS server to resolve, e.g. via DHCP. There should be no internal client pointing to the UTM or to an external DNS server, e.g. 8.8.8.8.

    The internal DNS server should forward to the UTM for external DNS requests. The UTM should only allow the internal DNS server(s) on its DNS proxy, and not the clients.

    OPTIONAL: The UTM should also have request routing set up to resolve the internal domains. That way, it can resolve a host in your internal DNS zones without you having to enter a static entry on the UTM itself, and you only have to manage DNS (e.g. create static entries) in your internal DNS server. You may want to create reverse lookup request routing too with this. This just makes it more elegant.

    We find the above the best setup as we know that nobody can get out of our network via DNS even if they set themselves up statically. There are no DNS firewall rules, just simply the DNS servers allowed to query the UTM DNS proxy.

    Also in the UTM, with your external DNS servers, place them in an availability group rather than just a list.

    A word of caution:
    Think about how DNS should flow, e.g. internal clients should resolve to the internal DNS server for all internal DNS requests. This could even be for an external domain that you control, e.g. when road warriors are within your network they resolve the FQDN to the internal IP, whereas when they are outside the network they resolve the same FQDN to the external IP.

    Don't put request routing into the UTM for your external domain unless you are totally authoritative for that zone, i.e. you run a DNS server that allows external clients to resolve to it.
    Most people use an external DNS provider for this, and in this case the UTM should resolve to that provider for that zone and you edit your static entries there as you normally would.
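
The flow described in the answer above, as an added example that is not part of the original post and not Sophos code: a small Python model of UTM-style request routing (longest matching zone wins, reverse zones routed too, everything else to the external forwarder group) plus the DNS proxy allow-list that only admits the internal DNS servers. All zone names beyond example.com and remote.com, and all IP addresses, are constructed placeholders.

```python
"""Model of UTM-style DNS request routing (added example, not Sophos code)."""
from ipaddress import ip_network

# Constructed placeholder addresses: replace with your own resolvers.
INTERNAL_DNS = ["10.0.0.10", "10.0.0.11"]               # example.com AD DNS servers
REMOTE_DNS = ["10.8.0.10"]                               # remote.com AD DNS servers
EXTERNAL_FORWARDERS = ["198.51.100.1", "198.51.100.2"]   # availability group of external resolvers


def reverse_zone(cidr):
    """in-addr.arpa zone for an octet-aligned IPv4 network, e.g. 10.0.1.0/24 -> 1.0.10.in-addr.arpa."""
    net = ip_network(cidr)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 IPv4 reverse zones are supported")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


# Request routes: forward zones for both AD domains plus their reverse zones.
REQUEST_ROUTES = {
    "example.com": INTERNAL_DNS,
    "remote.com": REMOTE_DNS,
    reverse_zone("10.0.0.0/16"): INTERNAL_DNS,
    reverse_zone("10.8.0.0/16"): REMOTE_DNS,
}


def route_query(name, routes=REQUEST_ROUTES, forwarders=EXTERNAL_FORWARDERS):
    """Choose resolvers for a query: the longest matching request route wins;
    anything else (public names, an externally hosted zone) goes to the forwarders."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):          # most specific suffix first
        suffix = ".".join(labels[i:])
        if suffix in routes:
            return ("request_route", suffix, routes[suffix])
    return ("forwarder", None, forwarders)


def ptr_name(ip):
    """PTR query name for an IPv4 address, e.g. 10.8.1.25 -> 25.1.8.10.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


# DNS proxy 'allowed networks': only the internal DNS servers may query the UTM.
DNS_PROXY_ALLOWED = set(INTERNAL_DNS)


def proxy_accepts(src_ip, allowed=DNS_PROXY_ALLOWED):
    """True only for the internal DNS servers; a client pointing straight at the UTM is refused."""
    return src_ip in allowed
```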

  • If you are worried about performance, you can configure UTM to ignore remote.com traffic.

    • In transparent mode, you use a UTM skiplist.
    • In Standard mode, you make the exception in the proxy script.

    Based on my experience with remote access to Citrix, UTM bypass is recommended.

    Either ICA confused UTM, or UTM confused ICA. ICA is certainly not normal HTTPS.

    However, both the ICA client and UTM have changed over the last two years, so your experience may be different.

  • STAS authentication is already configured; currently using an XG as email MTA, while deciding to try the UTM as the primary firewall.

    It's weird the way DNS is working; not all the time do my wireless clients actually use a DNS server from remote.com.

    That is probably an active issue; my local DNS has the servers for remote.com as well as the local DNS servers.

    Both sites have their subnets together when you look at Active Directory Sites and Services.

    Right now the legacy Citrix farm is routed to remote.com via the internal router with the incoming MPLS connection. The new Citrix farm goes out through the internet to access remote.com.

    I just had a user log on to a server in the datacenter to run a report on the server that took 5 minutes to run. If he runs the report on his PC, it takes up to 2 hours to run.