Scribd
Upload
113 views6 pages

DMZ DNS Configuration Best Practice - TechRepublic

The document discusses DNS configuration best practices for a DMZ network. It describes the existing DNS setup which includes internal and DMZ DNS servers. The DMZ DNS servers host internal DNS records and the Exchange server authenticates to internal domain controllers. The responses discuss whether the DMZ DNS setup is appropriate and provide recommendations to improve the security of the DNS and Active Directory configurations.

Uploaded by

Akram Alqadasi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
113 views6 pages

DMZ DNS Configuration Best Practice - TechRepublic

The document discusses DNS configuration best practices for a DMZ network. It describes the existing DNS setup which includes internal and DMZ DNS servers. The DMZ DNS servers host internal DNS records and the Exchange server authenticates to internal domain controllers. The responses discuss whether the DMZ DNS setup is appropriate and provide recommendations to improve the security of the DNS and Active Directory configurations.

Uploaded by

Akram Alqadasi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 6

Join /

More Newsletters Forums Resource Library Sign In Search

Networks
REGISTER NOW or LOG IN to post

QUESTION

August 7, 2009 at 11:39 am #2199754

LOCKED

DMZ DNS configuration best practice


by mwoods269
· about 12 years, 8 months ago

Hello all,

I just inherited a network where they are using public IPs for everything in the DMZ. The firewall is configured in “drop in”
mode and all DMZ servers have public IP’s.

My question is in regards to configuring DMZ DNS servers. Our exchange server is in the DMZ and authenicates to internal
DC’s. This servers primary dns points to internal dns server and it’s secondary points to a dmz dns server. Can you tell me
what the configuraton would look like for this setup.

The DMZ dns servers are configured with our internal dns zone records for our 2 interal DC’s. Isn’t it a bad thing to host
internal dns records on public facing servers?

Please help!


This conversation is currently closed to new comments.

ALL ANSWERS

August 7, 2009 at 11:39 am #3003677

Clarifications
by mwoods269
· about 12 years, 8 months ago
In reply to DMZ DNS configuration best practice

Clarifications

August 7, 2009 at 11:46 am #3003674

Are you sure?


by cg it
· about 12 years, 8 months ago
In reply to DMZ DNS configuration best practice
Join /
More Newsletters Forums Resource Library Search
Sign In
check with your domain name registar on who [what servers] are the authoritative Name Servers for your domain name [there
should be two]. If your DMZ DNS servers are the authoritative name servers for your domain name, then they should be in the
DMZ. They will also provide the Alias translation between public and private names.

Next ask yourself if your Exchange Server is in the DMZ, is it configured as a Bridgehead or a Front End Exchange?

Last question you should ask yourself is, are non DMZ DNS servers domain name public or private.

Armed with answers to those questions, how the network is configured might make sense.

August 10, 2009 at 11:54 am #3003810

Summary of network
by mwoods269
· about 12 years, 8 months ago
In reply to DMZ DNS configuration best practice

OK here is what I am dealing with:

Fatpipe ISP load balancer hosting external DNS records for our domain

2 – DMZ DNS servers

– no forwarders configured

– zone transfers all from any server for the internal .local zone

– hosts forward lookup zones for DMZ as well as our internal resources

– both point to themselves for DNS and to the Fatpipe for secondary dns

2 – internal dns servers

– forwarders set to ISP dns servers

– both point to themselves for dns and to each other for secondary dns

– both contain zones for internal and dmz resources

– both have A records for DMZ hosts

– zone transfers to servers listed in name servers tab (2 internal and 1 dmz

I hope this helps get us started.

The Exchange server is standalone and serving email for our users.

August 10, 2009 at 1:27 pm #3003766

DNS on DMZ
by cg it
· about 12 years, 8 months ago
In reply to Summary of network

Quick and Dirty:

typically DNS servers in a DMZ [meaning behind the perimeter firewall and in front of the local network firewall,
typically are for authoritative name servers for a FQDN. These authoritative name servers provide public address to
FQDN resolution for Internet WhoIs queries. These DNS servers can also provide alias support for the local network in
translating a public name to a private name eg .com to a .local
DNS servers behind the local network firewall provide local network name to address resolution for local network
More Newsletters Forums Resource Library Join / Search
queries. Typically in an Active Directory or Directory Services environment. Sign In

When the local DNS server can not answer queries they forward that query to other name servers for resolution.
Example, a web site using your FQDN .com can’t be answered by your internal DNS servers because they can only
resolve a private name .local to an address. So it forward those to the Internet root-hint servers. These servers put out
a WhoIs query eg. WhoIs .com if your DMZ DNS servers are the authoritative DNS servers for your domain name, they
answer the query .com = your public IP address. Therefore the answer to the query is your public IP address. Traffic is
then sent to that address over the specific protocol port. example you host your web site .com on a web server in your
DMZ. Traffic would be sent to your public IP address over port 80. you forward that port traffic [port 80] through your
perimeter router to your web server which will then provide the web page.

So this is why in my original post I asked, are you sure? DNS servers in a DMZ play a role if those DNS servers are the
authoritative DNS for your public domain name. They provide name to public address resolution for your FQDN.
Without that, no one would know that FQDN domain.com is your public IP address and then send traffic to you such as
email.

August 10, 2009 at 2:03 pm #3003746

Well Explained v/ v/
by robo_dev
· about 12 years, 8 months ago
In reply to DNS on DMZ

And, call me crazy, but there are significant security risks to exactly how your expose DNS and AD to your DMZ.

Since LDAP, by default, is not encrypted, you really need to look at technology such as ADFS (Active Directory
Federated Services) to effectively ‘proxify’ and sign/encrypt AD LDAP traffic to/from DMZ.

Of course the best answer is to ‘say no’ and not allow AD to cross the firewall in the first place….

August 10, 2009 at 3:18 pm #3004385

Yep!! big hole…


by cg it
· about 12 years, 8 months ago
In reply to Well Explained v/ v/

AD DNS really doesn’t have to cross into the DMZ. AD only need DNS for the local LAN. Doesn’t care about
anything else.

Viewing 2 reply threads

Search our forums

START OR SEARCH
START NEW DISCUSSION Join /
More Newsletters Forums Resource Library Search
Sign In

Search our forums

WHITE PAPERS, WEBCASTS, AND DOWNLOADS

Work Smarter with Wrike


Resource Center from Wrike

CLAIM YOUR FREE TRIAL

Stay Productive and Connected in a Hybrid World


White Papers from Ebuyer Business

DOWNLOAD NOW

New Solutions for Endpoint Management


White Papers from Ebuyer Business

DOWNLOAD NOW

Automate Tasks in Excel & Handle Data Like a Certified Pro


Training from TechRepublic Academy

LEARN MORE

Become an Ethical Hacker Bonus Bundle


Training from TechRepublic Academy

LEARN MORE

RELATED DISCUSSIONS

DSL speed and resuming


jhoncarry
· about 2 days, 8 hours ago

Wi-Fi access point with limited web traffic


_maxim_
· about 6 days, 15 hours ago

how to set http proxy on adsl modem


senatorpc
· about 1 week, 1 day ago

wifi router settings for compressor with web server


seanrubes
· about 1 week, 4 days ago

Managed Cisco POE+ reccomendations


chinson-pdx
· about 3 weeks, 2 days ago

RELATED FORUMS

Desktop · 25,132 discussions


Laptops · 2,619 discussions Join /
More Newsletters Forums Resource Library Search
Sign In
Hardware · 18,937 discussions

Networks · 41,354 discussions

Storage · 2,060 discussions

Peripheral · 2,114 discussions

WHITE PAPERS, WEBCASTS, AND DOWNLOADS

Work Smarter with Wrike


Resource Center from Wrike

CLAIM YOUR FREE TRIAL

New Solutions for Endpoint Management


White Papers from Ebuyer Business

DOWNLOAD NOW

Stay Productive and Connected in a Hybrid World


White Papers from Ebuyer Business

DOWNLOAD NOW

The Machine Learning and Artificial Intelligence Bundle


Training from TechRepublic Academy

LEARN MORE

Top Story of the Day


If you can only read one tech story a day,
this is it.

Email Address

Please select your country.


 

I agree to the
Terms of Use
and
Privacy Policy
. I understand I will
receive a complimentary subscription to TechRepublic's News and
Special Offers newsletter, and Top Story of the Day newsletter (you
can opt out at any time).

S b ib
Join /
More Newsletters Forums Resource Library Sign In Search

Software Procurement Policy

How to recruit and hire a Security Analyst

How to recruit and hire a DevOps engineer

How to recruit and hire a video game quest writer

SERVICES

About Us FAQ

Membership Advertise

Newsletters Do Not Sell My Information

RSS Feeds

Site Map

Site Help & Feedback

EXPLORE

Downloads Resource Library

TechRepublic Forums Photos

Meet the Team Videos

TechRepublic Academy

TechRepublic Premium

© 2022 TechnologyAdvice. All rights reserved.


Privacy Policy Terms of Use Property of TechnologyAdvice

You might also like