DC and DNS attached to LAN

Hi all,
I have a domain controller which is also a DNS for internal name resolutions. I want to allow clients to connect to the internet, i.e. they should be to resolve external names (e.g. google.com).
Is it secure to configure my DNS with the ISP's DNS (as a forwarder), knowing that my DNS is attached to the LAN port of the firewall (and not to the DMZ port)?
Normally, we have a forwarder attached to the DMZ, and this one will have againa forwarder which is the ISP's DNS.
Who is Participating?
BrianConnect With a Mentor IT ManagerCommented:
Netman66 is correct, set up the forwarding on your internal DNS server to go to your ISP's DNS HOWEVER I would create a rule on your firewall that only allows UDP 53 outbound from your internal DNS servers IP address.  That way your clients cannot bypass your DNS setup.  It also ensures that only query related traffic will go out your firewall on not zone transfers.

Nothing in this world is secure, but I personally would have no problem with your proposed configuration. Another solution would be to include the ISP's DNS in the DHCP scope settings that is given to the clients if you do not want your DNS to make querys out.
Setup Forwarding to your ISP from your DNS server.

Do not give the clients any DNS server addresses other than your own or you'll end up with AD issues if the clients attempt to use the ISP's DNS rather than your own.

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

True if ISP DNS is before your own in DNS search order, but still go with recomendation ofn Netman66 it is the most sensible thing to do
You should NEVER put ISP DNS entries in your IP config if you are under a domain.  It will always cause problems.  And you don't protect anything since you still share a common IP address.  Just place a forwarder if you want to and be done with it.  No need for a DMZ in this scenario unless you want to protect an open service from the potential of being hacked and compromising your entire network.
sunreflex4Author Commented:
Well, all answers were helpful, so thanks everybody
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.