• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 221

DC and DNS attached to LAN

Hi all,
I have a domain controller which is also a DNS for internal name resolutions. I want to allow clients to connect to the internet, i.e. they should be able to resolve external names (e.g. google.com).
Is it secure to configure my DNS with the ISP's DNS (as a forwarder), knowing that my DNS is attached to the LAN port of the firewall (and not to the DMZ port)?
Normally, we have a forwarder attached to the DMZ, and this one will again have a forwarder, which is the ISP's DNS.
1 Solution
Nothing in this world is secure, but I personally would have no problem with your proposed configuration. Another solution would be to include the ISP's DNS in the DHCP scope settings that are given to the clients if you do not want your DNS to make queries out.
Set up forwarding to your ISP from your DNS server.

Do not give the clients any DNS server addresses other than your own or you'll end up with AD issues if the clients attempt to use the ISP's DNS rather than your own.

True if the ISP DNS is before your own in the DNS search order, but still go with the recommendation of Netman66; it is the most sensible thing to do.

You should NEVER put ISP DNS entries in your IP config if you are under a domain.  It will always cause problems.  And you don't protect anything since you still share a common IP address.  Just place a forwarder if you want to and be done with it.  No need for a DMZ in this scenario unless you want to protect an open service from the potential of being hacked and compromising your entire network.
Netman66 is correct, set up the forwarding on your internal DNS server to go to your ISP's DNS. HOWEVER, I would create a rule on your firewall that only allows UDP 53 outbound from your internal DNS server's IP address.  That way your clients cannot bypass your DNS setup.  It also ensures that only query related traffic will go out your firewall and not zone transfers.
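
Putting the thread's recommendation into practice on a Windows DC that hosts DNS and DHCP, as an added example that is not from any poster here: forward only to the ISP resolvers, hand clients nothing but the internal DNS server, and verify both. The ISP addresses, scope, domain and server IP below are placeholders to replace; the edge-firewall rule for outbound port 53 is configured on the firewall itself and is not shown.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the DC.
# All addresses and names are placeholders (RFC 5737 test ranges); replace them.
$IspForwarders = @('203.0.113.53', '203.0.113.54')  # ISP resolvers (placeholder)
$InternalDns   = '192.0.2.10'                        # this DC's LAN address (placeholder)
$ScopeId       = '192.0.2.0'                         # DHCP scope for client leases (placeholder)
$AdDomain      = 'corp.example'                      # AD DNS domain (placeholder)

Import-Module DnsServer
Import-Module DhcpServer

# 1. Replace the forwarder list with the ISP resolvers only. Turning off the
#    root-hint fallback means the DC never queries arbitrary Internet servers
#    if both forwarders time out; it simply fails the lookup instead.
Set-DnsServerForwarder -IPAddress $IspForwarders -UseRootHint $false -Timeout 3

# 2. DHCP option 006: clients get ONLY the internal DNS server, never the
#    ISP's, so AD SRV lookups always reach the DC and nothing bypasses the
#    forwarder (the point made repeatedly in the thread).
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $InternalDns -DnsDomain $AdDomain

# 3. Check that the scope hands out nothing but the internal resolver.
$optionDns = (Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6).Value
$leak = $optionDns | Where-Object { $_ -ne $InternalDns }
if ($leak) {
    Write-Warning "Scope $ScopeId still hands out non-internal DNS: $($leak -join ', ')"
}

# 4. Show the resulting forwarder settings and prove an external name resolves
#    through the DC itself (-DnsOnly skips the local cache and hosts file).
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout
Resolve-DnsName -Name 'google.com' -Server $InternalDns -Type A -DnsOnly
```

If the last command fails after the change, the outbound port 53 rule on the firewall is the first thing to check, since the DC is now the only host that should be allowed to reach the ISP resolvers.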

sunreflex4 (Author) commented:
Well, all answers were helpful, so thanks everybody
