DC and DNS attached to LAN

Posted on 2005-04-26
Last Modified: 2010-04-18
Hi all,
I have a domain controller which is also a DNS server for internal name resolution. I want to allow clients to connect to the internet, i.e. they should be able to resolve external names (e.g.
Is it secure to configure my DNS with the ISP's DNS (as a forwarder), knowing that my DNS is attached to the LAN port of the firewall (and not to the DMZ port)?
Normally, we have a forwarder attached to the DMZ, and this one will again have a forwarder, which is the ISP's DNS.
Question by:sunreflex4
    LVL 9

    Expert Comment

    Nothing in this world is secure, but I personally would have no problem with your proposed configuration. Another solution would be to include the ISP's DNS in the DHCP scope settings that are given to the clients if you do not want your DNS to make queries out.
    LVL 51

    Expert Comment

    Setup Forwarding to your ISP from your DNS server.

    Do not give the clients any DNS server addresses other than your own or you'll end up with AD issues if the clients attempt to use the ISP's DNS rather than your own.

    LVL 9

    Expert Comment

    True if the ISP DNS is before your own in the DNS search order, but still go with the recommendation of Netman66; it is the most sensible thing to do.
    LVL 13

    Expert Comment

    You should NEVER put ISP DNS entries in your IP config if you are under a domain.  It will always cause problems.  And you don't protect anything since you still share a common IP address.  Just place a forwarder if you want to and be done with it.  No need for a DMZ in this scenario unless you want to protect an open service from the potential of being hacked and compromising your entire network.
    LVL 20

    Accepted Solution

    Netman66 is correct, set up the forwarding on your internal DNS server to go to your ISP's DNS. HOWEVER, I would create a rule on your firewall that only allows UDP 53 outbound from your internal DNS server's IP address. That way your clients cannot bypass your DNS setup. It also ensures that only query-related traffic will go out your firewall, and not zone transfers.
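The configuration the thread converges on (the original question and the accepted solution above) has three parts: the DC's DNS forwards to the ISP, DHCP hands clients only the internal DNS, and the perimeter firewall lets only the DNS server's address talk to port 53 outside. The PowerShell below is an added example, not code from any of the posters; every address, the DHCP scope ID and the test name are assumed placeholders, and the cmdlets are the DnsServer and DhcpServer modules shipped with Windows Server 2012 and later (the 2005-era equivalent on the DNS side was `dnscmd /ResetForwarders`). One caveat on the firewall rule itself: a UDP-only rule also stops the server retrying an answer over TCP when a UDP response comes back truncated, so if you find large answers failing, allow TCP/53 outbound from the same single source address while keeping inbound TCP/53 closed (a zone transfer of your own zone would arrive as an inbound TCP connection).

```powershell
# Added example (not from the thread): make the internal DC/DNS the only resolver clients
# use, forward external names to the ISP, and verify the setup from a LAN client.
# All addresses, the scope ID and the DNS name below are assumed placeholders.

$IspForwarders = @('203.0.113.53', '203.0.113.54')   # assumed ISP resolvers (TEST-NET-3 range)
$InternalDns   = '192.168.10.5'                       # assumed DC/DNS server on the LAN port
$ScopeId       = '192.168.10.0'                       # assumed DHCP scope for the LAN clients
$TestName      = 'www.example.com'                    # assumed external name to resolve

# --- On the DC/DNS server: forward everything it is not authoritative for to the ISP ---
# Set- replaces the whole forwarder list, so stale entries from earlier experiments disappear.
Set-DnsServerForwarder -IPAddress $IspForwarders -UseRootHint $false -Timeout 3 -PassThru
# -UseRootHint $false makes the server forward-only: if the ISP resolvers are down the
# lookup fails instead of the DC recursing from the root hints itself, so the forwarder
# path is the only DNS traffic that ever needs to leave the LAN.
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout

# --- On the DHCP server: hand clients the internal DNS only (DHCP option 6) ---
# Giving clients the ISP resolver as well is what breaks AD (SRV lookups for the domain
# go to a server that has never heard of it), which is the point Netman66 makes.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $InternalDns
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6 | Select-Object -ExpandProperty Value

# --- From a LAN client: prove that resolution works through the DC and that the ISP
#     resolvers cannot be reached directly, i.e. the outbound UDP/53 rule is enforced ---
# Expected to succeed: the client asks the DC, the DC forwards to the ISP.
Resolve-DnsName -Name $TestName -Server $InternalDns -Type A -DnsOnly -ErrorAction Stop |
    Select-Object Name, IPAddress

# Expected to fail with a timeout: the client bypasses the DC and asks the ISP directly.
try {
    Resolve-DnsName -Name $TestName -Server $IspForwarders[0] -Type A -DnsOnly -ErrorAction Stop
    Write-Warning "Direct query to $($IspForwarders[0]) succeeded: clients can bypass the internal DNS."
} catch {
    Write-Output "Direct query to $($IspForwarders[0]) failed as intended: $($_.Exception.Message)"
}
```

Run the first two sections on the DC and DHCP server respectively (or add `-ComputerName` to each cmdlet from an admin workstation), and the last section on an ordinary domain member. If the direct query to the ISP resolver succeeds, the firewall rule is not matching: check that it is keyed on the DNS server's source address and not just on the port.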


    Author Comment

    Well, all answers were helpful, so thanks everybody
