
Placing a Public DNS server on the inside interface of PIX 506E

Hello Everyone,

What is the most effective way to move an existing Active Directory based DNS name server to the inside network of the PIX?
Is this doable? What are the pros and cons of it?

Can someone provide a walkthrough of this configuration?

Here is a basic diagram of the current configuration:
<internet>---<ISP Router>---<Switch>
                              --> 1). AD with AD integrated DNS - used as primary name server
                              --> 2). S - AD with AD integrated DNS - used as secondary name server
                              --> 3). PIX 506E
                                     ---> Web servers and mail servers on the inside network with static NAT on them.

Since we use AD with integrated DNS for name resolution for the many domains that are hosted, what is the most reliable method here?
Can you use DNS doctoring on the PIX if you move the AD servers inside?
1 Solution
 
lrmooreCommented:
AD DNS should be internal only.
Public DNS should be external only.
Never should the two be on the same system.
AD DNS servers can service internal users with root hints only.
AD DNS servers cannot service the public with public IPs and internal users with internal private IPs.
Get used to the idea that these are two very distinct and different services.

DNS doctoring does *NOT* work if the DNS server is internal.
0
 
tssivaAuthor Commented:
So, in this case, the external DNS server should just handle DNS?
How would you secure your external DNS servers?
0
 
lrmooreCommented:
Yes, external DNS servers only handle DNS and nothing more. It does not take a lot of muscle or horsepower, so a very small server would be fine. Otherwise you can always have your ISP be the primary DNS for your domain.

If I had my own (you need two for a fully registered domain), then I would put them in a DMZ and only open UDP port 53 to them through the firewall.
The DNS fixup protocol feature of the PIX reduces threats, and putting them in the DMZ keeps the PIX as a buffer.
0
 
tssivaAuthor Commented:
So in this case would I need a DMZ-capable PIX model like the 515E, or can this be done on the 506E using the virtual interfaces?
0
 
lrmooreCommented:
You can use virtual interfaces on the 506e to create a DMZ
0
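The following is an added example, not lrmoore's promised walkthrough and not taken from the original thread: a PIX 6.3 configuration sketch of what this reply describes, a DMZ on a 506E built as a VLAN logical interface on ethernet1, with the two public name servers from the earlier reply placed in it and only DNS permitted to them from the outside. Logical interfaces require PIX 6.3 or later, and the 506E supports only a limited number of them. The interface names, VLAN number, access-list names and all IP addresses are assumptions (documentation address ranges), and the lines beginning with `!` are annotations rather than configuration.

```text
! ethernet0 = outside, ethernet1 = 802.1Q trunk to the switch
! Untagged traffic on ethernet1 remains the inside LAN; VLAN 10 becomes the DMZ
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan10 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 dmz security50
! Addresses are assumptions, not the poster's
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
! The DNS fixup inspects port 53 and caps reply size; with it enabled the PIX
! rewrites A records that match a static (the "DNS doctoring" asked about)
fixup protocol dns maximum-length 512
! One public address per DMZ name server (two are needed for a registered domain)
static (dmz,outside) 203.0.113.3 192.168.10.53 netmask 255.255.255.255
static (dmz,outside) 203.0.113.4 192.168.10.54 netmask 255.255.255.255
! Inbound from the Internet: DNS to the two name servers and nothing else.
! TCP 53 is included alongside UDP 53 for zone transfers and replies over 512 bytes.
access-list outside_in permit udp any host 203.0.113.3 eq domain
access-list outside_in permit tcp any host 203.0.113.3 eq domain
access-list outside_in permit udp any host 203.0.113.4 eq domain
access-list outside_in permit tcp any host 203.0.113.4 eq domain
access-group outside_in in interface outside
! DMZ servers may resolve outward but may never initiate into the inside LAN,
! where the AD-integrated DNS servers stay and get no static at all
access-list dmz_out deny ip any 192.168.1.0 255.255.255.0
access-list dmz_out permit udp any any eq domain
access-list dmz_out permit tcp any any eq domain
access-group dmz_out in interface dmz
! Inside hosts PAT out on the outside address; the DMZ servers use their statics
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
```

Two points the thread does not state: the switch port facing ethernet1 has to be configured as an 802.1Q trunk that carries the DMZ VLAN, otherwise the logical interface never sees any traffic, and TCP 53 is opened in addition to the UDP 53 mentioned in the earlier reply because a secondary pulls zone transfers from the primary over TCP and any answer larger than 512 bytes falls back to TCP as well.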
 
tssivaAuthor Commented:
Can you provide the steps to do this? If you want, I can post this as a separate question and give you the points. Please let me know.

Thanks.
0
 
lrmooreCommented:
Please post as a new question. I'll be happy to provide step-by-step.
0
 