Solved

Simple question about DNS and firewalls

Posted on 2008-06-19
2
196 Views
Last Modified: 2010-04-07
This is a basic question about how DNS servers communicate with the outside world when firewalled.

My understanding is that DNS servers are supposed to be placed behind a hardware firewall. They should not be firewalled themselves. This allows them to communicate freely with machines in a local subnet.  

Suppose I have a collection of IIS servers with a bunch of websites. These websites use domain names and name resolution is being provided my DNS servers.

Given the fact that the boxes running DNS services are behind a firewall, there are one of two ways I can see how this works:

possibility a) all requests involving name resolution are being routed from the IIS server to my services running DNS. The IIS boxes are publicly exposed, the DNS boxes are not.

possiiblity b) there is some limited port open or communication between the DNS box and the outside world.

I'm finding this a bit confusing because if scenario a) is true it introduces a systemic dependency on those IIS boxes, and it also makes it hard to understand how widely distributed things involving DNS -- say, DFS file replication  -- works properly if the primary actors of that are behind hardware firewalls.

Thanks...
0
Comment
Question by:kennethfine
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 250 total points
ID: 21825215
I doubt either is true. If you don't have the DNS port 53 forwarded through the firewall to one of your DNS servers, then an external DNS system is resolving requests for the IP addresses of your IIS web servers. Only internal requests on the LAN will be resolved by the internal DNS servers because they are local and will be using the Active Directory DNS servers as their preferred servers.

Usually, you will have your DNS for external web domains hosted at either the web host, ISP or at a provider which you have brought in specifically to provide your DNS.

-tigermatt
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21825291
Thanks kennethfine!
--tigermatt
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Let's recap what we learned from yesterday's Skyport Systems webinar.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question