Is it a security risk to use your lan dns server for you dns in your router

Is it a serious security risk to use your Lan DNS Server for the DNS in your edge router... I have several servers and services running on my lan... My purpose in doing this is when my WAN dns (I subscribed to) directs traffic to my WAN address. Currently I use Porting to direct all traffic to a specific server. IE. all port 80 traffic goes to one Specific Server.  However, this is a slight problem because it mean that the router is not taking in consideration what I have for my "domain.com" LAN DNS. Therefore, if I had a web server say on *.*.*.250 and an Exchange server on *.*.*.252 all incoming traffic is currently going to follow my "Port" Rule in my router and will not take in consideration that my internal dns says that my (mail.domain.com should go to *.*.*.252 and my www.domain.com should go to *.*.*.250). However, internally if I type my www or mail they go to the correct servers. I understand why the problem exists.... Just merely want to know if it is possible and how risky it is to use my internal dns on the router and then use the forwarders on my dns server to send my internal traffic outward.

Hope this makes sense.  This is not something I am going to immediately try... just something I have been thinking about and wondering the overall result.


bkreadyAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jian An LimSolutions ArchitectCommented:


1. your router DNS is just a pointer. it do not resolved to google or what so ever.
2. your router DNS do not resolved required the ability to browse the internet.

only thing that might raise up is what IF your internal DNS server down. what is your consequence?
what will not working.?


So it depends on what your router DNS is doing. For me, i only see it works very little unless the router is doing something that i do not know
0
bkreadyAuthor Commented:
With all due respect your comment makes no sense. If your saying a routers DNS does very little then what difference does it make if my internal DNS went down.... if that was the case I would have much bigger problems then simply the routers dns itself! My domain would be in sad shape...however that being said I have 2 backup DNS Servers on my network... the probability of all 3 going down is slim I am quite sure of that! All 3 are are listed in the DHCP Scope options. So all my workstations should never be without a good dns server unless severe other hardware failures occur but that isn't the point of my original question. I simply want to know whether putting my Internal DNS server in my router will direct traffic instead of using porting... and 2nd'ly is it a major security risk if I were to do this. It has already been decided that we are not doing this, but I still want to know if my idea would work.

 
0
Jian An LimSolutions ArchitectCommented:
Okay, let start from beginning ..
you have
web server say on *.*.*.250
an Exchange server on *.*.*.252


you have 1 Public IP address

so when outside they trying to find you on www.mydomain.com or mail.mydomain.com it will point to <XX.XX.XX.XX>

So far i am getting it right?

you only have 1 port 443 open ... so if you want to put www.mydomain.com on port 80, and redirect mail.mydomain.com to port 443. it is a port redirection

I misread the idea what you want.. so you are right. Putting the internal DNS in your WAN router do not able to spilt the traffic to the right location.


0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Dave HoweSoftware and Hardware EngineerCommented:
 No, there are no real issues there.

  About the only consideration you have is DNS poisoning, which still affects (patched) DNS servers passing though a dynamic NAT, and you have that problem anyhow (regardless of where you point your router's dns resolution) - provided you are using your ISP's resolvers though rather than walking the tree yourself, that is a non-issue (well, you are offloading the problem onto your ISP, but it amounts to the same thing)

  DNS resolution on the edge router itself is very rarely used anyhow - unless you are running some sort of proxy on there, it works almost exclusively on the IP level.

  One consideration, and why many home setups use an edge router as the authoritative forward target for their internal (LAN) dns, is that the ISP may dynamically assign an IP and DNS during their channel negotiation (from the edge router) in xDSL setups, and if that changes, dns may mysteriously fail (because your hardcoded  settings are no longer correct for your new IP after a isp-side change) - however, this is rare, and can usually be guarded against by adding something like opendns as as second forward target in your real dns server.
0
DawilliamsCommented:
A proper configuration would have the DNS in the DHCP options,DNS server point to itself,and forwarders point to the isp's DNS servers, putting you internal DNS server in the router config makes no sense and most likely would poison dns or not work at all. All forwarding from your router to the internal Lan would be done at the port level  www.mydomain.com:80 > 192.168.10.1:250, mail.mydomain.com :443 > 192.168.10.1.443 or could be done on a host header level.
As to the question no most likley there is no security issue, but I would keep my internal DNS as Internal as possible IE not on an edge router
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dave HoweSoftware and Hardware EngineerCommented:
I am still wondering what he is running on the edge router that it would *care* where it got dns from :)
0
DawilliamsCommented:
I may be wrong, and I mean no offense but I believe he either mistyped or misses the process that happens on the router, I agree there is no DNS function going on it merley points to the next hop, or does processing. based on the ACL.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.