Is it a security risk to use your LAN DNS server for your DNS in your router?

Posted on 2008-11-19
Last Modified: 2013-12-04
Is it a serious security risk to use your LAN DNS server for the DNS in your edge router? I have several servers and services running on my LAN. My purpose in doing this is for when my WAN DNS (which I subscribe to) directs traffic to my WAN address. Currently I use porting to direct all traffic to a specific server, i.e. all port 80 traffic goes to one specific server. However, this is a slight problem because it means that the router is not taking into consideration what I have for my "domain.com" LAN DNS. Therefore, if I had a web server on, say, *.*.*.250 and an Exchange server on *.*.*.252, all incoming traffic is currently going to follow my "port" rule in my router and will not take into consideration that my internal DNS says that mail.domain.com should go to *.*.*.252 and www.domain.com should go to *.*.*.250. However, internally if I type www or mail they go to the correct servers. I understand why the problem exists... I merely want to know if it is possible, and how risky it is, to use my internal DNS on the router and then use the forwarders on my DNS server to send my internal traffic outward.

Hope this makes sense. This is not something I am going to immediately try... just something I have been thinking about and wondering about the overall result.


Question by: bkready
Expert Comment by: Jian An Lim
ID: 23000545

1. Your router DNS is just a pointer. It does not resolve to Google or whatsoever.
2. Your router DNS does not do the resolving required for the ability to browse the internet.

The only thing that might come up is: what if your internal DNS server goes down? What is the consequence? What will not work?

So it depends on what your router DNS is doing. For me, I only see it doing very little, unless the router is doing something that I do not know of.
Author Comment by: bkready
ID: 23001124
With all due respect, your comment makes no sense. If you're saying a router's DNS does very little, then what difference does it make if my internal DNS went down? If that were the case I would have much bigger problems than simply the router's DNS itself! My domain would be in sad shape... however, that being said, I have 2 backup DNS servers on my network; the probability of all 3 going down is slim, I am quite sure of that! All 3 are listed in the DHCP scope options, so all my workstations should never be without a good DNS server unless other severe hardware failures occur, but that isn't the point of my original question. I simply want to know whether putting my internal DNS server in my router will direct traffic instead of using porting, and secondly, whether it is a major security risk if I were to do this. It has already been decided that we are not doing this, but I still want to know if my idea would work.

Expert Comment by: Jian An Lim
ID: 23001156
Okay, let's start from the beginning...
You have:
a web server, say on *.*.*.250
an Exchange server on *.*.*.252

You have 1 public IP address.

So when people outside try to find you on www.mydomain.com or mail.mydomain.com, it will point to <XX.XX.XX.XX>.

So far, am I getting it right?

You only have 1 port 443 open... so if you want to put www.mydomain.com on port 80 and redirect mail.mydomain.com to port 443, it is a port redirection.

I misread what you wanted, so you are right. Putting the internal DNS in your WAN router is not able to split the traffic to the right location.
Expert Comment by: Dave Howe
ID: 23001983
No, there are no real issues there.

About the only consideration you have is DNS poisoning, which still affects (patched) DNS servers passing through a dynamic NAT, and you have that problem anyhow (regardless of where you point your router's DNS resolution). Provided you are using your ISP's resolvers, though, rather than walking the tree yourself, that is a non-issue (well, you are offloading the problem onto your ISP, but it amounts to the same thing).

DNS resolution on the edge router itself is very rarely used anyhow; unless you are running some sort of proxy on there, it works almost exclusively at the IP level.

One consideration, and why many home setups use an edge router as the authoritative forward target for their internal (LAN) DNS, is that the ISP may dynamically assign an IP and DNS during their channel negotiation (from the edge router) in xDSL setups, and if that changes, DNS may mysteriously fail (because your hardcoded settings are no longer correct for your new IP after an ISP-side change). However, this is rare, and can usually be guarded against by adding something like OpenDNS as a second forward target in your real DNS server.
Accepted Solution by: Dawilliams (earned 825 total points)
ID: 23004753
A proper configuration would have the DNS in the DHCP options, the DNS server pointing to itself, and forwarders pointing to the ISP's DNS servers. Putting your internal DNS server in the router config makes no sense and most likely would poison DNS or not work at all. All forwarding from your router to the internal LAN would be done at the port level: www.mydomain.com:80 > 192.168.10.1:250, mail.mydomain.com:443 > 192.168.10.1:443, or could be done on a host header level.
As to the question: no, most likely there is no security issue, but I would keep my internal DNS as internal as possible, i.e. not on an edge router.
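The "host header level" split the accepted answer mentions, as an added example that is not from the thread: a router's port-forward table sees only the destination port, so both hostnames land on the same backend, while an HTTP reverse proxy on the LAN can read the Host header and choose between the web and Exchange servers. All addresses, hostnames and requests below are constructed placeholders.

```python
from typing import Optional

# What a NAT/port-forward rule sees: only the destination port. The name the
# client typed was resolved to the public IP before the packet was sent, so
# one rule per port is all the router can express. Constructed addresses.
PORT_FORWARDS = {80: "192.0.2.250", 443: "192.0.2.250"}

# What an HTTP reverse proxy on the LAN sees: the Host header. Constructed
# placeholder names standing in for the thread's *.*.*.250 / *.*.*.252 split.
HOST_BACKENDS = {
    "www.example.com": "192.0.2.250",
    "mail.example.com": "192.0.2.252",  # e.g. OWA over HTTPS, not SMTP
}


def route_by_port(dst_port: int) -> Optional[str]:
    """Router behaviour: the hostname is simply not available at this layer."""
    return PORT_FORWARDS.get(dst_port)


def parse_host_header(raw_request: bytes) -> Optional[str]:
    """Return the Host header value, lower-cased with any :port removed."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            # Strip a port unless this is a bracketed IPv6 literal without one.
            if ":" in host and not host.endswith("]"):
                host = host.rsplit(":", 1)[0]
            return host or None
    return None


def route_by_host(raw_request: bytes) -> Optional[str]:
    """Proxy behaviour: pick the backend from Host. An absent or unknown Host
    yields None (reject) instead of a default backend, so a forged Host header
    cannot steer a request to a server it was not meant for."""
    host = parse_host_header(raw_request)
    return HOST_BACKENDS.get(host) if host else None


def demo() -> dict:
    """Constructed requests: both arrive on the same public IP and port 443."""
    www = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    owa = b"GET /owa HTTP/1.1\r\nHost: mail.example.com:443\r\n\r\n"
    return {
        "port_rule_www": route_by_port(443),    # same answer for both...
        "port_rule_owa": route_by_port(443),    # ...the router cannot tell them apart
        "host_rule_www": route_by_host(www),
        "host_rule_owa": route_by_host(owa),
    }
```

This only helps for HTTP(S); SMTP to the Exchange server carries no Host header, so that traffic still has to be split by port (or by a separate public address) at the router.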
Expert Comment by: Dave Howe
ID: 23005263
I am still wondering what he is running on the edge router that it would *care* where it got dns from :)
Expert Comment by: Dawilliams
ID: 23005367
I may be wrong, and I mean no offense, but I believe he either mistyped or misses the process that happens on the router. I agree there is no DNS function going on; it merely points to the next hop, or does processing based on the ACL.