Solved

Resolving External DNS request with Internal DNS

Posted on 2009-04-09
Last Modified: 2012-05-06
We are planning to put web servers in the DMZ.
We have an AD domain internally. We don't have public DNS in the DMZ or at the ISP.
We just have registered Public IPs.
Is it possible to resolve external requests from the internal DNS without incurring any security risk?

Thanks
Question by:jskfan
7 Comments

Assisted Solution

by:boat_anker
boat_anker earned 100 total points
ID: 24106466
I would recommend putting a DNS server in the DMZ to resolve the external requests.

Any time you open a port you increase the risk

Assisted Solution

by:brittonv
brittonv earned 100 total points
ID: 24106486
The quick answer is "not really."

Regardless, if I were you, there are 2 options.

Use the DNS server of your domain registrar.  Most of them now have managed DNS services.

Secondly, install 2 Linux DNS servers in the DMZ on some old hardware.

Expert Comment

by:tigermatt
ID: 24106588

You can use your internal servers as name servers for your external domain. Technically, that is possible.

However, on a security basis, it wouldn't be recommended. You should never open up your internal Active Directory DNS servers to the Internet, since doing so would enable any external user to query any zone on the server, and potentially discover the structure and organisation of your internal domain deployment. From a security standpoint, you would need to deploy DNS servers running on more suitable software if you wished to host your own DNS; BIND on a Solaris system is a common recommendation for external name server hosting.

-Matt

Author Comment

by:jskfan
ID: 24106643
<<<You can use your internal servers as name servers for your external domain. Technically, that is possible.>>>

how do you set it up?

Expert Comment

by:tigermatt
ID: 24106675

Simply open port 53 and create the appropriate DNS zone. Externally, create a subdomain called 'ns1.yourdomain.com' and set it as an 'A' record to your external public IP address. Then point your nameservers at your domain registrar to ns1.yourdomain.com.

Once you open port 53, be ready to see your Internet bandwidth usage skyrocket, as you will essentially be opening up a public DNS server to the Internet which has recursion enabled.

DNS via BIND is much more secure, as it allows more granular control over various features, and since it will be dedicated to resolving for your domain, recursion can be disabled.

-Matt

Author Comment

by:jskfan
ID: 24111014

<<<Simply open port 53 and create the appropriate DNS zone. Externally, create a subdomain called 'ns1.yourdomain.com' and set it as an 'A' record to your external public IP address. Then point your nameservers at your domain registrar to ns1.yourdomain.com.>>>
This sounds like I will still need an external DNS (somewhere in the DMZ) with a zone named ns1.mydomain.com.

Accepted Solution

by:tigermatt
tigermatt earned 300 total points
ID: 24111500

Ideally, yes, that is what you need. For security reasons, you need a dedicated box, outside the domain in the DMZ, running BIND on some sort of *nix platform. BIND's implementation of DNS is much more secure than MS DNS, with more granular control.

If you are hosting your own DNS, you also need to strongly consider resilience. Ideally, you have AT LEAST 2 DNS servers in separate sites, so DNS records will still resolve. What you don't want to happen is for your DNS to be taken out; if a mail server, for example, cannot obtain your MX records, it may bounce the mail, rather than wait 2 days to attempt to deliver to your MX record prior to bouncing.

-Matt
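The setup the accepted answer describes (a dedicated authoritative-only BIND pair in the DMZ, recursion off, with a primary and a secondary so the zone still resolves if one box is lost) as an added worked example. This is not code from the original thread or from any of the posters; it generates a primary named.conf, a matching secondary named.conf, and the zone file with the ns1/ns2 glue and MX record the answers mention, then syntax-checks them. The zone name example.com and the 203.0.113.x addresses are RFC 5737 documentation placeholders, and the output directory is whatever you pass in; substitute your own zone and public IPs.

```shell
#!/bin/sh
# Added example (not from the original post): render an authoritative-only
# BIND configuration for a DMZ primary/secondary pair.  The server knows
# nothing about the internal AD zones, so nothing about them can leak.

# gen_dmz_dns_config OUTDIR ZONE NS1_IP NS2_IP WEB_IP MAIL_IP
gen_dmz_dns_config() {
    outdir=$1; zone=$2; ns1=$3; ns2=$4; web=$5; mail=$6
    mkdir -p "$outdir"
    absdir=$(cd "$outdir" && pwd)          # BIND wants an absolute directory
    serial=$(date +%Y%m%d)01               # YYYYMMDDnn serial convention

    # Primary: answer anyone for our zone, never recurse for anyone,
    # allow zone transfers only to the secondary, hide the version string.
    cat > "$outdir/named.conf" <<EOF
options {
    directory "$absdir";
    listen-on { $ns1; };
    recursion no;
    allow-recursion { none; };
    allow-query { any; };
    allow-transfer { $ns2; };
    version "none";
};

zone "$zone" IN {
    type master;
    file "db.$zone";
    notify yes;
    also-notify { $ns2; };
};
EOF

    # Secondary: same hardening, pulls the zone from the primary via AXFR.
    cat > "$outdir/named.conf.secondary" <<EOF
options {
    directory "$absdir";
    listen-on { $ns2; };
    recursion no;
    allow-recursion { none; };
    allow-query { any; };
    allow-transfer { none; };
    version "none";
};

zone "$zone" IN {
    type slave;
    file "db.$zone.bak";
    masters { $ns1; };
};
EOF

    # Zone file: SOA, two NS records with glue, MX, and the DMZ web host.
    cat > "$outdir/db.$zone" <<EOF
\$TTL 3600
\$ORIGIN $zone.
@       IN SOA  ns1.$zone. hostmaster.$zone. (
                $serial ; serial
                3600    ; refresh
                900     ; retry
                1209600 ; expire
                300 )   ; negative cache TTL
        IN NS   ns1.$zone.
        IN NS   ns2.$zone.
        IN MX   10 mail.$zone.
ns1     IN A    $ns1
ns2     IN A    $ns2
www     IN A    $web
mail    IN A    $mail
EOF
}

# check_dmz_dns_config OUTDIR ZONE: run named-checkconf / named-checkzone when
# the BIND tools are installed, and always confirm the settings that matter
# (recursion disabled, both NS records present) are in the generated files.
check_dmz_dns_config() {
    outdir=$1; zone=$2
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$outdir/named.conf" || return 1
        named-checkconf "$outdir/named.conf.secondary" || return 1
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$zone" "$outdir/db.$zone" >/dev/null || return 1
    fi
    grep -q '^ *recursion no;' "$outdir/named.conf" || return 1
    grep -q '^ *recursion no;' "$outdir/named.conf.secondary" || return 1
    grep -q "IN NS   ns1\.$zone\." "$outdir/db.$zone" || return 1
    grep -q "IN NS   ns2\.$zone\." "$outdir/db.$zone" || return 1
    return 0
}
```

Usage: `gen_dmz_dns_config ./dmz-dns example.com 203.0.113.10 203.0.113.11 203.0.113.20 203.0.113.21 && check_dmz_dns_config ./dmz-dns example.com`, then copy named.conf and the zone file to the primary and named.conf.secondary to the secondary, open UDP and TCP 53 inbound to both DMZ addresses only, and register ns1/ns2 with their IPs as glue at the registrar as the earlier comment describes. Once it is live, `dig @203.0.113.10 www.google.com` from outside should come back REFUSED with no `ra` flag, which is the quick confirmation that you have not stood up an open resolver.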
