Solved

Resolving External DNS request with Internal DNS

Posted on 2009-04-09
Last Modified: 2012-05-06
We are planning to put web servers in the DMZ.
We have an AD domain internally. We don't have public DNS in the DMZ or at the ISP.
We just have registered Public IPs.
Is it possible to resolve external requests from the internal DNS without incurring any security risk?

Thanks
0
Question by:jskfan
7 Comments
 
LVL 3

Assisted Solution

by:boat_anker
boat_anker earned 400 total points
ID: 24106466
I would recommend putting a DNS server in the DMZ to resolve the external requests.

Any time you open a port, you increase the risk.
0
 
LVL 8

Assisted Solution

by:brittonv
brittonv earned 400 total points
ID: 24106486
The quick answer is "not really."

Regardless, if I were you, there are 2 options.

Use the DNS server of your domain registrar. Most of them now have managed DNS services.

Secondly, install 2 Linux DNS servers on the DMZ on some old hardware.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24106588

You can use your internal servers as name servers for your external domain. Technically, that is possible.

However, on a security basis, it wouldn't be recommended. You should never open up your internal Active Directory DNS servers to the Internet, since doing so would enable any external user to query any zone on the server, and potentially discover the structure and organisation of your internal domain deployment. From a security standpoint, you would need to deploy DNS servers running on more suitable software if you wished to host your own DNS; BIND on a Solaris system is a common recommendation for external name server hosting.

-Matt
0

Author Comment

by:jskfan
ID: 24106643
<<<You can use your internal servers as name servers for your external domain. Technically, that is possible.>>>

How do you set it up?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24106675

Simply open port 53 and create the appropriate DNS zone. Externally, create a subdomain called 'ns1.yourdomain.com' and set it as an 'A' record to your external public IP address. Then point your nameservers at your domain registrar to ns1.yourdomain.com.

Once you open port 53, be ready to see your Internet bandwidth usage skyrocket, as you will essentially be opening up a public DNS server to the Internet which has recursion enabled.

DNS via BIND is much more secure, as it allows more granular control over various features, and since it will be dedicated to resolving for your domain, recursion can be disabled.

-Matt
0
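A check for the recursion problem described in the answer above, as an added example that is not part of the original thread: it builds a DNS query for a name the server does not host and reads the reply's header flags to tell an open recursive resolver from an authoritative-only server. The sample replies are constructed header-only messages, and all function names are this example's own.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode a DNS A query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp, qid=0x1234):
    """Read the header flags of a DNS reply and report how the server behaved."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return {
        "authoritative": bool(flags & 0x0400),        # AA bit
        "recursion_available": bool(flags & 0x0080),  # RA bit
        "rcode": flags & 0x000F,                      # 0=NOERROR, 5=REFUSED
        "answers": an,
    }

def is_open_resolver(resp, qid=0x1234):
    """True if a query for a name the server does not host was answered recursively."""
    r = classify_response(resp, qid)
    return bool(r["recursion_available"] and r["rcode"] == 0
                and r["answers"] > 0 and not r["authoritative"])

def probe(server, name, timeout=3.0):
    """Send the query over UDP/53 to a name server you operate; return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

# Constructed sample replies (12-byte headers only, not captured traffic).
# 0x8180 = QR|RD|RA, NOERROR, 1 answer: recursive answer for a foreign name.
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# 0x8105 = QR|RD, RCODE 5 (REFUSED): authoritative-only server declining recursion.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    print(is_open_resolver(OPEN_REPLY), is_open_resolver(REFUSED_REPLY))
```

Run `probe()` from outside the firewall against your own public name server, using a name in a zone it does not host, and pass the reply to `is_open_resolver()`.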
 

Author Comment

by:jskfan
ID: 24111014

<<<Simply open port 53 and create the appropriate DNS zone. Externally, create a subdomain called 'ns1.yourdomain.com' and set it as an 'A' record to your external public IP address. Then point your nameservers at your domain registrar to ns1.yourdomain.com.>>>
This sounds like I will still need an external DNS (somewhere in the DMZ) with a zone named ns1.mydomain.com.
0
 
LVL 58

Accepted Solution

by:tigermatt
tigermatt earned 1200 total points
ID: 24111500

Ideally, yes, that is what you need. For security reasons, you need a dedicated box, outside the domain in the DMZ, running BIND on some sort of *nix platform. BIND's implementation of DNS is much more secure than MS DNS, with more granular control.

If you are hosting your own DNS, you also need to strongly consider resilience. Ideally, you have AT LEAST 2 DNS servers in separate sites, so DNS records will still resolve. What you don't want to happen is for your DNS to be taken out; if a mail server, for example, cannot obtain your MX records, it may bounce the mail, rather than wait 2 days to attempt to deliver to your MX record prior to bouncing.

-Matt
0
