Solved

Resolving External DNS request with Internal DNS

Posted on 2009-04-09
7
529 Views
Last Modified: 2012-05-06
We are planning to put web servers in the DMZ.
We have an AD domain internally. We don't have public DNS in the DMZ or at the ISP.
We just have registered Public IPs.
Is it possible to resolve external requests from the internal DNS without encurring any security risk?

Thanks
0
Comment
Question by:jskfan
7 Comments
 
LVL 3

Assisted Solution

by:boat_anker
boat_anker earned 100 total points
ID: 24106466
I would recommend putting a DNS server in the DMZ to resolve the external requests.

Any time you open a port you increase the risk
0
 
LVL 8

Assisted Solution

by:brittonv
brittonv earned 100 total points
ID: 24106486
The quick answer is "not really."

Regardless, If I were you there are 2 options.  

Use the DNS server of your domain registrar.  Most of them now have managed DNS services.

Secondly install 2 linux dns server on the DMZ on some old hardware.  
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24106588

You can use your internal servers as name servers for your external domain. Technically, that is possible.

However, on a security basis, it wouldn't be recommended. You should never open up your internal Active Directory DNS servers to the Internet, since doing so would enable any external user to query any zone on the server, and potential discover the structure and organisation of your internal domain deployment. From a security standpoint, you would need to deploy DNS servers running on more suitable software if you wished to host your own DNS; BIND on a Solaris system is a common recommendation for external name server hosting.

-Matt
0
3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

 

Author Comment

by:jskfan
ID: 24106643
<<<You can use your internal servers as name servers for your external domain. Technically, that is possible.>>>

how do you set it up?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24106675

Simply open port 53 and create the appropriate DNS zone. Externally, create a subdomain called 'ns1.yourdomain.com' and set it as an 'A' record to your external public IP address. Then point your nameservers at your domain registrar to ns1.yourdomain.com.

Once you open port 53, be ready to have see your Internet bandwidth usage skyrocket, as you will essentially be opening up a public DNS server to the Internet which has recursion enabled.

DNS via BIND is much more secure, as it allows more granular control over various features, and since it will be dedicated to resolving for your domain, recursion can be disabled.

-Matt
0
 

Author Comment

by:jskfan
ID: 24111014

<<<Simply open port 53 and create the appropriate DNS zone. Externally, create a subdomain called 'ns1.yourdomain.com' and set it as an 'A' record to your external public IP address. Then point your nameservers at your domain registrar to ns1.yourdomain.com.>>>
This sounds like I will still need an external DNS (somewhere in the DMZ) with a zone named ns1.mydomai.com.
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 300 total points
ID: 24111500

Ideally, yes, that is what you need. For security reasons, you need a dedicated box, outside the domain in the DMZ, running BIND on some sort of *nix platform. BIND's implementation of DNS is much more secure than MS DNS, with more granular control.

If you are hosting your own DNS, you also need to strongly consider resilience. Ideally, you have AT LEAST 2 DNS servers in separate sites, so DNS records will still resolve. What you don't want to happen is for your DNS to be taken out; if a mail server, for example, cannot obtain your MX records, it may bounce the mail, rather than wait 2 days to attempt to deliver to your MX record prior to bouncing.

-Matt
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is intended as an extension of a blog on Aging and Scavenging by the MS Enterprise Networking Team. In brief, Scavenging is used as follows: Each record in a zone which has been dynamically registered with an MS DNS Server will have…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question