Solved

Resolving External DNS request with Internal DNS

Posted on 2009-04-09
534 Views
Last Modified: 2012-05-06
We are planning to put web servers in the DMZ.
We have an AD domain internally. We don't have public DNS in the DMZ or at the ISP.
We just have registered Public IPs.
Is it possible to resolve external requests from the internal DNS without incurring any security risk?

Thanks
7 Comments
 
LVL 3

Assisted Solution

by:boat_anker
boat_anker earned 400 total points
ID: 24106466
I would recommend putting a DNS server in the DMZ to resolve the external requests.

Any time you open a port you increase the risk
0
 
LVL 8

Assisted Solution

by:brittonv
brittonv earned 400 total points
ID: 24106486
The quick answer is "not really."

Regardless, if I were you, there are two options.

Use the DNS server of your domain registrar.  Most of them now have managed DNS services.

Secondly, install two Linux DNS servers in the DMZ on some old hardware.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24106588

You can use your internal servers as name servers for your external domain. Technically, that is possible.

However, on a security basis, it wouldn't be recommended. You should never open up your internal Active Directory DNS servers to the Internet, since doing so would enable any external user to query any zone on the server, and potentially discover the structure and organisation of your internal domain deployment. From a security standpoint, you would need to deploy DNS servers running on more suitable software if you wished to host your own DNS; BIND on a Solaris system is a common recommendation for external name server hosting.

-Matt
0

Author Comment

by:jskfan
ID: 24106643
<<<You can use your internal servers as name servers for your external domain. Technically, that is possible.>>>

how do you set it up?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24106675

Simply open port 53 and create the appropriate DNS zone. Externally, create a subdomain called 'ns1.yourdomain.com' and set it as an 'A' record to your external public IP address. Then point your nameservers at your domain registrar to ns1.yourdomain.com.

Once you open port 53, be ready to see your Internet bandwidth usage skyrocket, as you will essentially be opening up a public DNS server to the Internet which has recursion enabled.

DNS via BIND is much more secure, as it allows more granular control over various features, and since it will be dedicated to resolving for your domain, recursion can be disabled.

-Matt
0
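The "recursion enabled" risk Matt describes above is easy to test for, and worth testing before and after any port 53 change. The following is an added example for this thread, not code from any of the posters: it builds a raw DNS query for a name the server is not authoritative for (www.example.net, chosen here as an arbitrary third-party name) and classifies the response header. A server that answers such a query with the RA (recursion available) flag set and AA (authoritative answer) clear is an open recursive resolver, which is what a default Windows DNS server becomes once exposed; an authoritative-only server such as BIND with `recursion no` returns REFUSED with RA clear. The two sample responses and the 192.0.2.10 address are constructed test data so the script runs offline; `probe()` is the live check for a server you are authorised to test.

```python
"""Offline check of the 'open resolver' risk of exposing a DNS server on port 53.

Example code added for this thread (not from the original posters). The two
sample replies below are constructed test data, not captured traffic.
"""
import socket
import struct
from typing import Optional

# DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035 section 4.1.1)
HEADER = struct.Struct("!HHHHHH")
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Wire-format A/IN query. RD=1 asks the server to recurse on our behalf."""
    flags = FLAG_RD if rd else 0
    header = HEADER.pack(txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(resp: bytes) -> dict:
    """Parse the header and decide whether the server acted as an open resolver.

    Open resolver: it recursed for a name it does not host (RA set, AA clear)
    and returned answer records with rcode NOERROR.
    """
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(resp, 0)
    ra = bool(flags & FLAG_RA)
    aa = bool(flags & FLAG_AA)
    rcode = flags & 0x000F
    return {
        "txid": txid,
        "ra": ra,
        "aa": aa,
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "answers": an,
        "open_resolver": ra and rcode == 0 and an > 0 and not aa,
    }


def fake_response(query: bytes, flags: int, answer_ip: Optional[str] = None) -> bytes:
    """Constructed test data: echo the question back under the given header flags,
    optionally with one A record (name compressed as a pointer to offset 12)."""
    txid = HEADER.unpack_from(query, 0)[0]
    question = query[HEADER.size:]
    answers = b""
    if answer_ip:
        answers = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return HEADER.pack(txid, flags, 1, 1 if answer_ip else 0, 0, 0) + question + answers


PROBE_NAME = "www.example.net"  # a name the server under test does NOT host
# What an exposed recursive server (e.g. default Windows DNS) returns: QR|RD|RA, NOERROR, one answer.
OPEN_RESOLVER_REPLY = fake_response(build_query(PROBE_NAME), FLAG_QR | FLAG_RD | FLAG_RA, "192.0.2.10")
# What an authoritative-only server (BIND, recursion no) returns: QR|RD, rcode 5 REFUSED, RA clear.
LOCKED_DOWN_REPLY = fake_response(build_query(PROBE_NAME), FLAG_QR | FLAG_RD | 5)


def probe(server: str, name: str = PROBE_NAME, timeout: float = 3.0) -> dict:
    """Live check over UDP/53 (needs network; only against servers you are allowed to test)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    return classify_response(data)


if __name__ == "__main__":
    print("exposed recursive server :", classify_response(OPEN_RESOLVER_REPLY))
    print("authoritative-only server:", classify_response(LOCKED_DOWN_REPLY))
    # probe("203.0.113.10")  # uncomment to test a real server from outside the firewall
```

Run `probe()` from a host on the Internet side of the firewall; if `open_resolver` is `True` for a name you do not host, the server is recursing for the world and will attract the traffic (and amplification abuse) Matt warns about.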
 

Author Comment

by:jskfan
ID: 24111014

<<<Simply open port 53 and create the appropriate DNS zone. Externally, create a subdomain called 'ns1.yourdomain.com' and set it as an 'A' record to your external public IP address. Then point your nameservers at your domain registrar to ns1.yourdomain.com.>>>
This sounds like I will still need an external DNS (somewhere in the DMZ) with a zone named ns1.mydomain.com.
0
 
LVL 58

Accepted Solution

by:tigermatt
tigermatt earned 1200 total points
ID: 24111500

Ideally, yes, that is what you need. For security reasons, you need a dedicated box, outside the domain in the DMZ, running BIND on some sort of *nix platform. BIND's implementation of DNS is much more secure than MS DNS, with more granular control.

If you are hosting your own DNS, you also need to strongly consider resilience. Ideally, you have AT LEAST 2 DNS servers in separate sites, so DNS records will still resolve. What you don't want to happen is for your DNS to be taken out; if a mail server, for example, cannot obtain your MX records, it may bounce the mail, rather than wait 2 days to attempt to deliver to your MX record prior to bouncing.

-Matt
0
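To make the accepted answer concrete: the DMZ box hosts the public zone only, with recursion off, so it will answer "what is www.yourdomain.com" for anyone but refuse to look up anything else. The configuration below is an added example for this thread in BIND 9 syntax, not configuration posted by any of the participants. yourdomain.com, the 203.0.113.x addresses (DMZ) and 198.51.100.10 (the second-site secondary, per the resilience advice above) are documentation placeholders. The ns1/ns2 A records here are the ones you also register as glue with your domain registrar, as Matt described.

```conf
// ---- /etc/named.conf : authoritative-only name server in the DMZ ----
// Added example for this thread; addresses and names are placeholders.
options {
    directory "/var/named";
    listen-on { 203.0.113.10; };        // the DMZ interface only, not an internal one
    // recursion yes;                   // the weak (default-resolver) setting: makes this an open resolver
    recursion no;                       // authoritative only: never resolve for the Internet
    allow-query { any; };               // anyone may ask about zones hosted here
    allow-query-cache { none; };        // nothing cached to hand out even if recursion were on
    allow-transfer { 198.51.100.10; };  // only the off-site secondary may pull the zone (AXFR)
    version "not disclosed";            // do not advertise the BIND version to scanners
};

zone "yourdomain.com" IN {
    type master;
    file "yourdomain.com.zone";
    notify yes;
    also-notify { 198.51.100.10; };     // push changes to the secondary promptly
};

// ---- /var/named/yourdomain.com.zone : the public zone, nothing internal ----
// $TTL 3600
// @       IN SOA  ns1.yourdomain.com. hostmaster.yourdomain.com. (
//                 2009040901 ; serial (YYYYMMDDnn)
//                 3600       ; refresh
//                 900        ; retry
//                 1209600    ; expire
//                 3600 )     ; negative-caching TTL
// @       IN NS   ns1.yourdomain.com.
// @       IN NS   ns2.yourdomain.com.
// ns1     IN A    203.0.113.10        ; DMZ primary; also registered as glue at the registrar
// ns2     IN A    198.51.100.10       ; second-site secondary; also registered as glue
// www     IN A    203.0.113.20        ; the DMZ web server this thread is about
// @       IN MX 10 mail.yourdomain.com.
// mail    IN A    203.0.113.21
```

The firewall rule that goes with this is UDP and TCP 53 from the Internet to 203.0.113.10 only; the internal Active Directory DNS servers stay unreachable from outside and keep resolving external names for the LAN exactly as they do today. After loading the zone, `named-checkconf` and `named-checkzone yourdomain.com /var/named/yourdomain.com.zone` catch syntax errors before you point the registrar at ns1 and ns2.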
