Solved

Resolving External DNS request with Internal DNS

Posted on 2009-04-09
7
525 Views
Last Modified: 2012-05-06
We are planning to put web servers in the DMZ.
We have an AD domain internally. We don't have public DNS in the DMZ or at the ISP.
We just have registered Public IPs.
Is it possible to resolve external requests from the internal DNS without encurring any security risk?

Thanks
0
Comment
Question by:jskfan
7 Comments
 
LVL 3

Assisted Solution

by:boat_anker
boat_anker earned 100 total points
ID: 24106466
I would recommend putting a DNS server in the DMZ to resolve the external requests.

Any time you open a port you increase the risk
0
 
LVL 8

Assisted Solution

by:brittonv
brittonv earned 100 total points
ID: 24106486
The quick answer is "not really."

Regardless, If I were you there are 2 options.  

Use the DNS server of your domain registrar.  Most of them now have managed DNS services.

Secondly install 2 linux dns server on the DMZ on some old hardware.  
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24106588

You can use your internal servers as name servers for your external domain. Technically, that is possible.

However, on a security basis, it wouldn't be recommended. You should never open up your internal Active Directory DNS servers to the Internet, since doing so would enable any external user to query any zone on the server, and potential discover the structure and organisation of your internal domain deployment. From a security standpoint, you would need to deploy DNS servers running on more suitable software if you wished to host your own DNS; BIND on a Solaris system is a common recommendation for external name server hosting.

-Matt
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 

Author Comment

by:jskfan
ID: 24106643
<<<You can use your internal servers as name servers for your external domain. Technically, that is possible.>>>

how do you set it up?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24106675

Simply open port 53 and create the appropriate DNS zone. Externally, create a subdomain called 'ns1.yourdomain.com' and set it as an 'A' record to your external public IP address. Then point your nameservers at your domain registrar to ns1.yourdomain.com.

Once you open port 53, be ready to have see your Internet bandwidth usage skyrocket, as you will essentially be opening up a public DNS server to the Internet which has recursion enabled.

DNS via BIND is much more secure, as it allows more granular control over various features, and since it will be dedicated to resolving for your domain, recursion can be disabled.

-Matt
0
 

Author Comment

by:jskfan
ID: 24111014

<<<Simply open port 53 and create the appropriate DNS zone. Externally, create a subdomain called 'ns1.yourdomain.com' and set it as an 'A' record to your external public IP address. Then point your nameservers at your domain registrar to ns1.yourdomain.com.>>>
This sounds like I will still need an external DNS (somewhere in the DMZ) with a zone named ns1.mydomai.com.
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 300 total points
ID: 24111500

Ideally, yes, that is what you need. For security reasons, you need a dedicated box, outside the domain in the DMZ, running BIND on some sort of *nix platform. BIND's implementation of DNS is much more secure than MS DNS, with more granular control.

If you are hosting your own DNS, you also need to strongly consider resilience. Ideally, you have AT LEAST 2 DNS servers in separate sites, so DNS records will still resolve. What you don't want to happen is for your DNS to be taken out; if a mail server, for example, cannot obtain your MX records, it may bounce the mail, rather than wait 2 days to attempt to deliver to your MX record prior to bouncing.

-Matt
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you have a multi-homed DNS setup in windows, you can have issues with connectivity to the server that hosts the DNS services (or even member servers of your domain if this same DNS server is a DC). This is because windows registers all of its IPs…
Resolve DNS query failed errors for Exchange
Delivering innovative fully-managed cloud services for mission-critical applications requires expertise in multiple areas plus vision and commitment. Meet a few of the people behind the quality services of Concerto.
Need to grow your business through quality cloud solutions? With everything required to build a cloud platform and solution, you may feel like the distance between you and the cloud is quite long. Help is here. Spend some time learning about the Con…

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now