  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1164

the concept of DMZ

In one company environment, they have 2 DNS servers in the network. One of them holds records with public IP addresses and the other DNS holds records with private IP addresses.
They use one firewall facing the Internet, and it also does the translation, one record to one record, between the DNS that holds the records with public IPs and the DNS that holds the records with private IPs.

I would like to know if this is called a DMZ? Or is it a DMZ only if they had the DNS with public IPs sitting between 2 firewalls? What is the difference?

thanks

Asked by jskfan

2 Solutions

Roachy1979 commented:
The purpose of a DMZ is to segregate traffic between public facing services and private services....effectively so that no machines on the LAN have any services visible to the public internet.  This is conventionally achieved by having 2 firewalls....or by having a firewall with an interface assigned to the DMZ to facilitate filtering of traffic between the DMZ, public interface and the LAN.

It sounds like what you have there is a DNS server on the LAN that handles public DNS requests.  If this is the case, this is almost certainly considered less secure than a DMZ configuration....

See http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

and

http://compnetworking.about.com/cs/networksecurity/g/bldef_dmz.htm

jskfan (Author) commented:
> It sounds like what you have there is a DNS server on the LAN that handles public DNS requests. If this is the case, this is almost certainly considered less secure than a DMZ configuration....

Why is it less secure, since the one-to-one record translation is done through the firewall?

Can you also explain how the process takes its route, starting from the request initiated by an Internet user all the way to the response he/she receives?

Thanks

jskfan (Author) commented:
any updates??
Roachy1979 commented:
The DMZ effectively stops permitted traffic..... I'll try to draw this out for you.

INTERNET>>>>>>><<<<<<<<DMZ<<<<<<<<<LAN

As you can see, the DMZ allows traffic in and outbound...this allows your DNS servers to respond to queries, and it allows machines in your DMZ to access the Internet (you might want to run a proxy in the DMZ, for example...). LAN traffic can only be established one way.....this means that if a vulnerability is exploited on your public DNS server, it won't compromise your whole LAN....machines on your LAN can initiate conversation with DMZ machines, but the DMZ can't talk to the LAN machines....

As for part 2 of the question...
>can you also explain how the process takes route starting from the Request initiated by an internet user all the way to the response he/she receives?

Are you referring to DNS again here....if so, have a look at http://computer.howstuffworks.com/dns3.htm and onwards....there's a pretty good flow chart on the MS site to help you visualise it: http://www.microsoft.com/windows/windows2000/en/advanced/help/sag_DNS_und_HowDnsWorks.htm

Hope this helps


jskfan (Author) commented:
I downloaded it and started the Nessus client. Now when I add an IP address of a host or a subnet to scan,
it starts and shows "Logging into the remote scanner",
then a message pops up saying: "It was not possible to connect to the remote host. Make sure the host IP and port are correct and that the Nessus server service is running."

I looked in Services and didn't see the Nessus server service at all.

Roachy1979 commented:
I think you replied to the wrong thread...but I'll jump over to that one too, to see if I can help!


jskfan (Author) commented:
sorry , I did.

jskfan (Author) commented:
I meant, for this scenario where they have the public DNS inside the LAN and not in the DMZ, how do they configure their firewall to work with the public DNS?
One thing that I am sure of, and that might help you get an idea about the network, is that the public DNS server has the same records as the internal DNS server. For instance, if you find in the public DNS a record XYZ.com 204.204.204.204, you will find in the internal DNS the same record with a private IP address, XYZ.com 10.10.10.10.

Roachy1979 commented:
Yes....that's the right way to configure it in Windows - separate servers for public and private.  To be honest, I avoid hosting my own public DNS.....it's yet another hole in the firewall that I don't particularly want....and both Windows and BIND have had their share of vulnerabilities in the past.  The risk of a DNS server being compromised and that having a knock-on effect on the rest of the LAN is too great....

Recently I discovered editdns http://www.editdns.net/ who provide a hosted DNS service free of charge.....they seem to have good uptime and are pretty good.  Alternatively I'd recommend using your domain registrar who should allow you to make/modify your DNS records via a web based interface.....unless there is some real value in the public DNS server being sat on your LAN, I'd get it out of there and get it hosted off site, or at the very least, get it in a DMZ...

That said....if you absolutely must have the DNS server there, DNS requests come in on UDP port 53.....so that's the port you'll need to forward on your firewall...

jskfan (Author) commented:
So it sounds like they are using the one firewall both for receiving DNS traffic from the Internet and for NATing the public IPs from the public DNS to the internal DNS.

Roachy1979 commented:
The public DNS and internal DNS are 2 servers in their own right (which is how it should be).  The 2 don't need to be connected, and again I emphasise that they really shouldn't have a public DNS server sat on their LAN. If they just want to resolve the public FQDNs to machines on their LAN, then split DNS would be a better way of doing it (creating a zone file on the private DNS server to resolve public addresses to local names).

Johneil1 commented:
Okay, their internal DNS should be something like company.local or company.DNS, which, like the gentleman said earlier, segregates their internal DNS from their external DNS (.com, .org, .biz, etc.)......

When working with the domain name system (DNS) for Active Directory, there are several key components to be aware of regarding client configuration, server configuration and monitoring. Another aspect that should not be overlooked, however, involves DNS structure and design.

When designing the DNS structure, keep in mind certain principles and practices that will affect the overall name resolution performance in the network. DNS structures that are patched together or not well thought out will work, but they have pockets of failure that will affect AD performance. That is why adherence to best practices in the DNS structure is extremely important in creating an efficient and productive Active Directory.

Johneil1 commented:
please view this simple example and see if it helps a little.

jskfan (Author) commented:
Regarding security...
The public DNS, even though it's not between 2 physical firewalls, still receives public requests through the firewall and does the NATing (public to private IP translation) through the same firewall.
I think it's the same as putting the public DNS between 2 firewalls.
Correct?

Roachy1979 commented:
Not quite....

You see, if the DNS server is compromised through a flaw or vulnerability, and it sits on the same network (LAN) as client machines, the vulnerability could be exploited to control/administer other machines on the LAN, as traffic is permitted between the DNS server and other machines on the LAN.

While most known exploits that could carry this risk are patched, it's an extra risk....there have been many exploits regarding Microsoft's implementation of DNS in the past...an example would be http://www.microsoft.com/technet/security/advisory/935964.mspx

You need some form of separation between the DNS server that is handling public requests and the local area network.....without this you are exposing yourself to significant risk.

A DMZ is a good way of handling this, as if the DNS server is compromised and someone else has administrative control over it, it still cannot then be used to compromise other machines on your network.....worst case scenario is nowhere near as bad (potential cache poisoning, or use in some form of remote attack on a third party...)
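The separation argument above, together with Roachy1979's earlier traffic diagram, as an added example that is not part of the thread: a small Python model of a stateful firewall policy for the two placements (public DNS in a DMZ versus public DNS port-forwarded onto the LAN). The addresses (192.0.2.0/24 as the DMZ, 10.10.10.0/24 as the LAN, 203.0.113.5 as an Internet client) and the rule sets are constructed assumptions, not the company's real configuration.

```python
import ipaddress

# Constructed sample addressing (an assumption, not the company's real network).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "lan": ipaddress.ip_network("10.10.10.0/24"),
}


def zone_of(ip):
    """Map an address to the firewall zone it sits in; anything else is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# Each rule permits NEW sessions from src zone to dst zone; None matches any
# protocol or port. Replies to a permitted session are implied (stateful firewall).
DMZ_POLICY = [
    ("internet", "dmz", "udp", 53),   # public DNS queries reach the DMZ server only
    ("dmz", "internet", None, None),  # DMZ hosts may talk outbound (DNS replies, proxy)
    ("lan", "dmz", None, None),       # LAN may open sessions into the DMZ
    ("lan", "internet", None, None),
    # deliberately no ("dmz", "lan") rule: the DMZ cannot start sessions inward
]

LAN_DNS_POLICY = [
    ("internet", "lan", "udp", 53),   # UDP/53 forwarded straight onto a LAN host
    ("lan", "internet", None, None),
    ("lan", "lan", None, None),       # flat LAN: the firewall never sees this traffic
]


def new_session_allowed(policy, src_ip, dst_ip, proto, dport):
    """True if the policy lets src_ip open a new proto/dport session to dst_ip."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    return any(
        s == src_zone and d == dst_zone and p in (None, proto) and port in (None, dport)
        for s, d, p, port in policy
    )


def blast_radius(policy, compromised_ip):
    """Zones a compromised host could open sessions into (the 'worst case' above)."""
    src_zone = zone_of(compromised_ip)
    return sorted({d for s, d, _, _ in policy if s == src_zone})


if __name__ == "__main__":
    print("DMZ placement:", blast_radius(DMZ_POLICY, "192.0.2.53"))       # ['internet']
    print("LAN placement:", blast_radius(LAN_DNS_POLICY, "10.10.10.53"))  # ['internet', 'lan']
```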