jskfan asked:
The concept of DMZ
In one company environment they have 2 DNS servers in the network. One of them holds records with public IP addresses and the other DNS holds records with private IP addresses.
They use one firewall facing the Internet, and it also does the translation, one record to one record, between the DNS that holds the records with public IPs and the DNS that holds the records with private IPs.
I would like to know if this is called a DMZ, or is it a DMZ only if they had the DNS with public IPs sitting between 2 firewalls? What is the difference?
Thanks
ASKER
<<It sounds like what you have there is a DNS server on the LAN that handles public DNS requests. If this is the case, this is almost certainly considered less secure than a DMZ configuration....>>
Why is it less secure, since the one-to-one record translation is done through the firewall?
Can you also explain how the process routes, starting from the request initiated by an Internet user all the way to the response he/she receives?
Thanks
ASKER
any updates??
The DMZ effectively stops permitted traffic..... I'll try to draw this out for you.
INTERNET>>>>>>><<<<<<<<DMZ <<<<<<<<<LAN
As you can see, the DMZ allows traffic in and outbound. This allows your DNS servers to respond to queries, and it allows machines in your DMZ to access the internet (you might want to run a proxy in the DMZ, for example). LAN traffic can only be established one way. This means that if a vulnerability is exploited on your public DNS server, it won't compromise your whole LAN. Machines on your LAN can initiate conversation with DMZ machines, but the DMZ can't talk to the LAN machines.
As for part 2 of the question...
>can you also explain how the process takes route starting from the Request initiated by an internet user all the way to the response he/she receives?
Are you referring to DNS again here? If so, have a look at http://computer.howstuffworks.com/dns3.htm and onwards. There's a pretty good flow chart on the MS site to help you visualise it: http://www.microsoft.com/windows/windows2000/en/advanced/help/sag_DNS_und_HowDnsWorks.htm
Hope this helps
ASKER
I downloaded it and started the Nessus client. Now when I add an IP address of a host or a subnet to scan,
it starts and shows "Logging into the remote scanner",
then a message pops up saying: "It was not possible to connect to the remote host. Make sure the host IP and port are correct and that the Nessus server service is running".
I looked in Services and didn't see the Nessus server service at all.
I think you replied to the wrong thread...but I'll jump over to that one too, to see if I can help!
ASKER
sorry , I did.
ASKER
I meant, for this scenario where they have the public DNS inside the LAN, not in the DMZ, how do they configure their firewall to work with the public DNS?
One thing that I am sure of, and that might help you get an idea about the network, is that the public DNS server has the same records as the internal DNS server. For instance, if you find in the public DNS a record of XYZ.com 204.204.204.204, you will find in the internal DNS the same record with a private IP address, XYZ.com 10.10.10.10.
Yes, that's the right way to configure it in Windows: separate servers for public and private. To be honest, I avoid hosting my own public DNS. It's yet another hole in the firewall that I don't particularly want, and both Windows and BIND have had their share of vulnerabilities in the past. The risk of a DNS server being compromised and that having a knock-on effect on the rest of the LAN is too great....
Recently I discovered editdns http://www.editdns.net/ who provide a hosted DNS service free of charge. They seem to have good uptime and are pretty good. Alternatively I'd recommend using your domain registrar, who should allow you to make/modify your DNS records via a web-based interface. Unless there is some real value in the public DNS server being sat on your LAN, I'd get it out of there and get it hosted off site, or at the very least, get it in a DMZ...
That said, if you absolutely must have the DNS server there, DNS requests come in on UDP port 53, so that's the port you'll need to forward on your firewall...
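To make the directionality described in the earlier answer concrete (internet and LAN may initiate into the DMZ, the DMZ may not initiate into the LAN, and the only inbound hole is UDP 53 forwarded to the DNS host), here is an added example that is not from this thread: a small Python model of a zone-based stateful edge firewall with the one-to-one DNAT the asker describes. The subnets, the DNS host addresses 192.168.100.53 and 10.10.10.53, the LAN servers 10.10.10.20 and 10.10.10.21, and the client 198.51.100.7 are all constructed; the model is for reasoning about the policy, not a real firewall configuration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: RFC 1918 space for the DMZ and LAN segments; anything
# outside them is treated as the internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
    "lan": ipaddress.ip_network("10.10.10.0/24"),
}
PUBLIC_DNS_IP = "204.204.204.204"   # the public address used in the thread


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


class StatefulFirewall:
    """Edge firewall that DNATs the public DNS address to one private host.

    dns_host is where the public record is translated to; whether it sits in
    the DMZ or on the LAN is exactly the choice debated in the thread.
    """

    def __init__(self, dns_host: str):
        self.dns_host = dns_host
        self.established = set()
        # Zone-pair policy: a flow passes only if its (src, dst) zone pair has a
        # rule and the rule accepts it.  There is deliberately no (dmz, lan) entry.
        self.policy = {
            ("lan", "dmz"): lambda f: True,        # LAN may initiate into the DMZ
            ("lan", "internet"): lambda f: True,
            ("dmz", "internet"): lambda f: True,   # e.g. a proxy in the DMZ
            # The single inbound hole: UDP 53 to the DNS host, wherever it sits.
            ("internet", zone_of(dns_host)): lambda f: (
                f.dst == self.dns_host and f.proto == "udp" and f.dport == 53
            ),
        }

    def dnat(self, flow: Flow) -> Flow:
        """One-to-one translation of the public DNS address at the edge."""
        if flow.dst == PUBLIC_DNS_IP:
            return Flow(flow.src, self.dns_host, flow.proto, flow.dport)
        return flow

    def allow(self, flow: Flow) -> bool:
        flow = self.dnat(flow)
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        if src_zone == dst_zone:
            return True   # same segment: the firewall is not in the path at all
        for s, d, proto in self.established:
            if s == flow.dst and d == flow.src and proto == flow.proto:
                return True   # reply traffic of a connection already permitted
        rule = self.policy.get((src_zone, dst_zone))
        if rule is not None and rule(flow):
            self.established.add((flow.src, flow.dst, flow.proto))
            return True
        return False


def dns_query_round_trip(fw: StatefulFirewall, client: str = "198.51.100.7") -> bool:
    """An internet client queries the public address; the server's reply must pass."""
    query_ok = fw.allow(Flow(client, PUBLIC_DNS_IP, "udp", 53))
    reply_ok = fw.allow(Flow(fw.dns_host, client, "udp", 3000))
    return query_ok and reply_ok


LAN_HOSTS = ["10.10.10.20", "10.10.10.21"]   # constructed internal file servers


def reachable_from(fw: StatefulFirewall, src: str, targets, proto="tcp", dport=445):
    """Which targets a host at src can initiate to, e.g. once it has been compromised."""
    return sorted(t for t in targets if fw.allow(Flow(src, t, proto, dport)))


def compare_placements() -> dict:
    """The same DNS host, first inside the DMZ, then on the LAN."""
    in_dmz = StatefulFirewall("192.168.100.53")
    on_lan = StatefulFirewall("10.10.10.53")
    assert dns_query_round_trip(in_dmz) and dns_query_round_trip(on_lan)
    return {
        "dns_in_dmz": reachable_from(in_dmz, "192.168.100.53", LAN_HOSTS),
        "dns_on_lan": reachable_from(on_lan, "10.10.10.53", LAN_HOSTS),
    }


if __name__ == "__main__":
    print(compare_placements())
```

Both placements serve the public query identically, which is why the setup "works" either way. The difference only shows in `compare_placements()`: a DNS host in the DMZ cannot initiate anything toward the LAN because no (dmz, lan) rule exists, whereas a DNS host on the LAN shares a segment with the internal servers and the firewall never sees that traffic. That is the knock-on risk the answer refers to.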
ASKER
So it sounds like they are using the one firewall for both receiving DNS traffic from the Internet and NATting the public IPs from the public DNS to the internal DNS.
The public DNS and internal DNS are 2 servers in their own right (which is how it should be). The 2 don't need to be connected, and again I emphasise that they really shouldn't have a public DNS server sat on their LAN. If they just want to resolve the public FQDNs to machines on their LAN then split DNS would be a better way of doing it (creating a zone file on the private DNS server to resolve public addresses to local names).
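The split DNS the expert recommends is what the asker's "same record, different address" pairing already amounts to. As an added example (not from this thread, and not a BIND or Windows DNS configuration), here is a Python model of a split-horizon resolver: one authoritative internal zone with private addresses, a public view derived from it through the firewall's static one-to-one NAT table, and view selection by the client's source address. It also shows the property a practitioner wants from this design: a host with no public NAT mapping never appears in the external view. The XYZ.com records and addresses come from the thread; the internal-only host intranet.xyz.com, the internal network ranges, and the client addresses are constructed.

```python
import ipaddress

# Constructed: which source addresses count as "inside" for the split view.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Internal zone data: the authoritative copy, private addresses as in the thread.
INTERNAL_ZONE = {
    "xyz.com.": "10.10.10.10",
    "www.xyz.com.": "10.10.10.10",
    "intranet.xyz.com.": "10.10.10.50",   # constructed: internal-only host
}

# Static one-to-one NAT table kept on the edge firewall (private -> public).
NAT_MAP = {"10.10.10.10": "204.204.204.204"}


def normalize(name: str) -> str:
    """DNS names are case-insensitive; store them lower-case and fully qualified."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def external_zone_from(internal_zone: dict, nat_map: dict) -> dict:
    """Derive the public view from the internal zone and the NAT table.

    Only records whose private address has a public mapping are exported, so
    internal-only names never leak to outside resolvers.
    """
    return {name: nat_map[ip] for name, ip in internal_zone.items() if ip in nat_map}


EXTERNAL_ZONE = external_zone_from(INTERNAL_ZONE, NAT_MAP)


def view_for(client_ip: str) -> str:
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def resolve(name: str, client_ip: str):
    """Answer a query with the address appropriate to the client's view, or None."""
    zone = INTERNAL_ZONE if view_for(client_ip) == "internal" else EXTERNAL_ZONE
    return zone.get(normalize(name))


if __name__ == "__main__":
    print(resolve("XYZ.com", "10.10.10.20"), resolve("xyz.com", "198.51.100.7"))
```

Deriving the external zone from the NAT table rather than maintaining it by hand keeps the two views from drifting apart, which is the usual failure mode of "one record to one record" setups kept in two places.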
please view this simple example and see if it helps a little.
ASKER
Regarding security...
Even though the public DNS is not between 2 physical firewalls, it still receives public requests through the firewall and does the NATting (public to private IP translation) through the same firewall.
I think it's the same as putting the public DNS between 2 firewalls.
Correct?
ASKER CERTIFIED SOLUTION
It sounds like what you have there is a DNS server on the LAN that handles public DNS requests. If this is the case, this is almost certainly considered less secure than a DMZ configuration....
See http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)
and
http://compnetworking.about.com/cs/networksecurity/g/bldef_dmz.htm