Solved

the concept of DMZ

Posted on 2009-05-14
Last Modified: 2012-06-21
In one company environment they have 2 DNS servers in the network. One of them holds records with public IP addresses and the other DNS holds records with private IP addresses.
They use one firewall facing the Internet, and it also does the one-record-to-one-record translation between the DNS that holds the records with public IPs and the DNS that holds records with private IPs.

I would like to know if this is called a DMZ, or is it a DMZ only if they had the DNS with public IPs sitting between 2 firewalls? What is the difference?

thanks

Question by:jskfan
15 Comments
 
LVL 14

Expert Comment

by:Roachy1979
ID: 24386806
The purpose of a DMZ is to segregate traffic between public facing services and private services....effectively so that no machines on the LAN have any services visible to the public internet.  This is conventionally achieved by having 2 firewalls....or by having a firewall with an interface assigned to the DMZ to facilitate filtering of traffic between the DMZ, public interface and the LAN.

It sounds like what you have there is a DNS server on the LAN that handles public DNS requests.  If this is the case, this is almost certainly considered less secure than a DMZ configuration....

See http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

and

http://compnetworking.about.com/cs/networksecurity/g/bldef_dmz.htm
0
 

Author Comment

by:jskfan
ID: 24386976
<<It sounds like what you have there is a DNS server on the LAN that handles public DNS requests.  If this is the case, this is almost certainly considered less secure than a DMZ configuration....>>>
Why is it less secure, since the one-to-one record translation is done through the firewall?

Can you also explain how the process takes its route, starting from the request initiated by an Internet user all the way to the response he/she receives?

Thanks
0
 

Author Comment

by:jskfan
ID: 24391769
any updates??
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 24393194
The DMZ effectively stops permitted traffic..... I'll try to draw this out for you.

INTERNET>>>>>>><<<<<<<<DMZ<<<<<<<<<LAN

As you can see - the DMZ allows traffic in and outbound...this allows your DNS servers to respond to queries, and it allows machines in your DMZ to access the internet (you might want to run a proxy in the DMZ for example...)  LAN traffic can only be established one way.....this means that if a vulnerability is exploited on your public DNS server, it won't compromise your whole LAN....machines on your LAN can initiate conversation with DMZ machines, but the DMZ can't talk to the LAN machines....

As for part 2 of the question...
>can you also explain how the process takes route starting from the Request initiated by an internet user all the way to the response he/she receives?

Are you referring to DNS again here....if so, have a look at http://computer.howstuffworks.com/dns3.htm and onwards....there's a pretty good flow chart on the MS site to help you visualise it...http://www.microsoft.com/windows/windows2000/en/advanced/help/sag_DNS_und_HowDnsWorks.htm

Hope this helps



0
 

Author Comment

by:jskfan
ID: 24394569
I downloaded it and started the Nessus client. Now when I add an IP address of a host or a subnet to scan,
it starts and shows "Logging into the remote scanner",
then a message pops up saying: "it was not possible to connect to the remote host. Make sure the host IP and port are correct and that the Nessus server service is running".

I looked in services and didn't see the Nessus server service at all.
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 24394813
I think you replied to the wrong thread...but I'll jump over to that one too, to see if I can help!

0
 

Author Comment

by:jskfan
ID: 24394852
Sorry, I did.
0
 

Author Comment

by:jskfan
ID: 24394917
I meant for this scenario, where they have the public DNS inside the LAN, not in the DMZ: how do they configure their firewall to work with the public DNS?
One thing that I am sure of, and that might help you get an idea of the network, is that the public DNS server has the same records as the internal DNS server. For instance, if you find in the public DNS a record XYZ.com 204.204.204.204, you will find in the internal DNS the same record with a private IP address, XYZ.com 10.10.10.10.
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 24395136
Yes....that's the right way to configure it in Windows - separate servers for public and private.  To be honest I avoid hosting my own public DNS.....it's yet another hole in the firewall that I don't particularly want....and both Windows and BIND have had their share of vulnerabilities in the past.  The risk of a DNS server being compromised and that having a knock-on effect on the rest of the LAN is too great....

Recently I discovered editdns http://www.editdns.net/ who provide a hosted DNS service free of charge.....they seem to have good uptime and are pretty good.  Alternatively I'd recommend using your domain registrar who should allow you to make/modify your DNS records via a web based interface.....unless there is some real value in the public DNS server being sat on your LAN, I'd get it out of there and get it hosted off site, or at the very least, get it in a DMZ...

That said....if you absolutely must have the DNS server there, DNS requests come in on UDP port 53.....so that's the port you'll need to forward on your firewall...
0
 

Author Comment

by:jskfan
ID: 24397061
So it sounds like they are using the one firewall both for receiving DNS traffic from the Internet and for NATing the public IPs from the public DNS to the internal DNS.
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 24397732
The public DNS and internal DNS are 2 servers in their own right (which is how it should be).  The 2 don't need to be connected, and again I emphasise that they really shouldn't have a public DNS server sat on their LAN. If they just want to resolve the public FQDNs to machines on their LAN then split DNS would be a better way of doing it (creating a zone file on the private DNS server to resolve public addresses to local names).
0
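Split DNS as Roachy1979 describes it, written out as an added BIND configuration example (not from the thread and not the poster's actual setup). It assumes the LAN is 10.10.10.0/24, the zone is xyz.com, and the record pair the question gives (10.10.10.10 inside, 204.204.204.204 outside); the three files are shown in one listing, and in the recommended layout only the internal view would run on the LAN server while the external view lives on the DMZ or hosted server.

```conf
// named.conf (added example): one BIND server answering two views of xyz.com.
// Assumptions: LAN = 10.10.10.0/24; xyz.com is 10.10.10.10 inside and
// 204.204.204.204 outside, as in the question. Views are matched in order,
// so the internal view must come first.
acl "lan" { 10.10.10.0/24; 127.0.0.1; };

view "internal" {
    match-clients { "lan"; };
    recursion yes;                 // LAN clients may use this server as their resolver
    zone "xyz.com" {
        type master;
        file "/var/named/internal/xyz.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                  // never recurse for Internet clients (open-resolver abuse)
    zone "xyz.com" {
        type master;
        file "/var/named/external/xyz.com.zone";
    };
};

; /var/named/internal/xyz.com.zone  (answers given only to the LAN; ns1 address assumed)
$TTL 3600
@    IN SOA ns1.xyz.com. hostmaster.xyz.com. ( 2009051401 3600 900 604800 300 )
     IN NS  ns1.xyz.com.
ns1  IN A   10.10.10.53
@    IN A   10.10.10.10

; /var/named/external/xyz.com.zone  (answers given to everyone else; ns1 address assumed)
$TTL 3600
@    IN SOA ns1.xyz.com. hostmaster.xyz.com. ( 2009051401 3600 900 604800 300 )
     IN NS  ns1.xyz.com.
ns1  IN A   204.204.204.53
@    IN A   204.204.204.204
```

Verify each view with `dig @<server> xyz.com A` once from a LAN host and once from outside: the first must return 10.10.10.10 and the second 204.204.204.204.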
 
LVL 3

Assisted Solution

by:Johneil1
Johneil1 earned 400 total points
ID: 24412571
Okay, their internal DNS should be something like company.local or company.dns, which, like the gentleman said earlier, segregates their internal DNS from their external DNS (.com, .org, .biz etc.).

When working with the domain name system (DNS) for Active Directory, there are several key components to be aware of regarding client configuration, server configuration and monitoring. Another aspect that should not be overlooked, however, involves DNS structure and design.

When designing the DNS structure, keep in mind certain principles and practices that will affect the overall name resolution performance in the network. DNS structures that are patched together or not well thought out will work, but they have pockets of failure that will affect AD performance. That is why adherence to best practices in the DNS structure is extremely important in creating an efficient and productive Active Directory.
0
 
LVL 3

Expert Comment

by:Johneil1
ID: 24412817
Please view this simple example and see if it helps a little.
0
 

Author Comment

by:jskfan
ID: 24472334
Regarding security...
The public DNS, even though it's not between 2 physical firewalls, still receives public requests through the firewall and does the NATing (public to private IP translation) through the same firewall.
I think it's the same as putting the public DNS between 2 firewalls.
Correct?
0
 
LVL 14

Accepted Solution

by:
Roachy1979 earned 1600 total points
ID: 24472462
Not quite....

You see, if the DNS server is compromised through a flaw or vulnerability, and it sits on the same network (LAN) as client machines, the vulnerability could be exploited to control/administer other machines on the LAN, as traffic is permitted between the DNS server and other machines on the LAN.

Although most known exploits that could carry this risk are patched, it's an extra risk....there have been many exploits regarding Microsoft's implementation of DNS in the past...an example would be http://www.microsoft.com/technet/security/advisory/935964.mspx

You need some form of separation between the DNS server that is handling public requests and the local area network.....without this you are exposing yourself to significant risk.

A DMZ is a good way of handling this, as if the DNS server is compromised and someone else has administrative control over it, it still cannot then be used to compromise other machines on your network.....worst case scenario is nowhere near as bad (potential cache poisoning, or use in some form of remote attack on a third party...)
0
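The three-interface DMZ that Roachy1979 describes (the Internet may reach only DNS in the DMZ, the LAN may initiate to the DMZ, the DMZ may never initiate to the LAN), as an added iptables example that is not from the thread. It assumes a Linux firewall with eth0 facing the Internet, eth1 the LAN (10.10.10.0/24) and eth2 the DMZ (172.16.1.0/24), and a public DNS host at 172.16.1.53 published on 204.204.204.204; by default it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): three-interface DMZ policy with iptables.
# Assumptions: eth0 = Internet, eth1 = LAN (10.10.10.0/24), eth2 = DMZ (172.16.1.0/24);
# the public DNS server lives in the DMZ at 172.16.1.53 and is published on 204.204.204.204.
# Dry run by default: rules are printed. Run as root with IPT=iptables to apply them.
IPT=${IPT:-"echo iptables"}
WAN=eth0; LAN=eth1; DMZ=eth2
LAN_NET=10.10.10.0/24; DMZ_NET=172.16.1.0/24
DNS_DMZ=172.16.1.53; DNS_PUB=204.204.204.204

dmz_policy() {
    $IPT -P FORWARD DROP                     # default deny between all zones
    $IPT -F FORWARD; $IPT -t nat -F PREROUTING; $IPT -t nat -F POSTROUTING

    # Replies to already established flows pass in every direction; only NEW
    # connections are policed below, which is what makes LAN->DMZ one-way.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Internet -> DMZ: only port 53 (UDP, plus TCP for large answers) to the DNS host.
    $IPT -t nat -A PREROUTING -i $WAN -d $DNS_PUB -p udp --dport 53 -j DNAT --to-destination $DNS_DMZ
    $IPT -t nat -A PREROUTING -i $WAN -d $DNS_PUB -p tcp --dport 53 -j DNAT --to-destination $DNS_DMZ
    $IPT -A FORWARD -i $WAN -o $DMZ -d $DNS_DMZ -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $DMZ -d $DNS_DMZ -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # LAN -> DMZ and LAN -> Internet may be initiated; outbound traffic is masqueraded.
    $IPT -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DMZ_NET -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
    # DMZ -> Internet may be initiated (the DNS server's own upstream lookups).
    $IPT -A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -m conntrack --ctstate NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE

    # DMZ -> LAN: logged and dropped, so a compromised DNS host cannot reach the LAN.
    $IPT -A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix "DMZ->LAN blocked: "
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP
}

dmz_policy
```

Watch the kernel log for the "DMZ->LAN blocked:" prefix; any hit from 172.16.1.53 is the DNS host trying to initiate into the LAN, which a healthy DNS server never needs to do.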