Solved

The concept of DMZ

Posted on 2009-05-14
Last Modified: 2012-06-21
In one company environment they have 2 DNS servers in the network. One of them holds records with public IP addresses and the other DNS holds records with private IP addresses.
They use one firewall facing the Internet, and it also does the one-record-to-one-record translation between the DNS that holds the records with public IPs and the DNS that holds the records with private IPs.

I would like to know if this is called a DMZ? Or is it a DMZ only if they had the DNS with public IPs sitting between 2 firewalls? What is the difference?

Thanks

Question by:jskfan

Expert Comment

by:Roachy1979
The purpose of a DMZ is to segregate traffic between public facing services and private services....effectively so that no machines on the LAN have any services visible to the public internet.  This is conventionally achieved by having 2 firewalls....or by having a firewall with an interface assigned to the DMZ to facilitate filtering of traffic between the DMZ, public interface and the LAN.

It sounds like what you have there is a DNS server on the LAN that handles public DNS requests.  If this is the case, this is almost certainly considered less secure than a DMZ configuration....

See http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

and

http://compnetworking.about.com/cs/networksecurity/g/bldef_dmz.htm

Author Comment

by:jskfan
> It sounds like what you have there is a DNS server on the LAN that handles public DNS requests. If this is the case, this is almost certainly considered less secure than a DMZ configuration....

Why is it less secure, since the one-to-one record translation is done through the firewall?

Can you also explain how the process runs, starting from the request initiated by an Internet user all the way to the response he/she receives?

Thanks

Author Comment

by:jskfan
Any updates??

Expert Comment

by:Roachy1979
The DMZ effectively stops permitted traffic..... I'll try to draw this out for you.

INTERNET>>>>>>><<<<<<<<DMZ<<<<<<<<<LAN

As you can see - the DMZ allows traffic in and outbound...this allows your DNS servers to respond to queries, and it allows machines in your DMZ to access the internet (you might want to run a proxy in the DMZ for example...)  LAN traffic can only be established one way.....this means that if a vulnerability is exploited on your public DNS server, it won't compromise your whole LAN....machines on your LAN can initiate conversation with DMZ machines, but the DMZ can't talk to the LAN machines....

As for part 2 of the question...
>can you also explain how the process takes route starting from the Request initiated by an internet user all the way to the response he/she receives?

Are you referring to DNS again here....if so, have a look at http://computer.howstuffworks.com/dns3.htm and onwards....there's a pretty good flow chart on the MS site to help you visualise it...http://www.microsoft.com/windows/windows2000/en/advanced/help/sag_DNS_und_HowDnsWorks.htm

Hope this helps

Author Comment

by:jskfan
I downloaded it and started the Nessus client. Now when I add an IP address of a host or a subnet to scan,
it starts and shows "Logging into the remote scanner",
then a message pops up saying: "it was not possible to connect to the remote host. make sure the host IP and port are correct and that the Nessus server service is running"

I looked in services and didn't see the Nessus server service at all.

Expert Comment

by:Roachy1979
I think you replied to the wrong thread...but I'll jump over to that one too, to see if I can help!

Author Comment

by:jskfan
Sorry, I did.
Author Comment

by:jskfan
I meant, for this scenario where they have the public DNS inside the LAN and not in the DMZ, how do they configure their firewall to work with the public DNS?
One thing that I am sure of, and that might help you get an idea about the network, is that the public DNS server has the same records as the internal DNS server. For instance, if you find in the public DNS a record XYZ.com 204.204.204.204, you will find in the internal DNS the same record with a private IP address, XYZ.com 10.10.10.10.

Expert Comment

by:Roachy1979
Yes....that's the right way to configure it in Windows - separate servers for public and private.  To be honest I avoid hosting my own public DNS.....it's yet another hole in the firewall that I don't particularly want....and both Windows and BIND have had their share of vulnerabilities in the past.  The risk of a DNS server being compromised and that having a knock-on effect on the rest of the LAN is too great....

Recently I discovered editdns http://www.editdns.net/ who provide a hosted DNS service free of charge.....they seem to have good uptime and are pretty good.  Alternatively I'd recommend using your domain registrar who should allow you to make/modify your DNS records via a web based interface.....unless there is some real value in the public DNS server being sat on your LAN, I'd get it out of there and get it hosted off site, or at the very least, get it in a DMZ...

That said....if you absolutely must have the DNS server there, DNS requests come in on UDP port 53.....so that's the port you'll need to forward on your firewall...

Author Comment

by:jskfan
So it sounds like they are using the one firewall both for receiving DNS traffic from the Internet and for NATting the public IPs from the public DNS to the internal DNS.

Expert Comment

by:Roachy1979
The public DNS and internal DNS are 2 servers in their own right (which is how it should be).  The 2 don't need to be connected, and again I emphasise that they really shouldn't have a public DNS server sat on their LAN. If they just want to resolve the public FQDNs to machines on their LAN then split DNS would be a better way of doing it (creating a zone file on the private DNS server to resolve public addresses to local names).

Assisted Solution

by:Johneil1
Johneil1 earned 100 total points
Okay, their internal DNS should be something like company.local or company.dns, which, like the gentleman said earlier, segregates their internal DNS from their external DNS: .com, .org, .biz etc.......

When working with the domain name system (DNS) for Active Directory, there are several key components to be aware of regarding client configuration, server configuration and monitoring. Another aspect that should not be overlooked, however, involves DNS structure and design.

When designing the DNS structure, keep in mind certain principles and practices that will affect the overall name resolution performance in the network. DNS structures that are patched together or not well thought out will work, but they have pockets of failure that will affect AD performance. That is why adherence to best practices in the DNS structure is extremely important in creating an efficient and productive Active Directory.

Expert Comment

by:Johneil1
Please view this simple example and see if it helps a little.

Author Comment

by:jskfan
Regarding security...
The public DNS, even though it's not between 2 physical firewalls, still receives public requests through the firewall and does the NATting (public-to-private IP translation) through the same firewall.
I think it's the same as putting the public DNS between 2 firewalls.
Correct?

Accepted Solution

by:Roachy1979
Roachy1979 earned 400 total points
Not quite....

You see, if the DNS server is compromised through a flaw or vulnerability, and it sits on the same network (LAN) as client machines, the vulnerability could be exploited to control/administer other machines on the LAN, as traffic is permitted between the DNS server and other machines on the LAN.

For all that most known exploits that could carry this risk are patched, it's an extra risk....there have been many exploits regarding Microsoft's implementation of DNS in the past...an example would be http://www.microsoft.com/technet/security/advisory/935964.mspx

You need some form of separation between the DNS server that is handling public requests and the local area network.....without this you are exposing yourself to significant risk.

A DMZ is a good way of handling this, as if the DNS server is compromised and someone else has administrative control over it, it still cannot then be used to compromise other machines on your network.....worst case scenario is nowhere near as bad (potential cache poisoning, or use in some form of remote attack on a third party...)
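As an added example (not code from the thread or either participant), a small zone-based firewall model that evaluates both designs discussed here: the public DNS server in a DMZ behind a three-interface firewall versus on the LAN behind a simple port-forward. The addresses, host names and rule set are assumptions constructed to mirror the posts; the last function asks the accepted answer's question directly, whether a compromised public DNS server could open a session to a LAN host.

```python
# Zone-based firewall model of the DMZ design discussed above. Added example,
# not from the original thread; the address plan and rule set are constructed
# to mirror the text: the Internet reaches public DNS on UDP/53, the LAN may
# initiate to the DMZ, the DMZ may not initiate to the LAN, and traffic that
# stays inside one segment never crosses the firewall at all.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ZONES = {"dmz": ip_network("192.0.2.0/24"), "lan": ip_network("10.10.10.0/24")}
PUBLIC_DNS_DMZ, PUBLIC_DNS_LAN = "192.0.2.53", "10.10.10.53"   # constructed
FILE_SERVER, INTERNET_CLIENT = "10.10.10.20", "203.0.113.7"    # constructed

def zone_of(ip: str) -> str:
    """Zone holding the address; anything outside DMZ/LAN is the Internet."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "internet")

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

# Three-interface firewall (Internet / DMZ / LAN), public DNS in the DMZ.
DMZ_POLICY = [
    Rule("internet", "dmz", "udp", 53),  # public DNS queries reach the DMZ
    Rule("dmz", "internet"),             # DMZ hosts (DNS, proxy) may reach out
    Rule("lan", "dmz"),                  # LAN may initiate to DMZ services
    Rule("lan", "internet"),             # LAN browsing via the firewall
]                                        # no dmz -> lan rule: denied by default

# Two-interface firewall with the public DNS on the LAN (the setup asked about).
LAN_POLICY = [
    Rule("internet", "lan", "udp", 53),  # UDP/53 forwarded straight into the LAN
    Rule("lan", "internet"),
]

def permitted(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> bool:
    """Stateful first-match check of a *new* flow, default deny; replies are
    implied. Flows inside one segment never traverse the firewall, so they pass."""
    s, d = zone_of(src), zone_of(dst)
    return s == d or any(
        r.src_zone == s and r.dst_zone == d
        and r.proto in (None, proto) and r.dport in (None, dport)
        for r in policy)

def can_pivot_to_lan(policy: List[Rule], dns_server: str) -> bool:
    """Could a compromised public DNS server open a session to a LAN file server?"""
    return permitted(policy, dns_server, FILE_SERVER, "tcp", 445)
```

Running `can_pivot_to_lan` against both policies shows the difference the accepted answer describes: with the server in the DMZ the inward flow is dropped, while on the LAN it never touches the firewall.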