jskfan asked:

The concept of DMZ

In one company environment they have 2 DNS servers in the network. One of them holds records with public IP addresses and the other DNS holds records with private IP addresses.
They use one firewall facing the Internet, and it also does the translation, one record to one record, between the DNS that holds the records with public IPs and the DNS that holds records with private IPs.

I would like to know if this is called a DMZ? Or is it a DMZ if they had the DNS with public IPs sitting between 2 firewalls? What is the difference?

thanks

Roachy1979:

The purpose of a DMZ is to segregate traffic between public facing services and private services....effectively so that no machines on the LAN have any services visible to the public internet.  This is conventionally achieved by having 2 firewalls....or by having a firewall with an interface assigned to the DMZ to facilitate filtering of traffic between the DMZ, public interface and the LAN.

It sounds like what you have there is a DNS server on the LAN that handles public DNS requests.  If this is the case, this is almost certainly considered less secure than a DMZ configuration....

See http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

and

http://compnetworking.about.com/cs/networksecurity/g/bldef_dmz.htm
jskfan (asker):

<<It sounds like what you have there is a DNS server on the LAN that handles public DNS requests.  If this is the case, this is almost certainly considered less secure than a DMZ configuration....>>
Why is it less secure, since the one-to-one record translation is done through the firewall?

Can you also explain how the process takes its route, starting from the request initiated by an Internet user all the way to the response he/she receives?

Thanks
jskfan (asker):

Any updates??
The DMZ effectively stops permitted traffic..... I'll try to draw this out for you.

INTERNET>>>>>>><<<<<<<<DMZ<<<<<<<<<LAN

As you can see - the DMZ allows traffic in and outbound...this allows your DNS servers to respond to queries, and it allows machines in your DMZ to access the internet (you might want to run a proxy in the DMZ for example...)  LAN traffic can only be established one way.....this means that if a vulnerability is exploited on your public DNS server, it won't compromise your whole LAN....machines on your LAN can initiate conversation with DMZ machines, but the DMZ can't talk to the LAN machines....

As for part 2 of the question...
>can you also explain how the process takes route starting from the Request initiated by an internet user all the way to the response he/she receives?

Are you referring to DNS again here....if so, have a look at http://computer.howstuffworks.com/dns3.htm and onwards....there's a pretty good flow chart on the MS site to help you visualise it...http://www.microsoft.com/windows/windows2000/en/advanced/help/sag_DNS_und_HowDnsWorks.htm

Hope this helps



jskfan (asker):

I downloaded it and started the Nessus client. Now when I add an IP address of a host or a subnet to scan,
it starts and shows "Logging into the remote scanner",
then a message pops up saying: "it was not possible to connect to the remote host. Make sure the host IP and port are correct and that the Nessus server service is running".

I looked in Services and didn't see the Nessus server service at all.
I think you replied to the wrong thread...but I'll jump over to that one too, to see if I can help!

jskfan (asker):

Sorry, I did.
jskfan (asker):

I meant, for this scenario where they have the public DNS inside the LAN and not in the DMZ, how do they configure their firewall to work with the public DNS?
One thing that I am sure of, and which might help you get an idea of the network, is that the public DNS server has the same records as the internal DNS server. For instance, if you find in the public DNS a record XYZ.com 204.204.204.204, you will find in the internal DNS the same record with a private IP address: XYZ.com 10.10.10.10.




Yes....that's the right way to configure it in Windows - separate servers for public and private.  To be honest I avoid hosting my own public DNS.....it's yet another hole in the firewall that I don't particularly want....and both Windows and BIND have had their share of vulnerabilities in the past.  The risk of a DNS server being compromised and that having a knock-on effect on the rest of the LAN is too great....

Recently I discovered editdns http://www.editdns.net/ who provide a hosted DNS service free of charge.....they seem to have good uptime and are pretty good.  Alternatively I'd recommend using your domain registrar who should allow you to make/modify your DNS records via a web based interface.....unless there is some real value in the public DNS server being sat on your LAN, I'd get it out of there and get it hosted off site, or at the very least, get it in a DMZ...

That said....if you absolutely must have the DNS server there, DNS requests come in on UDP port 53.....so that's the port you'll need to forward on your firewall...
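To make the traffic rules from the ASCII diagram above (Internet and DMZ both ways, LAN to DMZ one way only, DMZ never starting a conversation with the LAN) and the UDP port 53 forward just mentioned concrete, here is an added example that is not part of the thread: a small stateful policy model in Python run over constructed sample flows. Every address, subnet and port in it is an assumption chosen for illustration, and it stands in for the firewall's rule set rather than reproducing any vendor's syntax.

```python
"""Added example, not from the thread: a small model of the DMZ policy sketched
in the ASCII diagram (Internet <-> DMZ both ways, LAN -> DMZ one way, DMZ never
initiating towards the LAN) plus the UDP/53 forward mentioned later, evaluated
over constructed sample flows. All addresses, zones and ports are assumptions."""
import ipaddress
from dataclasses import dataclass

# Constructed topology: one firewall with three zones (the single-firewall
# variant from the first answer). The firewall's own public address is
# 203.0.113.1; anything not in a listed subnet is treated as "internet".
ZONES = {
    "lan": ipaddress.ip_network("10.10.10.0/24"),
    "dmz": ipaddress.ip_network("172.16.0.0/24"),
}
# Port forward (DNAT): (public address, proto, port) -> DMZ DNS server (assumed).
DNAT = {("203.0.113.1", "udp", 53): "172.16.0.10"}

# Zone-to-zone policy for NEW connections, first match wins, default deny.
# (src_zone, dst_zone, proto or None=any, dport or None=any, action)
RULES = [
    ("internet", "dmz", "udp", 53, "accept"),   # public DNS queries reach the DMZ resolver
    ("dmz", "internet", None, None, "accept"),  # DMZ hosts may reach out (e.g. a proxy)
    ("lan", "dmz", None, None, "accept"),       # LAN may initiate towards the DMZ...
    ("lan", "internet", None, None, "accept"),
    ("dmz", "lan", None, None, "drop"),         # ...but the DMZ never initiates to the LAN
    ("internet", "lan", None, None, "drop"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


class Firewall:
    """Stateful evaluator: replies to accepted connections pass without
    consulting RULES, which is what makes LAN -> DMZ usable while DMZ -> LAN
    stays closed for anything the DMZ host starts itself."""

    def __init__(self):
        self.conntrack = set()   # (src, dst, proto, dport) of accepted NEW flows

    def _dnat(self, flow):
        target = DNAT.get((flow.dst, flow.proto, flow.dport))
        return Flow(flow.src, target, flow.proto, flow.dport) if target else flow

    def packet(self, flow):
        flow = self._dnat(flow)
        for src, dst, proto, _ in self.conntrack:
            if (src, dst, proto) == (flow.dst, flow.src, flow.proto):
                return "accept"  # reply direction of a tracked connection
        pair = (zone_of(flow.src), zone_of(flow.dst))
        for src_zone, dst_zone, proto, port, action in RULES:
            if ((src_zone, dst_zone) == pair and proto in (None, flow.proto)
                    and port in (None, flow.dport)):
                if action == "accept":
                    self.conntrack.add((flow.src, flow.dst, flow.proto, flow.dport))
                return action
        return "drop"  # default deny


def demo():
    """Run the constructed flows through the policy and return the verdicts."""
    fw = Firewall()
    return {
        # Internet client queries the public DNS via the firewall's public IP.
        "dns_query": fw.packet(Flow("198.51.100.7", "203.0.113.1", "udp", 53)),
        # The DMZ resolver's answer goes back to the client's ephemeral port.
        "dns_reply": fw.packet(Flow("172.16.0.10", "198.51.100.7", "udp", 40000)),
        # A compromised DMZ resolver tries to reach a LAN file server.
        "dmz_to_lan": fw.packet(Flow("172.16.0.10", "10.10.10.5", "tcp", 445)),
        # A LAN admin workstation opens SSH to the DMZ resolver...
        "lan_to_dmz": fw.packet(Flow("10.10.10.20", "172.16.0.10", "tcp", 22)),
        # ...and the DMZ host's reply to that session is allowed.
        "dmz_reply_to_lan": fw.packet(Flow("172.16.0.10", "10.10.10.20", "tcp", 50000)),
        # Direct Internet access to the LAN, and a non-DNS probe at the firewall.
        "internet_to_lan": fw.packet(Flow("198.51.100.7", "10.10.10.5", "tcp", 445)),
        "internet_to_fw_http": fw.packet(Flow("198.51.100.7", "203.0.113.1", "tcp", 80)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The point to take from the verdicts is the asymmetry: the DMZ resolver answers the Internet and can be managed from the LAN, yet a connection it starts towards the LAN on its own is dropped. In the setup from the question, where the public DNS sits on the LAN itself, there is no such boundary for the firewall to enforce once the DNS host is compromised.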
jskfan (asker):

So it sounds like they are using the one firewall both for receiving DNS traffic from the Internet and for NATting the public IPs from the public DNS to the internal DNS.
The public DNS and internal DNS are 2 servers in their own right (which is how it should be).  The 2 don't need to be connected, and again I emphasise that they really shouldn't have a public DNS server sat on their LAN. If they just want to resolve the public FQDNs to machines on their LAN then split DNS would be a better way of doing it (creating a zone file on the private DNS server to resolve public addresses to local names).
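To show what the split DNS suggestion looks like in practice, here is an added example that is not from the thread or from any DNS product: a toy split-horizon resolver in Python, modelled on the idea behind BIND views. The private server answers the public names with LAN addresses for LAN clients and with the public records for everyone else, so the two servers never need to talk to each other. XYZ.com, 204.204.204.204 and 10.10.10.10 are the values from the thread; the remaining names, addresses and the "internal"/"external" view names are constructed.

```python
"""Added example, not from the thread: a toy split-horizon ("split DNS")
resolver. The private DNS server answers public names with LAN addresses
for LAN clients while everyone else sees the public records, so the two
servers never need to be connected. Modelled on BIND's views; XYZ.com,
204.204.204.204 and 10.10.10.10 come from the thread, the other names
and addresses are constructed."""
import ipaddress

# Constructed view definitions; the first view whose ACL matches the client
# answers the query (same ordering rule as BIND match-clients).
VIEWS = [
    {
        "name": "internal",
        "match_clients": [ipaddress.ip_network("10.10.10.0/24")],
        "zones": {
            "xyz.com": {
                "xyz.com": "10.10.10.10",
                "mail.xyz.com": "10.10.10.25",
            }
        },
    },
    {
        "name": "external",
        "match_clients": [ipaddress.ip_network("0.0.0.0/0")],
        "zones": {
            "xyz.com": {
                "xyz.com": "204.204.204.204",
                "mail.xyz.com": "204.204.204.205",
                "www.xyz.com": "204.204.204.206",   # no internal twin: see check below
            }
        },
    },
]


def select_view(client_ip):
    addr = ipaddress.ip_address(client_ip)
    for view in VIEWS:
        if any(addr in net for net in view["match_clients"]):
            return view
    raise LookupError(f"no view matches client {client_ip}")


def resolve(name, client_ip):
    """A record that a client at client_ip receives for name; None means NXDOMAIN."""
    name = name.rstrip(".").lower()
    view = select_view(client_ip)
    for zone, records in view["zones"].items():
        if name == zone or name.endswith("." + zone):
            # Authoritative for the zone in this view: no fallback to another view.
            return records.get(name)
    return None


def missing_internal_records():
    """Names external clients can resolve but LAN clients cannot: the usual
    split-DNS slip when a public record is added without its internal twin."""
    by_name = {v["name"]: v for v in VIEWS}
    external = {n for zone in by_name["external"]["zones"].values() for n in zone}
    internal = {n for zone in by_name["internal"]["zones"].values() for n in zone}
    return sorted(external - internal)


if __name__ == "__main__":
    for client in ("10.10.10.20", "198.51.100.7"):
        print(client, "->", resolve("XYZ.com", client))
    print("external-only names:", missing_internal_records())
```

The `missing_internal_records` check is the operational caveat that comes with this design: because the internal view is authoritative and does not fall back to the public data, every public record needs its internal counterpart, or LAN users get NXDOMAIN for a name the rest of the world resolves fine.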



Johneil1:

Please view this simple example and see if it helps a little.
jskfan (asker):

Regarding security...
The public DNS, even though it's not between 2 physical firewalls, still receives public requests through the firewall and does the NATting (public-to-private IP translation) through the same firewall.
I think it's the same as putting the public DNS between 2 firewalls.
Correct?