Solved

DMZ Name Resolution Best Practice

Posted on 2009-07-01
1
1,799 Views
Last Modified: 2012-05-07
Hello, my question is more of a design/best practice question, no real issue...

What is the best way to configure DNS/name resolution for servers in the DMZ for both internal name resolution as well as external resolution.

I'll start with Internal:  If you have an application that needs access to a specific service behind the firewall, say for example a DB server.  It obviously isn't best practice to use/hard code an IP address for the DB server in the configuration of the application needing access to the DB server so you are stuck with DNS name.  Somehow we need to resolve the DNS name to an IP.  Is it better to use the hosts file or use some type of DNS server?  If DNS is the best method is it better to have a DNS server in the DMZ that houses a zone copy of internal records or is it better to pinhole the firewall and give access to an internal DNS server?

External:
Use a DNS server in the DMZ that will perform recursive lookups or use an all together external server to perform the recursive lookups?

Any help would be greatly appreciated....

Blake
0
Comment
Question by:isoperations
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 25

Accepted Solution

by:
Ron Malmstead earned 500 total points
ID: 24756390
Well let's start with the purpose of the DMZ.

We put those servers there to segreggate them from the network.  In the event they are comprimised, they do not have full access to the network.  As far as a router/firewall is concerned, it's a seperate network entity.

That being said.... we might not want the dmz servers to be able to resolve all the internal hosts...just the ones they need to function and communicate with directly.

You could give the server access to your internal dns servers through firewall rules....but some might construe that as a  weakening the restrictive purpose of the dmz.

In most cases, people need some traffic types to be able to traverse the dmz, (often times SQL)...but the best practice is to only do it when there is no other solution.

The idea of having another dns server, zone copy, is basically the same thing...unless you manage exactly what records are in the zone.

In short...if there are only a few hosts it needs to contact directly, then I would use a host file, or don't use hostname mappings but rather IP address for everything.  It's usually the pinhole that gets exploited first....so avoid it if you can.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question