Asked by 1trod
DMZ DNS server

I have never set up a DMZ before and was wondering if someone could provide me with some guidance and links with regards to the procedures for configuring a DNS server within the DMZ.  Furthermore, does the DNS server need to be placed on a separate box or can it be placed on the same one as the web server in order to reduce the amount of hardware needed?
Chris Dent:
What's the DNS server to do? Host a public zone?

Which operating system / which DNS service?

If they're both on the same system you'd have to account for the additional load (memory usage, network usage, etc). And there is an implied risk associated with loading the service onto the same box as the web server. It increases the area which can be attacked, however risk should always be carefully weighed against the cost.

How many clients do you think you're likely to service? For a few thousand a month, it's not really much of a risk and DNS won't be heavily loaded. A few million (or more) a month and it would perhaps be worth rethinking that.

Chris
1trod (asker):
Its purpose is mainly for our use to remote into our network along with allowing our development folks an area to test before placing it on to the Coast Guard servers.  It will not be tasked to do much more beyond that except for users opening tickets on the RT server which we plan to put in the DMZ as well.  I have the hardware available to be able to put it on its own separate box but I wanted to find out if it was a security issue like I thought it might be, and from what you say, I see that it is.  I guess the main thing I'm really looking for are some best practices, or links to them, which give details about the setup and configuration.

Exposing anything to the public is a risk; a DMZ is one mechanism of managing that risk. It's quite a limited risk though, and if you need to run a public DNS server it's a necessary one.

Mind you, from your description, will you even need to allow the public into it? Or is it purely for internal development?

The most common best practices for running public DNS servers are:

1. Disable Recursion. If a DNS server exists to serve public zones it should refuse requests to resolve non-authoritative names via recursion or forwarders.
2. Only ever advertise Name Server / SOA records which are listed at the parent (registrar) and publicly accessible.

And really... that's about it.

Chris
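The two practices Chris lists above can be applied and checked from PowerShell on a Windows DNS server. The script below is an added example, not part of the original thread or written by any participant; it assumes Windows Server 2012 or later with the DnsServer module (the thread's "forwarders" and "advanced" tabs refer to the older DNS console, where the same settings are changed by hand). The zone name and the list of name servers delegated at the registrar are placeholders.

```powershell
# Added example (not from the original thread). Assumes Windows Server 2012+ with the
# DnsServer PowerShell module. $Zone and $RegistrarNsNames are placeholders.
Import-Module DnsServer

$Zone             = 'example.com'                                # placeholder: public zone hosted in the DMZ
$RegistrarNsNames = @('ns1.example.com.', 'ns2.example.com.')   # placeholder: NS names delegated at the parent

# Best practice 1: an authoritative-only server must not resolve names it is not
# authoritative for, neither by recursion nor by handing the query to a forwarder.
Set-DnsServerRecursion -Enable $false
$fwd = Get-DnsServerForwarder
if ($fwd.IPAddress) {
    Remove-DnsServerForwarder -IPAddress $fwd.IPAddress -Force
}

# Best practice 2: every NS record the zone advertises, and the SOA primary server,
# must be a name that is actually delegated at the registrar and publicly reachable.
$advertisedNs = Get-DnsServerResourceRecord -ZoneName $Zone -RRType NS -Name '@' |
                ForEach-Object { $_.RecordData.NameServer }
$soaPrimary   = (Get-DnsServerResourceRecord -ZoneName $Zone -RRType SOA).RecordData.PrimaryServer

$stray = @($advertisedNs + $soaPrimary) | Where-Object { $RegistrarNsNames -notcontains $_ } | Sort-Object -Unique

# Report the resulting state so the change can be verified rather than assumed.
if ((Get-DnsServerRecursion).Enable) {
    Write-Warning 'Recursion is still enabled on this server'
} else {
    Write-Output 'Recursion disabled; server answers only for its own zones'
}
if ($stray) {
    Write-Warning "Records advertised but not delegated at the parent: $($stray -join ', ')"
} else {
    Write-Output "NS/SOA records for $Zone match the registrar delegation"
}
```

Disabling recursion also means this server can no longer act as a forwarder target for the internal DNS servers; if internal resolution through the DMZ box is required, that is a separate, recursion-enabled role and should not be combined with the public authoritative server.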
1trod (asker):
Thanks for the information, I have one last question with regards to recursion.  I found the ability to block it on both the forwarders and advanced tabs, with the latter also having the ability to block forwarders.  Which would you recommend activating, and why?  The reason I ask is that they want to use the DNS server in the DMZ to forward requests out to the internet from the internal DNS servers and to also allow the internal machines access to the DMZ.  I was thinking of continuing the current procedure of forwarding requests from the internal servers and then adding a conditional forwarder to allow access to the DMZ, but I'm not sure and any help would be greatly appreciated.  Thanks.
ASKER CERTIFIED SOLUTION
Chris Dent
(This solution is only available to members of Experts Exchange.)
1trod (asker):
Thanks that was the way I saw it too.  Now I just need to get them to see it.

Good luck!

Chris