DMZ DNS server

1trod
I have never set up a DMZ before and was wondering if someone could provide me with some guidance and links with regards to the procedures for configuring a DNS server within the DMZ. Furthermore, does the DNS server need to be placed on a separate box or can it be placed on the same one as the web server in order to reduce the amount of hardware needed?
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

What's the DNS server to do? Host a public zone?

Which operating system / which DNS service?

If they're both on the same system you'd have to account for the additional load (memory usage, network usage, etc). And there is an implied risk associated with loading the service onto the same box as the web server. It increases the area which can be attacked, however risk should always be carefully weighed against the cost.

How many clients do you think you're likely to service? For a few thousand a month, it's not really much of a risk and DNS won't be heavily loaded. A few million (or more) a month and it would perhaps be worth rethinking that.

Chris

Author

Commented:
Its purpose is mainly for our use to remote into our network along with allowing our development folks an area to test before placing it on to the Coast Guard servers. It will not be tasked to do much more beyond that except for users opening tickets on the RT server which we plan to put in the DMZ as well. I have the hardware available to be able to put it on its own separate box but I wanted to find out if it was a security issue like I thought it might be, and from what you say, I see that it is. I guess the main thing I'm really looking for are some best practices, or links to them, which give details about the setup and configuration.
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

Exposing anything to the public is a risk, a DMZ is one mechanism of managing that risk. It's quite a limited risk though, and if you need to run a public DNS server it's a necessary one.

Mind you, from your description, will you even need to allow the public into it? Or is it purely for internal development?

The most common best practices for running public DNS servers are:

1. Disable Recursion. If a DNS server exists to serve public zones it should refuse requests to resolve non-authoritative names via recursion or forwarders.
2. Only ever advertise Name Server / SOA records which are listed at the parent (registrar) and publicly accessible.

And really... that's about it.

Chris

Author

Commented:
Thanks for the information, I have one last question with regards to recursion. I found the ability to block it on both the forwarders and advanced tabs with the latter also having the ability to block forwarders. Which would you recommend activating, and why? The reason I ask is that they want to use the DNS server in the DMZ to forward requests out to the internet from the internal DNS servers to also allow the internal machines access to the DMZ. I was thinking of continuing the current procedure of forwarding requests from the internal servers and then adding a conditional forwarder to allow access to the DMZ but I'm not sure and any help would be greatly appreciated. Thanks.
Chris Dent, PowerShell Developer
Top Expert 2010
Commented:

> Which would you recommend activating, and why?

For a public server hosting public zones I would disable recursion entirely under Properties / Advanced / Disable Recursion.

Public DNS servers should only answer requests for the domains they are authoritative for, unless you are actively providing a resolver as a service.

Allowing recursion opens up your server to abuse (even if that is unlikely), which is generally an unnecessary risk.

If forwarders for DNS servers on the internal network are desirable I would use an ISP's servers. Conditional forwarders will deal with passing requests into the DMZ if required.

Chris
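As an added example (not code from this thread or from either participant), a PowerShell script that checks and applies the practices given in the two answers above on Windows DNS: recursion and forwarders off on the DMZ server, and on the internal servers, the ISP's resolvers as forwarders plus a conditional forwarder for the DMZ zone. It assumes the DnsServer module (Windows DNS role or RSAT) and uses placeholder zone names and addresses.

```powershell
# Added example, not from the thread. Assumes the DnsServer module; zone names
# and addresses below are placeholders (RFC 5737 documentation ranges).
#Requires -Modules DnsServer

function Test-DmzDnsServer {
    # Run ON the DMZ server: it should answer only for its own zones.
    param([switch]$Fix)
    $findings = @()

    # 1. Recursion (GUI: Properties / Advanced / Disable Recursion).
    if ((Get-DnsServerRecursion).Enable) {
        $findings += 'Recursion is ENABLED: server resolves names it is not authoritative for.'
        if ($Fix) { Set-DnsServerRecursion -Enable $false }
    }

    # 2. Forwarders: an authoritative-only server should have none.
    $fwd = Get-DnsServerForwarder
    if ($fwd.IPAddress) {
        $findings += "Forwarders configured: $($fwd.IPAddress -join ', ')"
        if ($Fix) { Remove-DnsServerForwarder -IPAddress $fwd.IPAddress -Confirm:$false }
    }

    # 3. List the apex NS records of each hosted zone so they can be compared with
    #    the delegation at the parent (registrar); anything not listed there goes.
    $zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -in 'Primary', 'Secondary' }
    foreach ($z in $zones) {
        $ns = Get-DnsServerResourceRecord -ZoneName $z.ZoneName -RRType NS -Node
        $findings += "Zone $($z.ZoneName) advertises NS: $($ns.RecordData.NameServer -join ', ')"
    }
    return $findings
}

function Set-InternalDnsForwarding {
    # Run ON an internal DNS server: send Internet lookups to the ISP resolvers,
    # and only the DMZ zone to the DMZ server via a conditional forwarder.
    param(
        [string[]]$IspResolvers  = @('203.0.113.1', '203.0.113.2'), # placeholder ISP resolvers
        [string]  $DmzZone       = 'dmz.example.test',              # placeholder DMZ zone
        [string[]]$DmzDnsServers = @('192.0.2.53')                  # placeholder DMZ DNS server
    )
    Set-DnsServerForwarder -IPAddress $IspResolvers -UseRootHint $false
    if (-not (Get-DnsServerZone -Name $DmzZone -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $DmzZone -MasterServers $DmzDnsServers
    }
}

# Usage: on the DMZ box run Test-DmzDnsServer -Fix; on an internal server run Set-InternalDnsForwarding
```

Running Test-DmzDnsServer without -Fix only reports, so it can be scheduled as a periodic check that recursion has not been switched back on.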

Author

Commented:
Thanks that was the way I saw it too.  Now I just need to get them to see it.
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

Good luck!

Chris
