CProp
asked on
DNS Configuration Best Practice
Hello
I'm having an issue with external consultant that came in to assess our network and reported to management that we have important security risk with the way our DNS service is configured.
We are currently running Microsoft DNS on four Windows 2003 servers and we currently have our ISP's DNS servers and Google DNS (8.8.8.8) specified in our forwarder list.
I'm trying to research to see if we are really at ''risk'' with our current setup, were we do use a DNS server on DMZ.
We do not have Web servers at our site and our MX records are configured with https:/easyDNS.com.
I have heard different stories about forwarders and I'm trying t get a feel for what the best practice regarding forwarders is.
There are those that insist that is is a best practice to have DNS servers on your LAN for internal resolution and forward your external DNS request to a DNS server on your DMZ. This DNS server can point to your ISP, Google DNS or even root hints servers.
I guess, for a quick win I could put OpenDNS instead of my ISP, but not sure of best way moving forward.
Any help would be really appreciated.
CP
I'm having an issue with external consultant that came in to assess our network and reported to management that we have important security risk with the way our DNS service is configured.
We are currently running Microsoft DNS on four Windows 2003 servers and we currently have our ISP's DNS servers and Google DNS (8.8.8.8) specified in our forwarder list.
I'm trying to research to see if we are really at ''risk'' with our current setup, were we do use a DNS server on DMZ.
We do not have Web servers at our site and our MX records are configured with https:/easyDNS.com.
I have heard different stories about forwarders and I'm trying t get a feel for what the best practice regarding forwarders is.
There are those that insist that is is a best practice to have DNS servers on your LAN for internal resolution and forward your external DNS request to a DNS server on your DMZ. This DNS server can point to your ISP, Google DNS or even root hints servers.
I guess, for a quick win I could put OpenDNS instead of my ISP, but not sure of best way moving forward.
Any help would be really appreciated.
CP
Last Comment
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
motnahp00
Make sure your internal DNS servers are not accepting replication from your DNS servers within your perimeter network. Also make sure you are only accepting secure dynamic updates to avoid DNS poisoning.
ASKER
Interesting comments BelushiLomax. I really appreciate it.
Concerning the DNS entries in TCP/IP, would you have any issues with this setup:
I have a couple of servers (IIS + SQL) sitting on DMZ setup as a workgroup. They communicate with each other with their host files. However, DNS entries in TCP/IP settings are configured as 8.8.8.8 as preferred DNS server and 8.8.4.4 as Alternate.
Internal client accessing website (IIS) access it through public IP of website.
Thanks in advance for your help.
CP
Concerning the DNS entries in TCP/IP, would you have any issues with this setup:
I have a couple of servers (IIS + SQL) sitting on DMZ setup as a workgroup. They communicate with each other with their host files. However, DNS entries in TCP/IP settings are configured as 8.8.8.8 as preferred DNS server and 8.8.4.4 as Alternate.
Internal client accessing website (IIS) access it through public IP of website.
Thanks in advance for your help.
CP
DNS
The Domain Name System (DNS) is a hierarchical, globally distributed system responsible for associating the name of a computer, service or other resource into an IP address for connecting to the Internet or a private network. Most prominently, it translates domain names to the numerical IP addresses needed for the purpose of computer services and devices worldwide.
29K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
