DNS Configuration Best Practice

CProp
Hello
I'm having an issue with an external consultant who came in to assess our network and reported to management that we have an important security risk with the way our DNS service is configured.

We are currently running Microsoft DNS on four Windows 2003 servers and we currently have our ISP's DNS servers and Google DNS (8.8.8.8) specified in our forwarder list.

I'm trying to research to see if we are really at "risk" with our current setup, where we do use a DNS server on the DMZ.
We do not have Web servers at our site and our MX records are configured with https://easyDNS.com.

I have heard different stories about forwarders and I'm trying to get a feel for what the best practice regarding forwarders is.

There are those who insist that it is a best practice to have DNS servers on your LAN for internal resolution and forward your external DNS requests to a DNS server on your DMZ. This DNS server can point to your ISP, Google DNS or even root hints servers.

I guess, for a quick win, I could put OpenDNS instead of my ISP, but I'm not sure of the best way moving forward.

Any help would be really appreciated.

CP

You can forward your DNS "best practice" to your ISP. In reality it isn't any better than Google.
What you DON'T want is your internal machines having public DNS entries in their TCP/IP settings (especially servers). Forwarders are OK, but lots of times they will tell you to limit it to your ISP's name servers. You'll usually get better ping times to 8.8.8.8, 8.8.4.4, etc., but since they are "public" they aren't as secure to analysts.
I disable root hints if at all possible. They are subject to change and may be on the other side of the world. Last-ditch but not needed these days, IMHO.
I really like having another DNS server (2 for redundancy) not on the domain as forwarders in between the domain and the world. Whether or not you put them in the DMZ is up to your specific needs. Have all your DNS servers point back to 2 who forward to the intermediary, then to ISP/Google etc. (assuming you have more than 2 domain controllers/DNS servers).
Make sure your internal DNS servers are not accepting replication from your DNS servers within your perimeter network. Also make sure you are only accepting secure dynamic updates to avoid DNS poisoning.
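
An added example, not part of the answer above or of anything posted in this thread: a Python script that checks a constructed inventory against the recommendations in that answer (no public DNS in client TCP/IP settings, root hints off, secure-only dynamic updates, internal servers reaching the internet only through an intermediary forwarder). All host names, zone names and 10.x addresses are assumptions made for the example.

```python
import ipaddress

# Constructed inventory: all host names, zones and 10.x addresses are hypothetical.
SERVERS = {
    "dc1":  {"ip": "10.0.0.10", "role": "internal", "root_hints": False,
             "forwarders": ["10.0.0.53"], "zones": {"corp.example": "secure"}},
    "dc2":  {"ip": "10.0.0.11", "role": "internal", "root_hints": True,
             "forwarders": ["8.8.8.8"], "zones": {"corp.example": "nonsecure"}},
    "fwd1": {"ip": "10.0.0.53", "role": "intermediary", "root_hints": False,
             "forwarders": ["8.8.8.8", "8.8.4.4"], "zones": {}},
}
CLIENTS = {"ws01": ["10.0.0.10", "10.0.0.11"], "app01": ["10.0.0.10", "8.8.8.8"]}

def is_public(ip):
    """True for globally routable addresses such as 8.8.8.8."""
    return ipaddress.ip_address(ip).is_global

def egress_servers(name, servers, seen=None):
    """Follow the forwarder chain from `name`; return servers that query public resolvers."""
    seen = set() if seen is None else seen
    if name in seen:  # guard against forwarding loops
        return set()
    seen.add(name)
    by_ip = {cfg["ip"]: n for n, cfg in servers.items()}
    out = set()
    for ip in servers[name]["forwarders"]:
        if is_public(ip):
            out.add(name)
        elif ip in by_ip:
            out |= egress_servers(by_ip[ip], servers, seen)
    return out

def audit(servers, clients):
    """Return (host, finding, detail) tuples for each deviation from the advice."""
    findings = []
    for host in sorted(clients):
        findings += [(host, "public DNS in TCP/IP settings", ip)
                     for ip in clients[host] if is_public(ip)]
    for name in sorted(servers):
        cfg = servers[name]
        if cfg["root_hints"]:
            findings.append((name, "root hints enabled", ""))
        findings += [(name, "non-secure dynamic updates", zone)
                     for zone, mode in sorted(cfg["zones"].items()) if mode != "secure"]
        if cfg["role"] == "internal":
            findings += [(name, "internal server is an egress point", e)
                         for e in sorted(egress_servers(name, servers))
                         if servers[e]["role"] == "internal"]
    return findings

if __name__ == "__main__":
    for finding in audit(SERVERS, CLIENTS):
        print(finding)
```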

Author

Commented:
Interesting comments BelushiLomax. I really appreciate it.

Concerning the DNS entries in TCP/IP, would you have any issues with this setup:
I have a couple of servers (IIS + SQL) sitting on the DMZ, set up as a workgroup. They communicate with each other with their host files. However, DNS entries in TCP/IP settings are configured as 8.8.8.8 as preferred DNS server and 8.8.4.4 as alternate.
Internal clients accessing the website (IIS) access it through the public IP of the website.

Thanks in advance for your help.

CP
