CProp asked on

DNS Configuration Best Practice

Hello
I'm having an issue with an external consultant who came in to assess our network and reported to management that we have an important security risk in the way our DNS service is configured.

We are currently running Microsoft DNS on four Windows 2003 servers and we currently have our ISP's DNS servers and Google DNS (8.8.8.8) specified in our forwarder list.

I'm trying to research whether we are really at ''risk'' with our current setup, where we do use a DNS server on the DMZ.
We do not have Web servers at our site and our MX records are configured with https:/easyDNS.com.

I have heard different stories about forwarders and I'm trying to get a feel for what the best practice regarding forwarders is.

There are those who insist that it is a best practice to have DNS servers on your LAN for internal resolution and to forward your external DNS requests to a DNS server on your DMZ. This DNS server can point to your ISP, Google DNS or even the root hints servers.

I guess, for a quick win, I could put OpenDNS instead of my ISP, but I'm not sure of the best way moving forward.

Any help would be really appreciated.

CP
DNS

Last Comment
CProp

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
BelushiLomax

motnahp00

Make sure your internal DNS servers are not accepting replication from your DNS servers within your perimeter network. Also make sure you are only accepting secure dynamic updates to avoid DNS poisoning.
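Added example, not code from the thread or from any of the posters: a stand-alone Python 3 probe that asks the DMZ DNS server described in the question to recurse for a name it does not host, then asks it for a zone transfer over TCP. Those are the two things a practitioner would test first given the forwarder setup in the question and the replication point in the comment above. The server address 192.0.2.53, the hosted zone corp.example and the probe name www.example.com are assumptions; run it from outside the firewall (or from the DMZ segment) so you see what an outsider sees. Only the standard library is used.

```python
import os
import socket
import struct

# Constructed assumptions for this example; replace before running for real.
DMZ_DNS_SERVER = "192.0.2.53"   # TEST-NET-2 address standing in for the DMZ resolver
HOSTED_ZONE = "corp.example"    # zone the DMZ server is assumed to be authoritative for
PROBE_NAME = "www.example.com"  # a name the DMZ server is NOT authoritative for

QTYPE_A = 1
QTYPE_AXFR = 252
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def build_query(qname, qtype, rd=True, txid=None):
    """Encode a single-question DNS message (RFC 1035 section 4.1).
    RD set means 'please recurse for me', which is what an outsider sends."""
    txid = struct.pack("!H", txid) if txid is not None else os.urandom(2)
    flags = 0x0100 if rd else 0x0000
    header = txid + struct.pack("!HHHHH", flags, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_header(msg):
    """Decode the 12-byte header; the flags and section counts are what we need."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify_recursion(hdr):
    """Interpret the reply to a recursive query for a name the server does not host."""
    if hdr["rcode"] == 5:
        return "closed: server refused the query"
    if not hdr["ra"]:
        return "closed: recursion not available (RA clear)"
    if hdr["rcode"] == 0 and hdr["ancount"] > 0:
        return "OPEN RESOLVER: recursed and answered for a foreign name"
    return "recursion advertised (RA set) but no answer: %s" % RCODES.get(hdr["rcode"], hdr["rcode"])


def classify_axfr(hdr):
    """Interpret the first message of an AXFR attempt."""
    if hdr["rcode"] in (5, 9):
        return "closed: zone transfer %s" % RCODES[hdr["rcode"]]
    if hdr["rcode"] == 0 and hdr["ancount"] > 0:
        return "ZONE TRANSFER ALLOWED: server returned %d records" % hdr["ancount"]
    return "unexpected AXFR reply: %s" % RCODES.get(hdr["rcode"], hdr["rcode"])


def udp_query(server, qname, qtype, timeout=3.0):
    q = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return hdr


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def tcp_query(server, qname, qtype, timeout=5.0):
    """AXFR goes over TCP, where each message carries a 2-byte length prefix."""
    q = build_query(qname, qtype, rd=False)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        length = struct.unpack("!H", recv_exact(s, 2))[0]
        data = recv_exact(s, length)  # first message of the transfer is enough to classify
    return parse_header(data)


def assess(server=DMZ_DNS_SERVER, probe=PROBE_NAME, zone=HOSTED_ZONE):
    """Run both checks against one server and return the verdicts."""
    results = {}
    try:
        results["recursion"] = classify_recursion(udp_query(server, probe, QTYPE_A))
    except OSError as e:
        results["recursion"] = "no reply (%s)" % e
    try:
        results["axfr"] = classify_axfr(tcp_query(server, zone, QTYPE_AXFR))
    except OSError as e:
        results["axfr"] = "no reply or connection refused (%s)" % e
    return results


if __name__ == "__main__":
    for check, verdict in assess().items():
        print("%-9s %s" % (check, verdict))
```

A Windows Server 2003 DNS server with a forwarder list and recursion left enabled recurses for any client that can reach it on UDP/53, since that release has no per-client recursion ACL; the fix is to disable recursion on the DMZ server (dnscmd /Config /NoRecursion 1) if it only needs to answer for zones it hosts, or to firewall port 53 so that only the internal resolvers can reach it. Zone transfers are restricted per zone with dnscmd /ZoneResetSecondaries <zone> /SecureList <ip ...>, or /NoXfr if nothing should pull the zone.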
CProp

ASKER
Interesting comments BelushiLomax. I really appreciate it.

Concerning the DNS entries in TCP/IP, would you have any issues with this setup:
I have a couple of servers (IIS + SQL) sitting on the DMZ, set up as a workgroup. They communicate with each other via their hosts files. However, the DNS entries in their TCP/IP settings are configured with 8.8.8.8 as the preferred DNS server and 8.8.4.4 as the alternate.
Internal clients accessing the website (IIS) access it through the website's public IP.

Thanks in advance for your help.

CP