I'm having an issue with an external consultant who came in to assess our network and reported to management that we have an important security risk with the way our DNS service is configured.
We are currently running Microsoft DNS on four Windows 2003 servers, and we currently have our ISP's DNS servers and Google DNS (220.127.116.11) specified in our forwarder list.
I'm trying to research whether we are really at "risk" with our current setup, where we do use a DNS server in the DMZ.
We do not have web servers at our site, and our MX records are configured with https:/easyDNS.com.
I have heard different stories about forwarders, and I'm trying to get a feel for what the best practice regarding forwarders is.
There are those who insist that it is a best practice to have DNS servers on your LAN for internal resolution and to forward your external DNS requests to a DNS server in your DMZ. This DNS server can point to your ISP, Google DNS, or even the root hints servers.
I guess, for a quick win, I could use OpenDNS instead of my ISP, but I'm not sure of the best way forward.
Any help would be really appreciated.
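The post does not say what the consultant actually flagged, so before debating which forwarder to use it helps to measure one concrete property of the setup described above: whether the DMZ DNS server (or any of the four LAN servers) will recurse for whoever asks. The script below is an added example, not code from the original post or from any vendor tool. It uses only the Python standard library so it can be run from any host, builds a DNS query with the RD bit set, and classifies the reply by its RA bit and RCODE. The server addresses, the probe name `example.com`, and the two sample replies are constructed placeholders, not captured traffic.

```python
"""Added example: does a DNS server offer recursion to this client?

Run probe(<dmz-server-ip>) from a host outside the LAN: a properly locked
down DMZ server should answer "refused" or "no-recursion" for names it is
not authoritative for.  Run it from inside the LAN to confirm the internal
servers still recurse (via their forwarders) for you.
"""
import socket
import struct

def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard DNS query: RD=1, one question (QTYPE A, QCLASS IN by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_flags(reply: bytes) -> dict:
    """Decode the 12-byte header of a reply: QR, RD, RA, RCODE, answer count."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "answers": an,
    }

def classify(reply: bytes, txid: int) -> str:
    """Turn a reply into one of: invalid, refused, open-recursion,
    no-recursion, recursion-offered-no-answer."""
    f = parse_flags(reply)
    if f["id"] != txid or not f["qr"]:
        return "invalid"
    if f["rcode"] == 5:          # REFUSED: recursion denied to this client
        return "refused"
    if f["ra"] and f["answers"] > 0:
        return "open-recursion"  # server recursed on our behalf
    if not f["ra"]:
        return "no-recursion"    # answered (or not) without offering recursion
    return "recursion-offered-no-answer"

def probe(server: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send the query over UDP/53 and classify the answer (needs network)."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        try:
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify(reply, txid)

# Constructed sample replies (not captured traffic) so the classifier can be
# exercised offline.  Both answer the example.com query with txid 0x1234.
_QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"
# QR|RD|RA, RCODE 0, one answer RR (name pointer 0xC00C, A, IN, TTL 60, 4 bytes).
SAMPLE_OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                     + _QUESTION
                     + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04"
                     + bytes([192, 0, 2, 1]))
# QR|RD, RA clear, RCODE 5 (REFUSED), no answers.
SAMPLE_REFUSED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
                        + _QUESTION)

if __name__ == "__main__":
    print("sample open reply    ->", classify(SAMPLE_OPEN_REPLY, 0x1234))
    print("sample refused reply ->", classify(SAMPLE_REFUSED_REPLY, 0x1234))
    # Replace with your DMZ server's address and run from outside the LAN:
    # print("dmz server           ->", probe("203.0.113.53"))
```

A result of `open-recursion` from outside the LAN means that server is recursing for the whole Internet, regardless of which forwarders sit behind it; `refused` or `no-recursion` from outside together with `open-recursion` from inside is the split the question's LAN-to-DMZ design is meant to produce.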