Solved

using dns in dmz for queries.  Good Idea?

Posted on 2014-07-22
450 Views
Last Modified: 2014-07-29
Just wanted some general ideas about preventing AD servers from DNS lookups (just forwarding) and instead use a DNS server in the DMZ (probably Linux) doing the actual lookups.  Our security guy wants to do this and was wondering what the implications are.

Has anyone had any good or bad experiences with this kind of setup?  

I assume it's not that common any more?
Question by:billFmurray
2 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
Well, many things in AD *need* DNS to work right, so getting such a setup would still require the DMZ DNS server to talk to the AD DNS server, virtually eliminating any security benefit. I'm not sure I understand the purpose.
 
LVL 25

Accepted Solution

by:
DrDave242 earned 500 total points
Just wanted some general ideas about preventing AD servers from DNS lookups (just forwarding) and instead use a DNS server in the DMZ (probably Linux) doing the actual lookups.
Are you referring to external lookups (i.e., resolution of internet names)? DNS is used extensively for internal lookups by everything in the domain, so you wouldn't want to restrict that, but yes, you can restrict external lookups if you'd like. Your domain controllers can be configured to use the DMZ server as their only forwarder, and that server can then do the dirty work. You can then configure the firewall so that only DNS queries from your DCs are allowed to pass from the LAN to the DMZ, and only DNS queries from the DMZ server are allowed to pass through to the internet.

One disadvantage that I can see is that there's a single point of failure anytime you use only one forwarder: if your DMZ DNS server goes down, nobody in the domain will be able to get to the internet until it comes back up or you do a bit of reconfiguration.
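As an added example that is not part of the question or either answer: the DC-side configuration the accepted answer describes, done with the Windows DnsServer PowerShell module (Server 2012 or later, run elevated on a domain controller), with the DMZ resolver address as a placeholder. It also turns off the fallback to root hints, because otherwise the DC would quietly query the internet directly whenever the DMZ forwarder is unreachable, which is what the design is meant to prevent.

```powershell
# Added example, not code from the thread. Assumes the DnsServer and NetTCPIP
# modules (Windows Server 2012 R2 or later) and elevated rights on the DC.
# 192.0.2.53 is a placeholder for the DMZ resolver's address.

# Listing a second DMZ resolver here removes the single point of failure
# the accepted answer describes.
$DmzResolvers = @('192.0.2.53')

# Send every non-authoritative lookup to the DMZ resolver(s) only.
# -UseRootHint $false: do not fall back to the root servers if the
# forwarders time out; the DC must never resolve internet names itself.
Set-DnsServerForwarder -IPAddress $DmzResolvers -UseRootHint $false -Timeout 3

# Check what is actually configured.
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# Check the LAN -> DMZ firewall rule: the DC must reach the resolver on 53/tcp.
foreach ($r in $DmzResolvers) {
    Test-NetConnection -ComputerName $r -Port 53 |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

# An external name queried through this DC should now resolve via the DMZ.
Resolve-DnsName -Name 'example.com' -Type A -Server $env:COMPUTERNAME

# A direct query from the DC to a public resolver should be dropped by the
# firewall (expect a timeout). 8.8.8.8 is just a well-known public resolver
# used here to test the egress rule.
Resolve-DnsName -Name 'example.com' -Type A -Server '8.8.8.8' -ErrorAction SilentlyContinue
```

If the last query succeeds, the firewall is still letting the DC (and therefore anything that can use it) reach the internet for DNS directly.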
