
How to setup authoritative DNS server in AD and prevent abuse?

Last Modified: 2015-06-26
I currently have 2 AD/DNS servers that are also authoritative and as such need to be open to the internet. This, however, exposes them to abuse and they are being misused.

What is the best way to put a stop to this?

I can't disable forwarding as that would put a stop to internet use within the network.

CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
You *rarely* want your AD servers handling internet queries. The most common way to handle this is to put DNS servers in a DMZ and set them up with secondary zones for the namespace that you need to be authoritative for. Those servers can have forwarding disabled so they won't be open DNS servers and will only handle queries for the zones they have access to. This prevents abuse and adds a secure layer to your internal servers.

Author

Commented:
Can you explain how to do it or point me to an article or similar?
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Nope. Too many factors involved for an easy walkthrough. I don't know your network topology, or why you've decided your internal servers need to be authoritative (that alone is very unusual) or why you aren't just throwing your external DNS needs to a DNS hosted for dollars a month. I can only assume you have valid reasons. But it still would directly impact the details of the implementation.

In short, if you have the prerequisite knowledge, what I already said would be enough to answer the question and get you going down the right path and build an architecture. And if you don't, a walkthrough/tutorial isn't sufficient and a paid consultant should be brought in.

Author

Commented:
I know I can create secondary zone on the server, that shouldn't be a problem but that would mean I'd need to create it on another physical server.

So I have 2 DNS servers available to the outside world and with enabled forwarding. What I so far understand is that I can create 2 new DNS servers that will have secondary zones and disabled forwarding/recursion. Those two will replace the 2 current ones, which in turn will be pulled inside the DMZ and only accept DNS queries for the internal network. Do I understand that correctly?

Btw why is it unusual and better to use an external provider? I already have one so could migrate there easily...
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
No, you'd not replace your internal servers, these would be ADDITIONAL servers.

And it is weird because AD zones are often not the same as public zones. You'd usually have your AD zone be something like company.local, or alternatively a subdomain of a public domain like internal.company.com. And since the domain names are unique, there is no reason for external authoritative control, and the external domain name can live on a hosted provider. No server to maintain or patch, better uptime and redundancy. And a better security footprint for your DCs.
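The design the expert describes above (additional DMZ servers holding secondary zones with recursion disabled, while the internal AD/DNS servers stay the primaries), as an added PowerShell example that is not part of the original thread; the zone name, the addresses and the use of Invoke-Command for remote configuration are assumptions.

```powershell
# Added example (not from the thread). Constructed, assumed values:
#   contoso.com   = public zone the internal AD/DNS servers are authoritative for
#   10.0.0.11     = internal AD/DNS server holding the AD-integrated primary zone
#   192.0.2.10/11 = the two new DMZ DNS servers that will face the internet
# Assumes the DnsServer module on all three hosts and WinRM reachable from the admin host.
$Zone       = 'contoso.com'
$InternalDc = '10.0.0.11'
$DmzServers = '192.0.2.10', '192.0.2.11'

# Step 1 (internal AD/DNS server): allow zone transfers only to the DMZ
# secondaries and notify them on change. An unrestricted transfer setting
# would let anyone on the internet pull the whole zone (AXFR).
Invoke-Command -ComputerName $InternalDc -ArgumentList $Zone, $DmzServers -ScriptBlock {
    param($Zone, $DmzServers)
    Set-DnsServerPrimaryZone -Name $Zone `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $DmzServers `
        -Notify NotifyServers -NotifyServers $DmzServers
}

# Step 2 (each DMZ server): disable recursion (which also disables forwarders)
# so the server answers only for zones it holds and cannot be used as an open
# resolver or amplification reflector, then pull a read-only copy of the zone.
foreach ($Dmz in $DmzServers) {
    Invoke-Command -ComputerName $Dmz -ArgumentList $Zone, $InternalDc -ScriptBlock {
        param($Zone, $InternalDc)
        Set-DnsServerRecursion -Enable $false
        Add-DnsServerSecondaryZone -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $InternalDc
    }
}

# Step 3 (from a host outside the network): a name in the zone must resolve,
# a name the server is not authoritative for must not get an answer.
foreach ($Dmz in $DmzServers) {
    $own   = Resolve-DnsName -Name "www.$Zone" -Server $Dmz -DnsOnly -ErrorAction SilentlyContinue
    $other = Resolve-DnsName -Name 'www.example.net' -Server $Dmz -DnsOnly -ErrorAction SilentlyContinue
    $ok = ($null -ne $own) -and ($null -eq $other)
    '{0}: zone answer={1} open-resolver answer={2} -> {3}' -f $Dmz, [bool]$own, [bool]$other, $(if ($ok) { 'OK' } else { 'CHECK' })
}
```

A Windows DNS server with recursion disabled can still hand out root-hint referrals for names it does not hold; removing the root hints on the DMZ servers closes that as well.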

Author

Commented:
I believe I did say they'd be additional ones.

Ok, so it's for practical and security reasons. Fair enough.

Thanks.
Seth Simmons, Lead Systems Administrator
CERTIFIED EXPERT

Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.