JurajUQU
How to setup authoritative DNS server in AD and prevent abuse?

I currently have 2 AD/DNS servers that are also authoritative and as such need to be open to the internet. This, however, exposes them to abuse and they are being misused.

What is the best way to put a stop to this?

I can't disable forwarding as that would put a stop to internet use within the network.
Cliff Galiher

You *rarely* want your AD servers handling internet queries. The most common way to handle this is to put DNS servers in a DMZ and set them up with secondary zones for the namespace that you need to be authoritative for. Those servers can have forwarding disabled so they won't be open DNS servers and will only handle queries for the zones they have access to. This prevents abuse and adds a secure layer to your internal servers.
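The architecture described in the answer above, as an added PowerShell example that is not part of this thread: restrict zone transfers on the internal AD/DNS primaries to the DMZ hosts, build the DMZ hosts as non-recursive secondaries, and check that they no longer act as open resolvers. The zone name, addresses and the Test-NoOpenResolver helper are placeholders/assumptions for illustration.

```powershell
# Added example (not from the thread). Placeholders: zone example.com,
# internal AD/DNS primaries 10.0.0.10/11, DMZ secondaries 192.0.2.10/11.
$Zone       = 'example.com'
$Internal   = @('10.0.0.10', '10.0.0.11')    # AD-integrated primaries, internal only
$DmzServers = @('192.0.2.10', '192.0.2.11')  # hosts that face the internet

# --- Run on each internal AD/DNS server (holds the primary zone) ---
# Only the DMZ hosts may pull the zone (AXFR/IXFR); NotifyServers makes them
# refresh on change instead of waiting for the SOA refresh interval.
Set-DnsServerPrimaryZone -Name $Zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $DmzServers `
    -Notify NotifyServers -NotifyServers $DmzServers

# --- Run on each DMZ server (standalone DNS role, not a domain controller) ---
# Disabling recursion also stops the use of forwarders, so the host answers
# only for zones it holds and cannot be abused as an open resolver.
Set-DnsServerRecursion -Enable $false
Add-DnsServerSecondaryZone -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $Internal
Start-DnsServerZoneTransfer -Name $Zone -FullTransfer

# --- Verification from a management host (hypothetical helper) ---
function Test-NoOpenResolver {
    param([string]$Server, [string]$Zone)
    # A query for our own zone must still be answered...
    $own = Resolve-DnsName -Name $Zone -Type SOA -Server $Server -DnsOnly `
               -ErrorAction SilentlyContinue
    # ...while a query for a foreign name must get no answer (no recursion).
    $foreign = Resolve-DnsName -Name 'www.example.net' -Type A -Server $Server `
                   -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server        = $Server
        ServesOwnZone = [bool]$own      # expected: True
        OpenResolver  = [bool]$foreign  # expected: False
    }
}
$DmzServers | ForEach-Object { Test-NoOpenResolver -Server $_ -Zone $Zone }
```

The firewall still has to match the design: allow TCP/UDP 53 from the internet to the DMZ hosts only, allow TCP 53 from the DMZ hosts to the internal primaries for zone transfers, and block all inbound 53 from the internet to the AD servers.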
JurajUQU

ASKER

Can you explain how to do it or point me to an article or similar?
Nope. Too many factors involved for an easy walkthrough. I don't know your network topology, or why you've decided your internal servers need to be authoritative (that alone is very unusual) or why you aren't just throwing your external DNS needs to a DNS hosted for dollars a month. I can only assume you have valid reasons. But it still would directly impact the details of the implementation.

In short, if you have the prerequisite knowledge, what I already said would be enough to answer the question and get you going down the right path and build an architecture. And if you don't, a walkthrough/tutorial isn't sufficient and a paid consultant should be brought in.
I know I can create secondary zone on the server, that shouldn't be a problem but that would mean I'd need to create it on another physical server.

So I have 2 DNS servers available to the outside world and with enabled forwarding. What I so far understand is that I can create 2 new DNS servers that will have secondary zones and disabled forwarding/recursion. Those two will replace the 2 current ones, which in turn will be pulled inside the DMZ and only accept DNS queries for the internal network. Do I understand that correctly?

Btw why is it unusual and better to use an external provider? I already have one so could migrate there easily...
No, you'd not replace your internal servers, these would be ADDITIONAL servers.

And it is weird because AD zones are often not the same as public zones. You'd usually have your AD zone be something like company.local, or alternatively a subdomain of a public domain like internal.company.com. And since the domain names are unique, there is no reason for external authoritative control, and the external domain name can live on a hosted provider. No server to maintain or patch, better uptime and redundancy. And a better security footprint for your DCs.
I believe I did say they'd be additional ones.

Ok, so it's for practical and security reasons. Fair enough.

Thanks.
ASKER CERTIFIED SOLUTION
skullnobrains

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.