Solved
How to set up an authoritative DNS server in AD and prevent abuse?

Posted on 2014-08-07
Last Modified: 2015-06-26
I currently have 2 AD/DNS servers that are also authoritative and as such need to be open to the internet. This, however, exposes them to abuse and they are being misused.

What is the best way to put a stop to this?

I can't disable forwarding as that would put a stop to internet use within the network.
Question by:JurajUQU
9 Comments
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40247848
You *rarely* want your AD servers handling internet queries. The most common way to handle this is to put DNS servers in a DMZ and set them up with secondary zones for the namespace that you need to be authoritative for. Those servers can have forwarding disabled so they won't be open DNS servers and will only handle queries for the zones they have access to. This prevents abuse and adds a secure layer to your internal servers.
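As an added example (not part of the thread), this is what the architecture in this comment looks like in the DnsServer PowerShell module on Windows Server 2012 R2 or later; on 2008 the same settings are made with dnscmd or the DNS console. The zone name and every address are assumed placeholders: the public zone example.com is primary on the DCs 10.0.0.10 and 10.0.0.11, and the two new DMZ servers are 203.0.113.10 and 203.0.113.11. The DC-side step matters as much as the DMZ-side one: restricting zone transfers to the DMZ secondaries is what stops anyone on the internet from pulling the whole zone by AXFR.

```powershell
# Added example, not from the thread. Assumed placeholders: the public zone example.com is
# primary on the DCs 10.0.0.10/10.0.0.11; the new DMZ servers are 203.0.113.10/203.0.113.11.
$Zone       = 'example.com'
$Dcs        = '10.0.0.10', '10.0.0.11'
$DmzServers = '203.0.113.10', '203.0.113.11'

# ---- On each DC (primary for the public zone), run once ----
# Only the DMZ secondaries may pull the zone, and they get NOTIFY on every change.
Set-DnsServerPrimaryZone -Name $Zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $DmzServers `
    -Notify NotifyServers -NotifyServers $DmzServers

# ---- On each DMZ server ----
# 1. Hold a read-only copy of the public zone, pulled from the DCs.
Add-DnsServerSecondaryZone -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $Dcs
Start-DnsServerZoneTransfer -Name $Zone -FullTransfer

# 2. Answer only from local zones: no recursion (which on Windows DNS also stops the use of
#    forwarders), no forwarders left behind, and (optional) no root hints to chase.
#    This is the setting that turns an open resolver into an authoritative-only server.
Set-DnsServerRecursion -Enable $false
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress |
    ForEach-Object { Remove-DnsServerForwarder -IPAddress $_ -Force }
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force

# ---- Audit, from the management host ----
# Every DMZ server must report Recursion=False, no forwarders and a loaded Secondary zone
# before the firewall rule for 53/udp and 53/tcp from the internet is opened.
function Get-DmzDnsPosture {
    param([string[]] $Servers, [string] $ZoneName = $Zone)
    foreach ($s in $Servers) {
        [pscustomobject]@{
            Server     = $s
            Recursion  = (Get-DnsServerRecursion -ComputerName $s).Enable
            Forwarders = ((Get-DnsServerForwarder -ComputerName $s).IPAddress -join ',')
            ZoneType   = (Get-DnsServerZone -ComputerName $s -Name $ZoneName).ZoneType
        }
    }
}
Get-DmzDnsPosture -Servers $DmzServers | Format-Table -AutoSize

# Functional check: the server's own zone answers, a foreign name does not.
Resolve-DnsName -Name "www.$Zone"       -Server $DmzServers[0] -DnsOnly   # expected: the public A record
Resolve-DnsName -Name 'www.example.org' -Server $DmzServers[0] -DnsOnly   # expected: an error, no A record
```

The internal DCs keep their forwarders and recursion for LAN clients; what changes for them is only the zone-transfer restriction above and the perimeter firewall, which should now allow port 53 from the internet to the DMZ servers only, and from the DMZ servers to the DCs only.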
LVL 5

Author Comment

by:JurajUQU
ID: 40247862
Can you explain how to do it or point me to an article or similar?
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40247877
Nope. Too many factors involved for an easy walkthrough. I don't know your network topology, or why you've decided your internal servers need to be authoritative (that alone is very unusual) or why you aren't just throwing your external DNS needs to a DNS hosted for dollars a month. I can only assume you have valid reasons. But it still would directly impact the details of the implementation.

In short, if you have the prerequisite knowledge, what I already said would be enough to answer the question and get you going down the right path and build an architecture. And if you don't, a walkthrough/tutorial isn't sufficient and a paid consultant should be brought in.
LVL 5

Author Comment

by:JurajUQU
ID: 40247882
I know I can create secondary zone on the server, that shouldn't be a problem but that would mean I'd need to create it on another physical server.

So I have 2 DNS servers available to the outside world and with forwarding enabled. What I so far understand is that I can create 2 new DNS servers that will have secondary zones and disabled forwarding/recursion. Those two will replace the 2 current ones, which in turn would be pulled inside the DMZ and only accept DNS queries for the internal network. Do I understand that correctly?

Btw why is it unusual and better to use an external provider? I already have one so could migrate there easily...
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40247885
No, you'd not replace your internal servers, these would be ADDITIONAL servers.

And it is weird because AD zones are often not the same as public zones. You'd usually have your AD zone be something like company.local, or alternatively a subdomain of a public domain like internal.company.com. And since domain names are unique, there is no reason for external authoritative control, and the external domain name can live on a hosted provider. No server to maintain or patch, better uptime and redundancy. And a better security footprint for your DCs.
LVL 5

Author Comment

by:JurajUQU
ID: 40247893
I believe I did say they'd be additional ones.

Ok, so it's for practical and security reasons. Fair enough.

Thanks.
LVL 27

Accepted Solution

by:skullnobrains (earned 2000 total points)
ID: 40248033
You got it right up to "I can create 2 new DNS servers that will have secondary zones and disabled forwarding/recursion."

Then you're wrong about what goes in the DMZ: your current servers can stay accessible from the local LAN but should not be accessible from the WAN any more, and the new servers are the ones to be put in the DMZ, with the ability to access your DC using DNS and DNS only, and be accessed from the outside using DNS only as well.

Using a secondary zone is not your only choice. A forward zone is easier to set up, works fine as well and does not require allowing replication mechanisms between your new servers and the existing ones, so you only need to open UDP port 53, which is MUCH better security-wise. In that case, your new servers are actually reverse proxies.

It is also considered best practice to use different software for reverse proxies and servers, and I consider it dangerous to open an MS machine to the WAN, whatever the service, so you may consider using a very simple DNS forwarder such as dnsmasq (configure it using a single line) rather than another paid 2008 server.

Moving to an external provider is a matter of choice. It is more convenient in such cases, but helps them kidnap your network when you want to move away from them. My recommendation is: don't ever use the same provider for your DNS and for your domain; the person that handles the record saying which servers are authoritative must not be the one that does the hosting. If you switch to an external service, you can set them as secondary servers and keep your management on your existing servers.
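Whichever variant is chosen (secondary zones as in the earlier comment, or the forward-zone reverse proxy in this one), the result has to be verified from the outside, because "abuse" here means the server still answering recursive queries for arbitrary names. The probe below is an added example, not part of the thread or any product: it builds a single DNS query with the RD bit set for a name the server does not host, sends it over UDP to port 53, and reads the reply header (RA flag, RCODE, answer count). A locked-down server answers with RA=0 and no answer data, usually RCODE REFUSED; a server that is still open answers with RA=1 and an A record. The DMZ addresses 203.0.113.10/11 and the probe name www.example.org are assumed placeholders. Two practitioner notes for the forward-zone variant: if the DMZ box is dnsmasq, the whole configuration is `no-resolv` plus one `server=/example.com/10.0.0.10` line per DC, whereas on Windows DNS a conditional forwarder only functions while recursion is enabled, so the "no recursion" guarantee is easier to obtain with dnsmasq as suggested; and the firewall rules should allow TCP 53 alongside UDP 53 in both directions, because responses that do not fit a UDP datagram are marked truncated and retried over TCP.

```powershell
# Added example, not from the thread: does a DNS server still act as an open resolver?
# Sends one recursive query (RD=1) for a name the server does NOT host and inspects the
# reply header. Assumed placeholders: DMZ servers 203.0.113.10/11, probe name www.example.org.
function Test-OpenResolver {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [string] $Name      = 'www.example.org',   # must lie outside every zone the server holds
        [int]    $TimeoutMs = 3000
    )
    # Build the query: 12-byte header, QNAME as length-prefixed labels, QTYPE A, QCLASS IN.
    $id = Get-Random -Minimum 1 -Maximum 65535
    [byte[]]$header = @(
        [byte]($id -shr 8), [byte]($id -band 0xFF),
        0x01, 0x00,                              # flags: RD=1, everything else 0
        0x00, 0x01,                              # QDCOUNT = 1
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00       # ANCOUNT, NSCOUNT, ARCOUNT = 0
    )
    $labels = foreach ($l in $Name.TrimEnd('.').Split('.')) {
        [byte]($l.Length)
        [System.Text.Encoding]::ASCII.GetBytes($l)
    }
    [byte[]]$tail  = 0x00, 0x00, 0x01, 0x00, 0x01  # root label, type A, class IN
    [byte[]]$query = $header + $labels + $tail

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $dst = [System.Net.IPEndPoint]::new([ipaddress]$Server, 53)
        [void]$udp.Send($query, $query.Length, $dst)
        $from  = [System.Net.IPEndPoint]::new([ipaddress]::Any, 0)
        $reply = $udp.Receive([ref]$from)
    } catch [System.Net.Sockets.SocketException] {
        # No reply at all: the firewall drops 53/udp or the server is down. Not "open".
        return [pscustomobject]@{ Server = $Server; Reachable = $false; RecursionAvailable = $null
                                  RCode = $null; Answers = 0; OpenResolver = $false }
    } finally {
        $udp.Close()
    }

    if ($reply.Length -lt 12 -or ((($reply[0] -shl 8) -bor $reply[1]) -ne $id)) {
        throw "Malformed or mismatched reply from $Server"
    }
    $ra      = ($reply[3] -band 0x80) -ne 0          # RA: server offers recursion
    $rcode   = $reply[3] -band 0x0F
    $ancount = ($reply[6] -shl 8) -bor $reply[7]
    $names   = @{ 0 = 'NOERROR'; 2 = 'SERVFAIL'; 3 = 'NXDOMAIN'; 5 = 'REFUSED' }
    [pscustomobject]@{
        Server             = $Server
        Reachable          = $true
        RecursionAvailable = $ra
        RCode              = $(if ($names.ContainsKey($rcode)) { $names[$rcode] } else { "RCODE$rcode" })
        Answers            = $ancount
        # A locked-down authoritative server sets RA=0 and returns no answer for a foreign name.
        OpenResolver       = ($ra -or ($ancount -gt 0))
    }
}

# Run against the DMZ servers (assumed addresses) and, from outside, against anything that
# still answers on the DCs' public IPs. Expected after the change: RecursionAvailable False and
# Answers 0 (RCode usually REFUSED) on the DMZ boxes; an internet-facing DC still reports True.
'203.0.113.10', '203.0.113.11' | ForEach-Object { Test-OpenResolver -Server $_ } | Format-Table -AutoSize
```

Run it from a host outside the perimeter as well as from the LAN: the inside view only proves the DNS configuration, the outside view proves the firewall change that pulled the DCs off the internet actually took effect.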
LVL 36

Expert Comment

by:Seth Simmons
ID: 40852568
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.