How to set up an authoritative DNS server in AD and prevent abuse?

JurajUQU
I currently have 2 AD/DNS servers that are also authoritative and as such need to be open to the internet. This, however, exposes them to abuse and they are being misused.

What is the best way to put a stop to this?

I can't disable forwarding as that would put a stop to internet use within the network.

Distinguished Expert 2018

Commented:
You *rarely* want your AD servers handling internet queries. The most common way to handle this is to put DNS servers in a DMZ and set them up with secondary zones for the namespace that you need to be authoritative for. Those servers can have forwarding disabled so they won't be open DNS servers and will only handle queries for the zones they have access to. This prevents abuse and adds a secure layer to your internal servers.

Author

Commented:
Can you explain how to do it or point me to an article or similar?
Distinguished Expert 2018

Commented:
Nope. Too many factors involved for an easy walkthrough. I don't know your network topology, or why you've decided your internal servers need to be authoritative (that alone is very unusual), or why you aren't just throwing your external DNS needs to a DNS host for dollars a month. I can only assume you have valid reasons. But it still would directly impact the details of the implementation.

In short, if you have the prerequisite knowledge, what I already said would be enough to answer the question and get you going down the right path and build an architecture. And if you don't, a walkthrough/tutorial isn't sufficient and a paid consultant should be brought in.

Author

Commented:
I know I can create a secondary zone on the server, that shouldn't be a problem, but that would mean I'd need to create it on another physical server.

So I have 2 DNS servers available to the outside world and with forwarding enabled. What I so far understand is that I can create 2 new DNS servers that will have secondary zones and disabled forwarding/recursion. Those two will replace the 2 current ones, which in turn will be pulled inside the DMZ and only accept DNS queries for the internal network. Do I understand that correctly?

Btw, why is it unusual, and better to use an external provider? I already have one so could migrate there easily...
Distinguished Expert 2018

Commented:
No, you'd not replace your internal servers; these would be ADDITIONAL servers.

And it is weird because AD zones are often not the same as public zones. You'd usually have your AD zone be something like company.local, or alternatively a subdomain of a public domain like internal.company.com. And since the domain names are unique, there is no reason for external authoritative control, and the external domain name can live on a hosted provider. No server to maintain or patch, better uptime and redundancy. And a better security footprint for your DCs.

Author

Commented:
I believe I did say they'd be additional ones.

Ok, so it's for practical and security reasons. Fair enough.

Thanks.

You got it right up to "I can create 2 new DNS servers that will have secondary zones and disabled forwarding/recursion."

Then you're wrong about what goes in the DMZ: your current servers can stay accessible from the local LAN but should not be accessible from the WAN any more, and the new servers are the ones to be put in the DMZ, with the ability to access your DC using DNS and DNS only, and be accessed from the outside using DNS only as well.

Using a secondary zone is not your only choice. A forward zone is easier to set up, works fine as well and does not require allowing replication mechanisms between your new servers and the existing ones, so you only need to open UDP port 53, which is MUCH better security-wise. In that case, your new servers are actually reverse proxies.

It is also considered best practice to use different software for reverse proxies and servers, and I consider it dangerous to open an MS machine to the WAN, whatever the service, so you may consider using a very simple DNS forwarder such as dnsmasq (configure it using a single line) rather than another paid 2008 server.

Moving to an external provider is a matter of choice. It is more convenient in such cases, but helps them kidnap your network when you want to move away from them. My recommendation is: don't ever use the same provider for your DNS and for your domain; the party that handles the record saying which servers are authoritative must not be the one that does the hosting. If you switch to an external service, you can set them as secondary servers and keep your management on your existing servers.
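The DMZ design described in the accepted expert's reply (non-recursive secondary zones in the DMZ) and refined in the reply above (DC reachable from the DMZ over DNS only) can be built on Windows DNS with the DnsServer module. The following is an added example, not code from anyone in this thread; the zone name `company.example`, the DC address `10.0.0.5` and the DMZ server address `192.0.2.10` are placeholders. It uses the secondary-zone variant rather than the forward-zone one, because disabling recursion on Windows DNS also disables forwarders. Note that a zone transfer from the DC to the DMZ secondary runs over TCP port 53 (queries use UDP and TCP 53), so the firewall between the DMZ and the DC must allow TCP 53 from the DMZ server to the DC only.

```powershell
# Added example: DMZ Windows DNS server as a non-recursive secondary for the public
# zone, with the DC restricted to transferring only to that server.
# Placeholder values (assumptions, not from the thread):
$Zone  = 'company.example'   # public zone the DMZ server must answer for
$DcIp  = '10.0.0.5'          # internal AD/DNS server holding the primary zone
$DmzIp = '192.0.2.10'        # new DMZ server that faces the internet

# ---- Run on the internal AD/DNS server (primary for the zone) ----
# Only the DMZ server may pull the zone; notify it when the zone changes.
Set-DnsServerPrimaryZone -Name $Zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $DmzIp `
    -Notify NotifyServers -NotifyServers $DmzIp

# ---- Run on the DMZ server ----
# Pull the public zone from the DC as a secondary copy.
Add-DnsServerSecondaryZone -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $DcIp

# Refuse recursion: the server now answers only for zones it holds, so it cannot
# be used as an open resolver.
Set-DnsServerRecursion -Enable $false

# Host firewall: accept DNS from anywhere, nothing else is needed for this role.
New-NetFirewallRule -DisplayName 'DNS inbound UDP' -Direction Inbound `
    -Protocol UDP -LocalPort 53 -Action Allow
New-NetFirewallRule -DisplayName 'DNS inbound TCP' -Direction Inbound `
    -Protocol TCP -LocalPort 53 -Action Allow

# ---- Checks, run from any host that can reach the DMZ server ----
# Expected: recursion reports False and the zone shows as Secondary.
Invoke-Command -ComputerName $DmzIp -ScriptBlock {
    (Get-DnsServerRecursion).Enable
    (Get-DnsServerZone -Name $using:Zone).ZoneType
}
# A name inside the zone is answered from the secondary copy.
Resolve-DnsName -Name "www.$Zone" -Server $DmzIp -DnsOnly
# A name outside the zone must NOT be resolved (error, typically REFUSED/SERVFAIL).
Resolve-DnsName -Name 'www.example.org' -Server $DmzIp -DnsOnly -ErrorAction Continue
```

Once the DMZ server answers correctly, the public NS records for the zone are repointed at it and the perimeter firewall rule that exposed the two AD/DNS servers on port 53 is removed; the internal servers keep forwarding enabled for LAN clients, which is what the asker needs to preserve.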
Seth Simmons, Sr. Systems Administrator

Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
