• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 246
  • Last Modified:

DNS Best Practice for two domains

I have two active directory domains, DMZ.com and Domain.com. There is an outgoing trust from dmz.com to domain.com.

Both domains originally had two domain controllers (2003). I'm migrating to 2008 and have added two domain controllers (2008) to both domains. My question is on the configuration of Zone Transfers.

Each of the Domain Controllers in Domain.com is configured as a Name Server for all Forward Lookup Zones in Domain.com. Zone Transfers are allowed to each of the domain controllers in DMZ.com for the zones in Domain.com.

And vice versa: Each of the DCs in DMZ.com is configured as an NS for all zones in DMZ.com. Zone Transfers allowed to each DC in Domain.com for the Forward Lookup zones in DMZ.com

Questions:
1 - Should Zone Transfers be allowed for the domain.com zones on DMZDC01 to DMZDC02 (and for the other DCs too, let's keep it simple)
2 - Vice versa: Should Zone Transfers be allowed for DMZ.com zones on DC01 to DC02
3 - Reverse Lookup Zones - How should this be configured between the two domains?

Discuss!
0
KThrace
Asked:
KThrace
  • 4
  • 2
2 Solutions
 
Neil RussellTechnical Development LeadCommented:
My simple answer would be that I would never consider having a domain in my DMZ.  What purpose does it serve? Can you give a very good reason to have a domain the DMZ?
0
 
KThraceAuthor Commented:
Yeah, I'm an IT Consultant and this was inherited - to remove it now would be an insane undertaking. :D

Although, to be honest, I'm not sure why it's a bad idea...
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
I would also agree with Neilsr regarding the Domain in the DMZ (there is a security risk having this setup). However based on your question...
Should Zone Transfers be allowed for the domain.com zones on DMZDC01 to DMZDC02
You can setup Conditional Forwarders or Secondary Zones for this. This would be required if you require name resolution for your internal domain.

Will.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
Neil RussellTechnical Development LeadCommented:
If you need name resolution for your internal domain then you are now going to need to punch holes FROM the DMZ into you internal networks. The assumption is that if your resolving from internal servers than traffic is going to go into those addresses.  Your DMZ is getting weaker and weaker with every step.
0
 
KThraceAuthor Commented:
Ok, security risk, got it. Best practice would be no domain in the DMZ. But if services in the DMZ require AD then a RODC with conditional forwarding to the internal domain would be better than DCs with Zone Transfers.

I should say that these are separate forests with a one way trust. Regardless, let's be hypothetical for a moment and say that security is not a concern, it isn't a DMZ just two separate forests with Zone Transfers from DC01 to DCDMZ01 and DCDMZ02 for a zone in the internal domain. Is it necessary to configure a zone transfer of this zone from DCDMZ01 to DCDMZ02 and vice versa?
0
 
Neil RussellTechnical Development LeadCommented:
No you dont need any zone transfers just the ability to forward requests so a conditional forwarder is all you need.
0
 
Neil RussellTechnical Development LeadCommented:
Far better would be to have NO Lookups between the two domains and just add static records into a zone on each domain for the other.  You should not expose more than you need to and if the DMZ just needs to know about a few machines then add a zone and add statics into it for those few machines and addesses.

At all times MINIMIZE your exposure.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now