Eduardo Guerra

asked on

Implement a public - Private Domain within a DMZ

Hello buddies, I am implementing a Public - Private Domain over a network. In the past the structure was similar, but I think I didn't implement the DNS server correctly (the DNS, web server and mail server were in the DMZ, on the same machine). I configured the DMZ DNS to resolve outside queries, and inside queries (internal users) are resolved via the internal DNS, which points to the DMZ server. The public IP and public domain were published on the DMZ DNS server, in both the forward zone and the reverse zone. I am not sure if this is correct or not; I think it is not, and now I have to add more servers and don't know how to configure the DNS correctly. Can someone help me (please try to help as for a novice)? Thanks in advance.
Chris

Can you explain a bit more about what you mean?

Do you mean a domain with a public name space, i.e. microsoft.com, and you have public and private resources that will use the domain for their FQDN, i.e. internalwebserver.microsoft.com and externalwebserver.microsoft.com?
Eduardo Guerra

ASKER

I mean the following:

Yes, I have a domain like microsoft.com. Internal users should access email, www and FTP, which are on the DMZ. Internal users have Active Directory with .local. Outside users should access only public resources like www and FTP, and should also be able to send mail to internal users.
Do you have a separate AD domain for the DMZ and the internal network, or are they all on one domain?

For internal users to access those resources in the DMZ, you want them to go via the internal network and not out to the internet and come in via the public path?
Well, both are separate domains. My problem is not the internal network; it works like we want. My problem is at the DMZ.
OK, so the DMZ is running its own AD, and it's using the public-facing DNS zone?

If you need it to resolve internal DNS queries, then a conditional forwarder for domain.internal which points at the internal DNS servers.
All the DMZ servers point at the DMZ DNS servers and they deal with the query as needed.
Please help with the DMZ DNS configuration. I am not sure where to place the public IP and where to place the private IPs for the servers. I mean, should I use the private DMZ IPs in the forward zone or in the reverse zone? Consider that I am a novice on this.
Are you hosting your own public DNS?
If so, then I would expect specific and separate DNS servers responding to public queries from the internet.

Do you have a firewall or something in front of those servers which presents the public IPs and NATs (network address translation) them to a private IP?

I would expect a public range on the firewall:

8.8.8.8 as the public address
The firewall directs any traffic coming in to Server1 in the DMZ
192.168.1.10 as Server1's IP address

That way the forward and the reverse lookup zones have the private DMZ IP addresses on them.
I have a Cisco ASA 5510 as firewall; yes, HTTP, HTTPS and SMTP traffic are directed from outside to the DMZ. Of course, the firewall has a public IP, and yes, we host our own domain. The DMZ subnet is 172.16.x.x.
So do you have public DNS records and private DNS records (DMZ internal range) in the same DNS zone?

Ideally you would have public DNS servers which would host all the external records, and then the domain controllers which would host the DNS zone with the internal records, so you don't have it mixed up.
Actually, the only server in the DMZ has public IPs published (remember, today the same server is the DNS server) and of course everything works. I don't know what to do when there will be more servers in the DMZ (and now I need to separate services). I need to put 1 server for DNS (I think it is correct), 1 server for antispam, 1 for mail and 1 for web and FTP. How do I "redirect" queries to those servers that will be on the DMZ?
How and which records should I add, and how many and which zones should I add? That may be the real question.
ASKER CERTIFIED SOLUTION
Chris

This solution is only available to members.
Hmm, this is the full scenario:

The firewall has 3 interfaces (Outside, DMZ and Inside). The inside network has its own AD structure with its own DNS (the domain extension is .local). The DMZ has its own AD structure (now just 1 server for everything) and has its own DNS server (the same machine), and the domain extension is .external. On the DMZ DNS server (that machine too) the public domain is configured (SOA, NS, A records, etc.), with forward and reverse zones for the public domain. Inside network queries are resolved by the inside DNS, which redirects traffic to the DMZ (I think I should not have any trouble whether there are 1 or 50 servers, from the inside view). Internal users should access the corporate email server, website and FTP with no problem (on the inside DNS server a forward and reverse zone for the public domain is configured that redirects to the DMZ).

With one computer on the DMZ everything works fine, but now we have to add more servers because of security. Which zones and records should I configure, if there will be more than 1 server, to redirect the traffic correctly to the right server?

Subnet segments are: 192.168.0.0 (Inside), 172.16.31.0 (DMZ) and x.x.x.x (Public IPs).
OK, so you have one forward lookup zone which resolves the public domain name, and another forward lookup zone which resolves the .external domain.

The public zone should only have the records for anything publicly accessible, i.e. mail.domain.com, webserver.domain.com.
The .external zone would have server1.domain.external and an A record for the 172.16.31.xxx address.
You would then have at least 2 reverse lookup zones, one covering 172.16.31.0 and then additional ones for whatever public IP ranges.

I would say you don't really need the forward zones on the internal server, just conditional forwarders to point to the right place, or, if you want to use the same FQDN, then pinpoint zones to resolve mail.domain.com to the 172.16.31.xxx address.
When you say "The public zone should only have the records for anything publicly accessible, i.e. mail.domain.com, webserver.domain.com", I think you mean I have to add records with public IP addresses, right?
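A worked layout of the zones described in this answer, as an added example (not code from the thread or from any vendor documentation), written for the DnsServer PowerShell module and run on the DMZ DNS server. Everything not stated in the thread is an assumption chosen for illustration: pepito.com as the public domain, 203.0.113.0/24 (a documentation range) for the public addresses the ASA NATs, pepito.external and pepito.local for the DMZ and inside AD domains, 172.16.31.2 for the DMZ DNS server, 172.16.31.3, .4 and .5 for web, mail and FTP, and 192.168.0.10 for the inside DNS server.

```powershell
# Added example for the thread's scenario: three separate name spaces on the DMZ DNS
# server, none of them mixing public and private addresses.
# Assumed (not from the thread): pepito.com, 203.0.113.0/24, pepito.external,
# pepito.local, DMZ DNS 172.16.31.2, inside DNS 192.168.0.10.
$PublicZone = 'pepito.com'
$DmzZone    = 'pepito.external'
$DmzNet     = '172.16.31.0/24'

# 1. Public zone: only the names the Internet must reach, only the NAT'd public
#    addresses the firewall presents. No 172.16.31.x address belongs in here.
Add-DnsServerPrimaryZone -Name $PublicZone -ZoneFile "$PublicZone.dns" -DynamicUpdate None
Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name 'www'  -IPv4Address '203.0.113.10'
Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name 'ftp'  -IPv4Address '203.0.113.10'
Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name 'mail' -IPv4Address '203.0.113.11'
Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name 'ns1'  -IPv4Address '203.0.113.12'
# Inbound mail from the outside is delivered to the public address; the ASA NATs it to 172.16.31.4.
Add-DnsServerResourceRecordMX -ZoneName $PublicZone -Name '.' -MailExchange "mail.$PublicZone" -Preference 10

# 2. DMZ zone and its reverse zone: the servers' real addresses, used only by
#    hosts inside the DMZ. If pepito.external is already the AD-integrated zone
#    of the DMZ domain, skip the zone creation and only add the records.
Add-DnsServerPrimaryZone -Name $DmzZone -ZoneFile "$DmzZone.dns" -DynamicUpdate None
Add-DnsServerPrimaryZone -NetworkId $DmzNet -ZoneFile '31.16.172.in-addr.arpa.dns' -DynamicUpdate None
$DmzHosts = @{ dns = '172.16.31.2'; web = '172.16.31.3'; mail = '172.16.31.4'; ftp = '172.16.31.5' }
foreach ($h in $DmzHosts.GetEnumerator()) {
    # -CreatePtr writes the matching PTR record into the 172.16.31.0/24 reverse zone
    Add-DnsServerResourceRecordA -ZoneName $DmzZone -Name $h.Key -IPv4Address $h.Value -CreatePtr
}

# 3. Names under pepito.local are answered by the inside DNS server; nothing else is
#    forwarded there. The ASA must allow 53/udp and 53/tcp from 172.16.31.2 to 192.168.0.10.
Add-DnsServerConditionalForwarderZone -Name 'pepito.local' -MasterServers 192.168.0.10
```

The point of the layout is the one made in the thread: a query from the Internet for www.pepito.com gets 203.0.113.10 from the public zone and lands on the ASA, which NATs it to 172.16.31.3; the private address only ever appears in pepito.external and its reverse zone.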

But how does the DMZ DNS know where to redirect, for example, web queries to the right server in the DMZ? (E.g.: I am a user in the US and want to access the website and type www.pepito.com. I assume that DNS will reply: "Hello, we are pepito.com." But how does it know it must redirect that query to the web server?)

Where in the DMZ DNS will I tell it that the web server is 172.16.31.3, the mail server is .4 and FTP is .5? Where will the link between the public zone and the external zone be?
Yes, the public zone with public DNS.

External queries for www.pepito.com would hit your DNS server and the public zone and return the public IP address.
That would hit your firewall and then be forwarded on to the internal server address, i.e. 172.16.31.3.

There should be no need to link the public zone and the external zone; your internal servers shouldn't resolve to the external address, as that would force the traffic out of the firewall and back in, which would fail.
Is there any way to contact you via email? I have some issues about this topic. There are some details I cannot post on a public site.
Suitable suggestion based on the provided information.
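The inside-server half of the same design, plus a check for the "mixed up" zone problem raised earlier in the thread, as an added example (not code from the thread or from any vendor documentation). It is run on the inside (.local) domain controllers with the DnsServer module: pinpoint zones give internal clients the DMZ address of each public name, so their traffic stays on the inside-to-DMZ path instead of going to the public address and out through the ASA (which the thread says would fail), and an audit function confirms the public zone on the DMZ DNS server carries no private addresses. Assumptions not stated in the thread: pepito.com as the public domain, 172.16.31.2 for the DMZ DNS server, 172.16.31.3, .4 and .5 for web, mail and FTP, 192.168.0.10 for the inside DNS server, and the function name Test-PublicZoneLeak, which is mine.

```powershell
# Added example, run on the inside (pepito.local) DNS servers.
# Assumed (not from the thread): pepito.com, DMZ DNS 172.16.31.2, inside DNS 192.168.0.10.

# 1. Pinpoint zones: one AD-integrated zone per public FQDN, holding a single A record
#    at the apex with the DMZ address. Every other name under pepito.com is unaffected
#    and still resolves through the server's normal forwarders.
$Pinpoint = @{
    'www.pepito.com'  = '172.16.31.3'
    'mail.pepito.com' = '172.16.31.4'
    'ftp.pepito.com'  = '172.16.31.5'
}
foreach ($fqdn in $Pinpoint.Keys) {
    Add-DnsServerPrimaryZone -Name $fqdn -ReplicationScope 'Domain' -DynamicUpdate None
    Add-DnsServerResourceRecordA -ZoneName $fqdn -Name '@' -IPv4Address $Pinpoint[$fqdn]
}

# 2. Audit: any RFC 1918 address in the public zone is a misconfiguration. It leaks
#    DMZ topology to the Internet and is unroutable for outside clients anyway.
function Test-PublicZoneLeak {
    param(
        [string]$ZoneName  = 'pepito.com',
        [string]$DnsServer = '172.16.31.2'   # assumed DMZ DNS server
    )
    $private = '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)'
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
        Where-Object { $_.RecordData.IPv4Address.IPAddressToString -match $private } |
        ForEach-Object { "LEAK: $($_.HostName).$ZoneName -> $($_.RecordData.IPv4Address)" }
}
Test-PublicZoneLeak   # prints nothing when the public zone is clean

# 3. Cross-check from a client: the inside server should answer with the DMZ address,
#    the DMZ DNS server (public zone) with the NAT'd public address.
Resolve-DnsName -Name 'www.pepito.com' -Type A -Server 192.168.0.10 | Select-Object Name, IPAddress
Resolve-DnsName -Name 'www.pepito.com' -Type A -Server 172.16.31.2  | Select-Object Name, IPAddress
```

A pinpoint zone is chosen over a full copy of pepito.com on the inside servers because a copy has to be kept in step with every public record; the pinpoint zones only carry the three names internal users must reach by their DMZ address.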