Forum.Brain-Cluster.com: Brain Cluster Technical Forum
DNS server (forwarder) in DMZ - Necessary [message #366964] Wed, 13 January 2010 07:19
Thomas Moeller Nexoe (Denmark)
Hi.

I seem to remember something about best practice DNS server placement
from the certification days, where we were told that an internal DNS
server (a DC, for instance) should never be allowed to do name resolution
on the Internet and that the best design would be to place a DNS server
in a DMZ and have the DC/internal DNS server forward queries to that
DMZ DNS server and have the DMZ DNS server either resolve the DNS
requests or forward to an Internet DNS server.

Now I'm trying to catch up and am trying to find some information
regarding this, but I'm not able to find information from any source
explaining this.
I find information about split DNS, i.e. the same setup, but these
articles explain split DNS for scenarios where the public DNS zone
is hosted by the company itself.

So my question here is: will it still be considered a security
enhancement with this setup, even if you are not hosting the public DNS
yourself, or will it be kind of overkill with an additional hop from the
DMZ DNS server to, for instance, the ISP's DNS server?
Or will it be sufficient to have the DNS server on the internal network
forward to a known DNS server at the ISP?

Any links to information explaining the pros of this kind of setup and
comments on this will be highly appreciated!

Thanks!

--
Best regards,

Thomas Moeller Nexoe
--------------------------------------
Website: http://www.winfrastructure.dk
Blog: http://www.winfrastructure.net
Re: DNS server (forwarder) in DMZ - Necessary [message #367023 is a reply to message #366964] Wed, 13 January 2010 08:33
Danny Sanders (United States)
Personally I think it's overkill. I've worked in places with and without a
DMZ and forwarders were always to the ISP.


hth
DDS

Re: DNS server (forwarder) in DMZ - Necessary [message #367386 is a reply to message #366964] Wed, 13 January 2010 14:37
Jorge Silva
If I recall correctly that recommendation is still valid; however, this will
depend on your security needs and impact within your network, costs, etc.

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
Re: DNS server (forwarder) in DMZ - Necessary [message #367427 is a reply to message #367023] Wed, 13 January 2010 15:01
Thomas Moeller Nexoe (Denmark)
On 13-01-2010 16:33, Danny Sanders wrote:
> Personally I think it's overkill. I've worked in places with and without a
> DMZ and forwarders were always to the ISP.
>
>
> hth
> DDS

Hi Danny.

Thanks for replying!
Do you mean overkill in terms of the additional hop or overkill because
of the extra hardware needed?

My concern is whether to go for the additional DNS server, as I believe
the internal servers should be hidden from 'the cruel outside world'.
But I cannot seem to find any information about whether internal server
access towards the Internet is actually a security breach or not. I
guess the danger is not that big if the forwarder is a well-known server,
though. But in general I don't think that servers should act as clients,
and indeed not towards untrusted networks like the Internet...

Cheers!

--
Best regards,

Thomas Moeller Nexoe
--------------------------------------
Website: http://www.winfrastructure.dk
Blog: http://www.winfrastructure.net
Re: DNS server (forwarder) in DMZ - Necessary [message #367428 is a reply to message #367386] Wed, 13 January 2010 15:05
Thomas Moeller Nexoe (Denmark)
On 13-01-2010 22:37, Jorge Silva wrote:
> If I recall correctly that recommendation is still valid, however, this
> will depend of your security needs and impact within your network,
> costs, etc...
>

Hi Jorge.

Yeah, but is this still the case when we don't host our public DNS?
As mentioned, I can find a lot of recommendations to split DNS, but all
the articles explain a split DNS infrastructure where the AD DNS
zone is split from the public DNS. No recommendations to split DNS
only for securing internal servers.

Cheers!

--
Best regards,

Thomas Moeller Nexoe
--------------------------------------
Website: http://www.winfrastructure.dk
Blog: http://www.winfrastructure.net
Re: DNS server (forwarder) in DMZ - Necessary [message #368122 is a reply to message #367428] Thu, 14 January 2010 09:47
Danny Sanders (United States)
I think it's overkill from the standpoint of building a DMZ just for a DNS
server. If you already have a DMZ and an extra server, go ahead. I would not
build a DMZ and invest the money in a server if the network had no other
requirements for a DMZ.

hth
DDS
Re: DNS server (forwarder) in DMZ - Necessary [message #368791 is a reply to message #367428] Fri, 15 January 2010 04:21
Jorge Silva
My opinion is a little bit different from Danny's. Personally, I think that
nowadays building a dedicated server for the Internet doesn't cost too much
money (for example, using virtualization), and from a security perspective you
should be much more comfortable than having your internal DNS/DCs doing
that job.

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
Re: DNS server (forwarder) in DMZ - Necessary [message #372076 is a reply to message #366964] Sat, 16 January 2010 14:38
Jonathan de Boyne Pollard (United Kingdom)
> Now I'm trying to catch up and am trying to find some information
> regarding this, but I'm not able to find information from any source
> explaining this.

That's probably because it's not as widely recommended as you thought it to
be. In part, it's based upon a misunderstanding of how DNS works, exemplified
by what you wrote in a later post:

> But in general I don't think that servers should act as clients and indeed
> not towards untrusted networks like the Internet...

The provision of DNS services *involves* DNS servers acting as clients. It's
a fundamental part of the DNS. The DNS client library in your applications
queries a proxy DNS server
(http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/dns-server-roles.html#Proxy),
which in turn communicates via back-end queries, where it *acts as a client*,
with content DNS servers
(http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/dns-server-roles.html#Content)
on Internet at large. It does this as part of query resolution
(http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/dns-query-resolution.html),
putting together all of the various portions of the overall DNS database
published by the separate content DNS servers, and forming an actual answer
to be returned to the original client who sent the front-end query.

> So my question here is: will it still be considered a security enhancement
> with this setup, even if you are not hosting the public DNS yourself, or
> will it be kind of overkill with an additional hop from the DMZ DNS server
> to, for instance, the ISP's DNS server?

Here's your misunderstanding in action. In the usual case, there *is no* hop
from the resolving proxy DNS server to your ISP's server. The resolving proxy
DNS server talks directly to content DNS servers located on the rest of
Internet at large. Having a forwarding proxy DNS server is not really the
usual case.

There are various reasons for having a forwarding proxy DNS server (and
various reasons for not having one). In the circumstances that you describe
here, many of them relate to the size and shape of hole that one knocks into
one's firewall for DNS
(http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/dns-shaped-firewall-holes.html).
A bigger hole is required for a resolving proxy DNS server than for a
forwarding proxy DNS server. But this particular decision criterion does not
apply to the proxy DNS server that is *outside of one's firewall*, only to
the proxy DNS servers that are inside one's firewall. Usually there's no such
reason for having a proxy DNS server outside of one's firewall be a
forwarding proxy, and the other reasons for having a forwarding proxy in that
location are outweighed by the reasons for having a *resolving* proxy there.
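As an added example of the design the thread discusses (this is editor-supplied code, not code from any of the posters), the PowerShell below sets up the internal DC as a forwarding proxy that sends everything it cannot answer itself to a DMZ box, and that DMZ box as a resolving proxy that walks the delegation from the root hints rather than forwarding on to the ISP. The addresses 10.0.0.10 (DC) and 192.0.2.53 (DMZ resolver) and the name www.example.com are assumptions; the cmdlets are from the Windows DnsServer module (Server 2012 and later).

```powershell
# Added example, not from the thread. Assumed addresses:
#   10.0.0.10   internal DC / AD-integrated DNS server (forwarding proxy)
#   192.0.2.53  DMZ resolver (resolving proxy)
# Cmdlets are from the Windows DnsServer module (Server 2012+); run each
# section as an administrator on the host named in its heading.

# ---------- On the internal DC (10.0.0.10) ----------
# Send every query the DC cannot answer from its own zones to the DMZ resolver
# and nowhere else. -UseRootHint $false is the important switch: the default
# is to fall back to the root hints when the forwarders do not answer, which
# would have the DC querying content servers on the Internet directly, i.e.
# the very thing this design is meant to prevent. With it off, a forwarder
# outage fails closed (external names stop resolving) instead of failing open.
Set-DnsServerForwarder -IPAddress 192.0.2.53 -UseRootHint $false -Timeout 3

# Recursion must stay on: disabling recursion on a Windows DNS server also
# disables the use of forwarders.
Set-DnsServerRecursion -Enable $true

# ---------- On the DMZ resolver (192.0.2.53) ----------
# No forwarders at all; with recursion enabled the server walks the
# delegation itself starting from the root hints. This is the box that needs
# the "big" firewall hole (UDP/TCP 53 outbound to any Internet address); the
# DC needs only UDP/TCP 53 to 192.0.2.53. The resolver should accept queries
# only from the internal DNS servers; if it answers recursive queries from the
# Internet, it is an open resolver.
$existing = (Get-DnsServerForwarder).IPAddress
if ($existing) { Remove-DnsServerForwarder -IPAddress $existing -Force }
Set-DnsServerRecursion -Enable $true
Get-DnsServerRootHint | Select-Object -First 3   # sanity check: root hints present

# ---------- Checks, run on the DC ----------
$fwd = Get-DnsServerForwarder
"Forwarders: $($fwd.IPAddress -join ', ')   UseRootHint: $($fwd.UseRootHint)"
if ($fwd.UseRootHint) {
    Write-Warning 'Root-hint fallback is still on; the DC can bypass the DMZ resolver.'
}
# An external name must resolve through the chain DC -> DMZ resolver -> Internet.
try {
    Resolve-DnsName -Name www.example.com -Type A -Server 10.0.0.10 -DnsOnly -ErrorAction Stop |
        Select-Object Name, IPAddress
} catch {
    Write-Warning "Resolution via the DC failed: $($_.Exception.Message)"
}
```

The perimeter rules that go with this are the point of the whole exercise: allow UDP/TCP 53 from the DC to 192.0.2.53 only, allow UDP/TCP 53 from 192.0.2.53 outbound to the Internet, and allow nothing inbound on 53 to the DMZ resolver from the Internet. Once those rules are in place, a query to 192.0.2.53 from an ordinary internal client should fail, which is a useful way to confirm the policy is actually enforced and not just configured on the servers.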