DMZ dns best practice

Hello, I'm looking for advice on best practice.

What is the ideal security solution?

Current setup:

Internal DNS/DC servers currently forward all requests to an ISA DNS server within the DMZ, which then forwards requests to our ISP DNS servers.

We are moving away from the ISA (and therefore no DMZ DNS server) to a dedicated hardware proxy (Bluecoat). The only other server sitting in our DMZ is an SMTP relay server. My questions are:

  1. Is it acceptable to forward all unresolved DNS requests from our internal DNS/DC servers through to our ISP's DNS servers? Why/why not? What potential security issues could this raise?

  2. Is it acceptable to set client DNS to our public DNS servers (of course setting appropriate TCP and UDP port 53 rules on our firewall)?

Let me know your thoughts.

Reply to
Ben Rogers

There is none. All solutions have tradeoffs - what is ideal/satisfactory for you may not be tolerable to others, and vice-versa.

There are three types of addresses: Internal use only, external use only, and both. Do your internal hosts need to be visible to the world?

You may find it desirable to have internal addresses resolvable to "real" names only from internal hosts. This is best done with an internal name server that is not serving names externally. If your internal hosts need access, but are not meant to be reachable (i.e., they're clients to the world, not servers), you _may_ find it useful to have an _external_ name server that returns "generic" names - such as 1.2.0.192.in-addr.arpa returning 192.0.2.1.example.com (and so on). Your internal hosts should be able to resolve external names via the internal name server, and having that server either do recursive resolution on its own, or forward such requests to the ISP.

Your external name servers (those required to exist by your domain registration) should be located at two sites externally, and should be configured to resolve your domain's "public" addresses (mail server, web server, DNS, whatever is needed to be externally visible). If your ISP has delegated the in-addr.arpa zone (IP to name) to you, those name servers should resolve the zone (including very specifically the mail server IPs). Internal names should not be resolvable externally, and if you are delegated the in-addr.arpa zone for the internal IP range, you may want to resolve these addresses to generic names (or not - depending on your security and connection needs).

Probably - but that depends on your perceived threat model.

That depends on your perceived threat model.

Old guy

Reply to
Moe Trin
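The split layout Moe Trin describes (an internal recursive server that forwards to the ISP, and an authoritative-only external server answering with generic reverse names) can be expressed in BIND 9 as two views. This is an added example, not configuration from the thread; it assumes internal hosts in 10.0.0.0/8, the public range 192.0.2.0/24 used in the reply, placeholder ISP resolvers 198.51.100.1 and 198.51.100.2, and the domain example.com.

```conf
// Added example (not from the thread): split-horizon BIND 9 named.conf.
// Placeholders: 10.0.0.0/8 internal, 192.0.2.0/24 public, 198.51.100.x ISP resolvers.

acl internal_nets { 10.0.0.0/8; 127.0.0.1; };

// Internal view: recursion for internal clients only, "real" names,
// unresolved queries forwarded to the ISP ("forward first" falls back to
// iterative resolution if the forwarders do not answer).
view "internal" {
    match-clients { internal_nets; };
    recursion yes;
    allow-recursion { internal_nets; };
    forward first;
    forwarders { 198.51.100.1; 198.51.100.2; };

    zone "example.com" {
        type master;
        file "internal/example.com.zone";        // real internal host names
    };
    zone "10.in-addr.arpa" {
        type master;
        file "internal/10.in-addr.arpa.zone";    // real reverse names, internal only
    };
};

// External view: authoritative only. No recursion for the world, so this
// server cannot be used as an open resolver, and the delegated reverse
// zone answers with generic names rather than internal host names.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    allow-transfer { none; };                    // list your secondaries here in production

    zone "example.com" {
        type master;
        file "external/example.com.zone";        // mail, web and NS records only
    };
    zone "2.0.192.in-addr.arpa" {
        type master;
        file "external/2.0.192.in-addr.arpa.zone";
    };
};
```

In the external reverse zone file, a single `$GENERATE 1-254 $ PTR 192.0.2.$.example.com.` line produces the generic names of the form 192.0.2.1.example.com from the reply; the matching A records belong in the external example.com zone.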

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.