Discussion: Internal vs DMZ dns
21/07/2006, 16:57   #1
exchange

Hello, I'm looking for advice on best practice regarding internal vs
DMZ DNS - please see below -

Our Current setup:

Internal DNS/DC servers currently forwarding all requests to an ISA DNS
server within DMZ which then forwards requests to our ISP DNS servers.

We are moving away from the ISA (and therefore no DMZ DNS server) to a
dedicated hardware proxy (Bluecoat). The only other servers sitting in
our DMZ are an SMTP relay and an InterScan Web Security Suite server. My
questions are:


1. Is it acceptable to forward all unresolved DNS requests from our
internal DNS/DC servers through to our ISP's DNS servers? Why/why not,
what potential security issues could this raise? Or would it be
advisable to set up a new DMZ DNS server with no knowledge of internal
zones and only for forwarding requests?

2. Is it acceptable to set client DNS to our public DNS servers (of
course setting appropriate TCP and UDP 53 rules on our firewall)?


Let me know your thoughts
