#1
|
Hello, I'm looking for advice on best practice regarding internal vs DMZ DNS - please see below.

Our current setup: internal DNS/DC servers currently forward all requests to an ISA DNS server within the DMZ, which then forwards requests to our ISP DNS servers. We are moving away from the ISA (and therefore will have no DMZ DNS server) to a dedicated hardware proxy (Bluecoat). The only other servers sitting in our DMZ are an SMTP relay and an InterScan Web Security Suite server.

My questions are:

1. Is it acceptable to forward all unresolved DNS requests from our internal DNS/DC servers through to our ISP's DNS servers? Why/why not, and what potential security issues could this raise? Or would it be advisable to set up a new DMZ DNS server with no knowledge of internal zones, used only for forwarding requests?

2. Is it acceptable to set client DNS to our public DNS servers (of course setting appropriate TCP and UDP port 53 rules on our firewall)?

Let me know your thoughts.
|
|
|
#2
|
exchange wrote:
> We are moving away from the ISA (and therefore no DMZ DNS server) to a
> dedicated hardware proxy (Bluecoat). The only other server sitting in
> our DMZ is an SMTP relay and InterScan Web Security Suite server. My
> questions are:
>
> 1. Is it acceptable to forward all unresolved DNS requests from our
> internal DNS/DC servers through to our ISP's DNS servers?

It is an accepted practice to forward to your ISP if you don't have your own caching-only DNS. I'm not sure about the hardware proxy you are getting, but most proxy servers have a caching-only DNS server.

> 2. Is it acceptable to set client DNS to our public DNS servers (of
> course set appropriate TCP and UDP rules 53 on our firewall).

Since this is an Active Directory domain, the answer is to never use an external DNS in the TCP/IP properties of any member client or server. All members of the AD domain must use only DNS servers that support the AD domain.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s

===================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue; to respond directly to me, remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix: it will strip signatures out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a backup of your OE settings and folders with OEBackup:
http://www.oe.com/OEBackup/Default.aspx
===================================
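The two recommendations in the reply above, turned into a runnable configuration and audit for a Windows Server DNS/AD environment (an added example, not code from either poster). The DNS server addresses, ISP resolver addresses and the internal zone name are constructed placeholders; it assumes it is run on a domain controller holding the DNS role with the RSAT modules installed.

```powershell
#Requires -Modules DnsServer, ActiveDirectory, DnsClient
# Added example, not from the thread. Constructed placeholders:
#   AD-integrated DNS servers : 10.0.0.10, 10.0.0.11
#   ISP resolvers             : 192.0.2.53, 192.0.2.54
#   Internal AD zone          : corp.example
$AdDns        = '10.0.0.10', '10.0.0.11', '127.0.0.1'   # loopback is fine on a DC pointing at itself
$IspResolvers = '192.0.2.53', '192.0.2.54'
$InternalZone = 'corp.example'

# Point 1: the internal DNS server resolves its own zones and forwards only what it
# cannot answer to the ISP. Disabling root hints means outbound UDP/TCP 53 from this
# host only ever goes to $IspResolvers, so the firewall rule can name them explicitly.
Set-DnsServerForwarder -IPAddress $IspResolvers -UseRootHint $false -Timeout 3
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout

# Companion check for point 1: the ISP resolver must have no knowledge of the
# internal zone, so a direct lookup against it is expected to fail.
try {
    Resolve-DnsName -Name "dc01.$InternalZone" -Server $IspResolvers[0] -DnsOnly -ErrorAction Stop
    Write-Warning "Internal zone $InternalZone is resolvable from $($IspResolvers[0]) - zone data is exposed"
} catch {
    Write-Host "OK: $InternalZone is not visible to $($IspResolvers[0])"
}

# Point 2: every AD member must list only AD-aware DNS servers in its TCP/IP
# properties. Query each enabled computer object and flag any other address.
$Report = foreach ($c in Get-ADComputer -Filter 'Enabled -eq $true') {
    try {
        $servers = Invoke-Command -ComputerName $c.DNSHostName -ErrorAction Stop -ScriptBlock {
            (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique
        }
        $foreign = @($servers | Where-Object { $_ -notin $AdDns })
        [pscustomobject]@{
            Computer   = $c.Name
            DnsServers = ($servers -join ', ')
            Compliant  = ($foreign.Count -eq 0)
        }
    } catch {
        [pscustomobject]@{ Computer = $c.Name; DnsServers = 'unreachable'; Compliant = $null }
    }
}

# Hosts pointing at external resolvers (or that could not be reached) are listed first.
$Report | Where-Object { $_.Compliant -ne $true } | Format-Table -AutoSize
```

A member that shows up as non-compliant will still browse the Internet but will intermittently fail AD logons, GPO processing and DC location, which is why the reply insists on internal DNS only.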
|