DMZ DNS configuration best practice

By mwoods269
Hello all,

I just inherited a network where they are using public IPs for everything in the DMZ. The firewall is configured in "drop in" mode and all DMZ servers have public IPs.

My question is in regards to configuring DMZ DNS servers. Our Exchange server is in the DMZ and authenticates to internal DCs. This server's primary DNS points to an internal DNS server and its secondary points to a DMZ DNS server. Can you tell me what the configuration would look like for this setup?

The DMZ DNS servers are configured with our internal DNS zone records for our 2 internal DCs. Isn't it a bad thing to host internal DNS records on public-facing servers?

Please help!



All Answers


Are you sure?

by CG IT In reply to DMZ DNS configuration bes ...

Check with your domain name registrar on who [what servers] are the authoritative name servers for your domain name [there should be two]. If your DMZ DNS servers are the authoritative name servers for your domain name, then they should be in the DMZ. They will also provide the alias translation between public and private names.

Next ask yourself if your Exchange Server is in the DMZ, is it configured as a Bridgehead or a Front End Exchange?

Last question you should ask yourself is, is the non-DMZ DNS servers' domain name public or private?

Armed with answers to those questions, how the network is configured might make sense.


Summary of network

by mwoods269 In reply to DMZ DNS configuration bes ...

OK here is what I am dealing with:

Fatpipe ISP load balancer hosting external DNS records for our domain

2 DMZ DNS servers:
- no forwarders configured
- zone transfers allowed from any server for the internal .local zone
- host forward lookup zones for the DMZ as well as our internal resources
- both point to themselves for DNS and to the Fatpipe for secondary DNS

2 internal DNS servers:
- forwarders set to ISP DNS servers
- both point to themselves for DNS and to each other for secondary DNS
- both contain zones for internal and DMZ resources
- both have A records for DMZ hosts
- zone transfers to servers listed in the Name Servers tab (2 internal and 1 DMZ)

I hope this helps get us started.

The Exchange server is standalone and serving email for our users.
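The configuration summarised in the post above has two concrete findings a practitioner would want to check and fix on the DMZ DNS servers: the internal .local zone is hosted on public-facing servers, and zone transfers for it are open to any requester. The following PowerShell is an added example, not code from the original thread or from the poster; it is written for the Windows DnsServer module and every name in it is an assumption: `corp.local` stands for the internal AD zone, `example.com` for the public zone, `10.0.0.10`/`10.0.0.11` for the internal DCs, `203.0.113.53` for the peer DMZ DNS server and `dmz-dns1.example.com` for the DMZ server's own hostname.

```powershell
# Added example (not from the original thread). Audit and remediation for the
# DMZ DNS servers described in the network summary. Run on each DMZ DNS server
# with the DnsServer module (Windows Server 2012 or later). All zone names,
# hostnames and IP addresses are hypothetical placeholders.
Import-Module DnsServer

$InternalZones = @('corp.local')      # hypothetical internal AD zone; must not live on a public-facing server
$PublicZone    = 'example.com'        # hypothetical public zone this server is authoritative for
$PeerDmzDns    = '203.0.113.53'       # hypothetical peer DMZ DNS server, the only host allowed to pull a copy

# 1. Audit: list every zone this server hosts and flag the two findings from the
#    thread: an internal zone on a DMZ server, and transfers open to any requester.
#    SecureSecondaries is one of NoTransfer, TransferAnyServer,
#    TransferToZoneNameServer or TransferToSecureServers.
$findings = foreach ($z in Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }) {
    [pscustomobject]@{
        Zone         = $z.ZoneName
        Type         = $z.ZoneType
        Transfers    = $z.SecureSecondaries
        InternalZone = ($InternalZones -contains $z.ZoneName)
        OpenTransfer = ($z.SecureSecondaries -eq 'TransferAnyServer')
    }
}
$findings | Format-Table -AutoSize

# 2. Remediate the internal zone: remove it from the DMZ server entirely. The
#    Exchange host already uses an internal DNS server as its primary, so the
#    DMZ server has no reason to answer for corp.local at all.
foreach ($name in $InternalZones) {
    if (Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue) {
        Remove-DnsServerZone -Name $name -Force
    }
}

# 3. Remediate the public zone: keep hosting it, but only let the peer DMZ
#    server pull it. Anyone else asking for an AXFR is refused.
Set-DnsServerPrimaryZone -Name $PublicZone `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $PeerDmzDns

# 4. An authoritative server with recursion enabled and no forwarders will
#    resolve arbitrary names for anyone who asks, i.e. it is an open resolver.
#    Disable recursion; DMZ hosts should use a resolver elsewhere (see note).
Set-DnsServerRecursion -Enable $false

# 5. Verify from any host outside the allow-list. A locked-down server refuses
#    the transfer and has no answer for the internal zone.
Resolve-DnsName -Name 'corp.local' -Type SOA -Server $PeerDmzDns -ErrorAction SilentlyContinue
# From a Linux/macOS box the equivalent check is:
#   dig @203.0.113.53 corp.local axfr      -> expect "Transfer failed."
#   dig @203.0.113.53 example.com axfr     -> expect "Transfer failed."

# 6. On the internal DNS servers (run there, not on the DMZ box): the internal
#    zone listed the DMZ server on its Name Servers tab, so it was being handed
#    a copy of corp.local. Remove that NS record so transfers stop at the source.
# Remove-DnsServerResourceRecord -ZoneName 'corp.local' -Name '@' -RRType NS `
#     -RecordData 'dmz-dns1.example.com.' -Force

# 7. On the Exchange server (run there): once the DMZ server no longer knows
#    corp.local, its secondary DNS must be the second internal server, not the
#    DMZ server, or authentication to the DCs fails whenever the primary is down.
# Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 10.0.0.10, 10.0.0.11
```

Two caveats on step 4. Once recursion is off, the DMZ servers themselves (which the post says point to themselves for DNS) can no longer look up outside names, so their client DNS settings need to point at a resolver that is allowed to recurse; and the firewall rule that let the DMZ DNS servers reach the internal DCs for the .local zone can be closed once step 6 is done, which is the "don't let AD cross the firewall" outcome the later replies argue for.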

DNS on DMZ
by CG IT In reply to Summary of network

Quick and Dirty:

Typically DNS servers in a DMZ [meaning behind the perimeter firewall and in front of the local network firewall] are authoritative name servers for a FQDN. These authoritative name servers provide public address to FQDN resolution for Internet WhoIs queries. These DNS servers can also provide alias support for the local network in translating a public name to a private name, e.g. .com to .local.

DNS servers behind the local network firewall provide local network name to address resolution for local network queries. Typically in an Active Directory or Directory Services environment.

When the local DNS server cannot answer queries it forwards that query to other name servers for resolution. For example, a web site using your FQDN <domain>.com can't be answered by your internal DNS servers because they can only resolve a private name <domain>.local to an address. So it forwards those to the Internet root-hint servers. These servers put out a WhoIs query, e.g. WhoIs <domain>.com; if your DMZ DNS servers are the authoritative DNS servers for your domain name, they answer the query <domain>.com = your public IP address. Therefore the answer to the query is your public IP address. Traffic is then sent to that address over the specific protocol port. For example, you host your web site <domain>.com on a web server in your DMZ. Traffic would be sent to your public IP address over port 80. You forward that port traffic [port 80] through your perimeter router to your web server, which will then provide the web page.

So this is why in my original post I asked, are you sure? DNS servers in a DMZ play a role if those DNS servers are the authoritative DNS for your public domain name. They provide name to public address resolution for your FQDN. Without that, no one would know that FQDN is your public IP address and then send traffic to you such as email.


Well Explained

by robo_dev In reply to DNS on DMZ

And, call me crazy, but there are significant security risks in exactly how you expose DNS and AD to your DMZ.

Since LDAP, by default, is not encrypted, you really need to look at technology such as ADFS (Active Directory Federated Services) to effectively 'proxify' and sign/encrypt AD LDAP traffic to/from DMZ.

Of course the best answer is to 'say no' and not allow AD to cross the firewall in the first place....


Yep!! big hole...

by CG IT In reply to Well Explained v/ v/

AD DNS really doesn't have to cross into the DMZ. AD only needs DNS for the local LAN. It doesn't care about anything else.
