DNS on firewalls: Bad idea?

By Bill Kz ·
I have recently joined a new company that is preparing for a migration to Win2K/Active Directory, and is re-examining our DNS setup.

Currently, our primary DNS server is our firewall; it not only provides for internal resolution, but also replicates changes to our ISP for public hosts. It *is* set up so that only publicly accessible hosts replicate to our ISP, but the whole setup still makes me nervous. We rarely make changes to public DNS (once a day TOPS); we could very easily call the ISP and make changes that way.

I've always been of the opinion that firewalls are for one task only: Securing the network. They shouldn't be running applications (ours also acts as an SMTP relay).

My questions are: Am I nuts? If not, can someone point me to an authoritative source in print/on the web that backs me up?

Thanks much in advance,
Bill

by Sojournist In reply to DNS on firewalls: Bad idea?

You are nervous with reason. DNS names for objects are also the Active Directory names. The domain controllers are also registering their SRV records there. You don't want your active directory structure to be enumerated with DNS queries or zone transfers. It is tricky to keep public and private records when you have two DNS servers, one in the DMZ to service public queries and one within the inner firewall for internal namespace.

Stick with your instinct on this and move the DNS Server inside the firewall. If your ISP is hosting your public DNS records, let them. It doesn't sound like the risks you open to the network are worth the benefits of updating a record or two a day.

Also know that by default, a 2k DNS Server will allow zone transfer to anyone who requests.

You didn't tell us which OS is running DNS, but if it is Windows NT, that server will need to be upgraded before the PDC upgrade. Windows NT DNS Servers cannot register SRV records which are required for Active Directory to function.

by dlafrombois In reply to DNS on firewalls: Bad idea?

My only concern is that since the DNS server is for external updates (of the firewall) then you potentially have a security issue. I went out to insecure.com and attempted to find DNS vulnerabilities. I gave up quickly since they did not have a good search engine. If someone could use the DNS port for attack then your firewall will be compromised. A better approach is to place a DNS server on the outside and one on the inside of the firewall. The inside DNS server updates from the outside or from the ISP. The outside is updated only for your external servers. Thus letting the firewall be a firewall.
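Added example, not code from this thread or from either poster: a small Python check that ties together the two replies above. Sojournist's point is that an Active Directory zone carries SRV locator records (and private addresses) that an unrestricted zone transfer hands to anyone; dlafrombois's point is that the fix is two servers, an outside one holding only public hosts and an inside one holding everything. The script takes a zone dump in the shape `dig @server example.com AXFR` prints it, flags the AD and RFC 1918 records that must never reach the ISP, and splits the zone into the public half and the internal half. The zone content, hostnames and addresses are constructed for the example (`example.com`, `dc1`, `203.0.113.x`, `10.x`); run it against your own AXFR output to see what an outsider would learn.

```python
"""Split a DNS zone dump into ISP-safe public records and internal-only records.

Input format: one record per line as printed by `dig AXFR`
(name ttl class type rdata). Sample zone below is constructed, not real.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed sample: what an unrestricted zone transfer of an AD-integrated
# zone might return. Names and addresses are made up for this example.
SAMPLE_AXFR = """\
; <<>> DiG <<>> @ns1.example.com example.com AXFR   (comment lines are ignored)
example.com.            3600 IN SOA   ns1.example.com. hostmaster.example.com. 2001 900 600 86400 3600
example.com.            3600 IN NS    ns1.example.com.
ns1.example.com.        3600 IN A     203.0.113.2
www.example.com.        3600 IN A     203.0.113.10
mail.example.com.       3600 IN A     203.0.113.25
example.com.            3600 IN MX    10 mail.example.com.
dc1.example.com.        1200 IN A     10.1.0.5
dc2.example.com.        1200 IN A     10.1.0.6
fileserver.example.com. 1200 IN A     10.1.2.40
_ldap._tcp.example.com. 600 IN SRV   0 100 389 dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV   0 100 389 dc2.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_gc._tcp.example.com.   600 IN SRV   0 100 3268 dc1.example.com.
"""

# RFC 1918 ranges checked explicitly; ipaddress.is_private would also match
# documentation ranges such as 203.0.113.0/24, which is not what we want here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_zone(text: str) -> List[Record]:
    """Parse dig-style AXFR output; drops comments, blank lines and non-IN records."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, ttl, rclass, rtype, rdata = line.split(None, 4)
        if rclass.upper() != "IN":
            continue
        records.append(Record(name.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records


def is_ad_name(name: str) -> bool:
    """AD locator records live under underscore labels (_ldap._tcp, _msdcs, _sites, ...)
    and, for AD-integrated zones, under DomainDnsZones / ForestDnsZones."""
    labels = name.rstrip(".").split(".")
    return any(l.startswith("_") or l in ("domaindnszones", "forestdnszones") for l in labels)


def is_rfc1918(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def split_zone(records: List[Record]) -> Tuple[List[Record], List[Record]]:
    """Return (public, internal). Internal = AD records, hosts with RFC 1918
    addresses, and any record whose target is such a host."""
    internal_hosts = {r.name for r in records if r.rtype == "A" and is_rfc1918(r.rdata)}
    public, internal = [], []
    for r in records:
        target = r.rdata.split()[-1].lower()          # last rdata field is the target host for SRV/MX/NS/CNAME
        points_inside = r.rtype in ("SRV", "MX", "NS", "CNAME") and target in internal_hosts
        if is_ad_name(r.name) or r.name in internal_hosts or points_inside:
            internal.append(r)
        else:
            public.append(r)
    return public, internal


def enumerate_dcs(records: List[Record]) -> List[str]:
    """Domain controllers an outsider learns from the SRV locator records alone."""
    return sorted({r.rdata.split()[-1].lower() for r in records if r.rtype == "SRV" and is_ad_name(r.name)})


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_AXFR)
    pub, internal = split_zone(recs)
    print(f"{len(pub)} records may go to the ISP; {len(internal)} must stay on the inside server")
    print("domain controllers exposed by the SRV records:", enumerate_dcs(recs))
    for r in internal:
        print(f"  internal: {r.name} {r.rtype} {r.rdata}")
```

To test the actual exposure rather than a dump, run `dig @your-public-nameserver yourdomain AXFR` from a host outside your network: if records come back at all, the transfer restriction Sojournist mentions is not in place, and everything this script lists as internal is readable by anyone.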

This question was closed by the author.