Best practice for external DNS and recursive queries.

Discussion in 'DNS Server' started by Billnitro45, Sep 15, 2005.

  1. Billnitro45

    Billnitro45 Guest

    Hello,

    Just wondering what the best practice is for configuring my external DNS
    servers. They currently do not return name resolution for anything other
    than the zones that are hosted. However, I need to add a web server that
    will be facing publicly and want it to use the external dns servers for
    resolution. A program running on the web server will need to be able to
    resolve dynamic names which will require the external dns servers to return
    queries other than the locally hosted zones.

    Are there any recommendations? I don't think it's a good practice to allow
    your external DNS servers to perform queries, but if they have to, they should
    only be iterative, correct? Also, besides opening a hole in the firewall, are
    there any other problems with allowing a web server in the DMZ access to the
    internal DNS servers, since the internal DNS servers already answer recursive
    queries and access root hints, etc.?

    Thanks!

    Jeff
     
    Billnitro45, Sep 15, 2005
    #1

  2. Ed Horley

    Ed Horley Guest

    Jeff,
    I would recommend leaving your external DNS servers alone and only having them
    resolve for their hosted zones. Your log files will be much easier to audit
    if something does happen. Plus, the servers are intended for a single purpose
    now; I see no reason to change that.
    I would either point your web servers at your upstream service provider's DNS
    servers or, if you want to be able to check and control the queries more
    directly, point them to your internal DNS servers. The only thing you have to be
    cautious about when using internal DNS servers is if your pages are
    returning content that might return results of the internal DNS itself.
    The only potential problem with opening up a DMZ web server to access DNS on the
    inside is if the web server is compromised and there is an exploit that
    works over DNS (TCP/UDP port 53); otherwise just log stuff on the firewall
    and you should be fine.

    Regards,
    Ed Horley
    Microsoft MVP Server-Networking
     
    Ed Horley, Sep 15, 2005
    #2
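The advice above hinges on one check: does the external server set the RA (recursion available) flag, or does it answer only for its own zones? The script below is an added example, not something posted in this thread, that builds a recursive (RD=1) A query, parses the response header and classifies the server. The sample responses are constructed in-line so it runs offline; `probe()` is the only part that touches the network, and it assumes you have a server of your own to point it at.

```python
"""Open-resolver check: does a DNS server answer recursive queries for us?

Added example; the response bytes below are constructed fixtures, not captured
traffic.  Header layout and flag bits follow RFC 1035 section 4.1.1.
"""
import socket
import struct

QR_BIT = 0x8000      # response (vs. query)
RD_BIT = 0x0100      # recursion desired (set by the client)
RA_BIT = 0x0080      # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def build_query(qname, txid=0x1234, recursion_desired=True):
    """Build a minimal A/IN query; RD=1 asks the server to recurse for us."""
    flags = RD_BIT if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.strip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(response):
    """Parse the 12-byte header and say how the server treated a recursive query."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", response[:12])
    if not flags & QR_BIT:
        raise ValueError("packet is a query, not a response")
    ra = bool(flags & RA_BIT)
    rcode = flags & RCODE_MASK
    if ra:
        # Server advertises recursion to this client: it will resolve anything.
        verdict = "recursion-available"
    elif rcode == RCODE_REFUSED:
        # Policy explicitly rejected the query (e.g. allow-recursion / NoRecursion).
        verdict = "refused"
    else:
        # No RA: the server only answers from zones it hosts.
        verdict = "authoritative-only"
    return {"txid": txid, "ra": ra, "rcode": rcode, "ancount": ancount, "verdict": verdict}


def make_response(query, recursion_available, rcode, answer_rdata=None):
    """Constructed fixture: a response to `query` with the given RA/RCODE and an
    optional single A record.  Exists so the classifier can be exercised offline."""
    txid, qflags, qdcount = struct.unpack("!HHH", query[:6])
    flags = QR_BIT | (qflags & RD_BIT) | rcode
    if recursion_available:
        flags |= RA_BIT
    ancount = 1 if answer_rdata else 0
    header = struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)
    body = query[12:]  # echo the question section
    if answer_rdata:
        # NAME = pointer to offset 12, TYPE=A, CLASS=IN, TTL=60, RDLENGTH=4
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + answer_rdata
    return header + body


def probe(server_ip, qname="www.example.com", timeout=3.0):
    """Live check over UDP/53 against a server you operate (assumed reachable)."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        response, _ = sock.recvfrom(512)
    result = classify_response(response)
    if result["txid"] != 0x1234:
        raise ValueError("transaction ID mismatch; ignoring stray packet")
    return result


if __name__ == "__main__":
    q = build_query("www.example.com")
    # 93.184.216.34 is just an illustrative address for the constructed answer.
    fixtures = {
        "open resolver": make_response(q, True, RCODE_NOERROR, bytes([93, 184, 216, 34])),
        "refusing server": make_response(q, False, RCODE_REFUSED),
        "authoritative-only": make_response(q, False, RCODE_NOERROR),
    }
    for label, resp in fixtures.items():
        print(f"{label:20s} -> {classify_response(resp)['verdict']}")
```

Run `probe("<your external DNS IP>")` from outside your network: an external server that is doing its job reports `refused` or `authoritative-only`; `recursion-available` means it is an open resolver for whoever asked, which is the setup the poster was right to avoid.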

  3. Todd J Heron

    Todd J Heron Guest

    Hmm...this is strangely worded but I think you get the idea that external
    DNS server maintains your "public presence" zone while internal DNS servers
    maintain your internal AD. Before answering your question, what is the
    design of your internal and external namespace? Same name, delegated
    subdomain, or different altogether?

    --
    Todd J Heron, MCSE
    Windows Server 2003/2000/NT; CCA
    ----------------------------------------------------------------------------
    This posting is provided "as is" with no warranties and confers no rights
     
    Todd J Heron, Sep 15, 2005
    #3
  4. Billnitro45

    Billnitro45 Guest

    Thanks for the recommendations! I'm going to use our provider's DNS servers,
    as I don't want to expose our AD DNS servers.
     
    Billnitro45, Sep 16, 2005
    #4