PaulDotCom mailing list archives
DNS access from DMZ
From: paul at pauldotcom.com (Paul Asadoorian)
Date: Mon, 01 Dec 2008 13:32:54 -0500
Hi Albert,

See below. Short version: point external servers to external DNS servers.

> How do you guys suggest allowing DNS resolution from an internet-facing DMZ to the internal DNS server, aka PDC?

I would not recommend this. For one, if someone compromises a DMZ system they can attack your internal DNS server (remote exploits, cache poisoning, etc.).

> I doubt opening up 53 is suggested from all internet webservers in the DMZ

Yea, no :) Point your external web servers at your ISP's nameservers for resolution. If you don't trust your ISP, I've maintained my own servers for recursive lookups. These should be separate from the DNS servers that host your externally facing domain. In a pinch, you can even use OpenDNS.

> I am used to a split DNS provided by the great FW that is Sidewinder, but can't do that.

I just simply don't trust any software solution for DNS separation. I guess I'm old school, but I've always maintained at least one DNS server to host my domain(s), and one server for recursive lookups.

> So my next idea is just to create hosts file entries in each DMZ web server.

That could work; however, if I compromise any system I will be able to see a list of all the other hosts.

> What else is there?

See above :)

Cheers,
Paul

-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
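The recommendation in the reply above (DMZ hosts resolve through external recursive resolvers, never through the internal DNS server / PDC) is easy to state and easy to drift from as hosts get rebuilt. The following is an added example, not code from the list or from Paul, that audits a DMZ host's resolver configuration against that policy. The internal network ranges, the approved resolver addresses (TEST-NET-3 placeholders) and the two sample resolv.conf bodies are all constructed for the example.

```python
"""Audit a DMZ host's /etc/resolv.conf against the policy from the thread:
DMZ hosts must resolve via approved external recursive resolvers and must
never point at internal DNS servers (e.g. the PDC). Added example; all
addresses and sample files below are constructed, not real infrastructure."""
import ipaddress

# Constructed policy. INTERNAL_NETS: address space a DMZ host must never send
# DNS queries into. APPROVED_RESOLVERS: hypothetical external recursive
# resolvers (RFC 5737 TEST-NET-3 placeholders, not real servers).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
APPROVED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}


def parse_resolv_conf(text):
    """Return the nameserver addresses from a resolv.conf body, in file order.
    Comments (# or ;) and unrelated directives (search, options) are ignored."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def classify(server):
    """Classify one nameserver entry as 'approved', 'internal',
    'unapproved' (a public address not on the allow list) or 'invalid'."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if str(addr) in APPROVED_RESOLVERS:
        return "approved"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "unapproved"


def audit(text):
    """Audit a resolv.conf body. Returns a dict with every entry's class, the
    list of violating entries, and an overall verdict. A host with no approved
    resolver at all fails too, since it cannot resolve anything correctly."""
    entries = [(s, classify(s)) for s in parse_resolv_conf(text)]
    violations = [s for s, c in entries if c != "approved"]
    has_approved = any(c == "approved" for _, c in entries)
    return {
        "entries": entries,
        "violations": violations,
        "ok": has_approved and not violations,
    }


# Constructed sample: a DMZ web server wrongly pointed at the internal PDC.
SAMPLE_BAD = """# constructed example, not a real host
search corp.example
nameserver 192.168.1.10
nameserver 203.0.113.53
"""

# Constructed sample: the same host pointed only at external recursive resolvers.
SAMPLE_GOOD = """# constructed example, not a real host
nameserver 203.0.113.53
nameserver 203.0.113.54
options timeout:2 attempts:2
"""

if __name__ == "__main__":
    for name, body in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        result = audit(body)
        print(name, "ok" if result["ok"] else "FAIL", result["entries"])
```

Run it against a real host with `audit(open("/etc/resolv.conf").read())`. The "internal" class is the finding that maps directly to Paul's objection: a DMZ host whose resolver sits inside the internal network gives a compromised DMZ box a path to that server. The check only covers the host's own stub resolver configuration; the firewall policy that blocks DMZ-to-internal port 53 is the control that actually enforces it.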
Current thread:
- DNS access from DMZ Albert R. Campa (Dec 01)
- DNS access from DMZ Paul Asadoorian (Dec 01)
- DNS access from DMZ Mike Patterson (Dec 01)
- DNS access from DMZ Tim Krabec (Dec 01)
- DNS access from DMZ Albert R. Campa (Dec 01)
- DNS access from DMZ Arch Angel (Dec 01)
- DNS access from DMZ Mike Patterson (Dec 01)
- DNS access from DMZ Paul Asadoorian (Dec 01)