PaulDotCom mailing list archives

DNS access from DMZ


From: paul at pauldotcom.com (Paul Asadoorian)
Date: Mon, 01 Dec 2008 13:32:54 -0500

Hi Albert,

See below, short version: Point external servers to external DNS servers.

> How do you guys suggest allowing DNS resolution from an internet facing
> DMZ to the internal DNS server, aka PDC?

I would not recommend this; for one, if someone compromises a DMZ system they
can attack your internal DNS server (remote exploits, cache poisoning,
etc.).

> I doubt opening up 53 is suggested from all internet webservers in the DMZ

Yea, no :)  Point your external web servers at your ISP's nameservers for
resolution.  If you don't trust your ISP, I've maintained my own servers
for recursive lookups.  These should be separate from the DNS servers
that host your externally facing domain.  In a pinch, you can even use
OpenDNS.

> I am used to a split DNS provided by the great FW that is Sidewinder,
> but can't do that.

I just simply don't trust any software solution for DNS separation.  I
guess I'm old school, but I've always maintained at least one DNS server
to host my domain(s), and one server for recursive lookups.

> So my next idea is just to create hosts file entries in each DMZ web server.

That could work, however if I compromise any system I will be able to
see a list of all the other hosts.

> What else is there?

See above :)

Cheers,
Paul

-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
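The separation Paul describes above, one server hosting the public domain and a different one doing recursive lookups for the DMZ, written out as an added BIND 9 named.conf sketch. This is not from the post or from PaulDotCom; the zone name example.com and the DMZ range 192.0.2.0/24 are assumed placeholders, and the two sections belong in two separate named.conf files on two separate hosts.

```bind
// Added example, not from the post. Assumed placeholders: example.com, 192.0.2.0/24 (DMZ).

// ---- Host 1: authoritative only, hosts the externally facing domain ----
// Answers for example.com from anyone but never recurses on anyone's behalf,
// so it has no cache to poison and cannot be used as an open resolver.
options {
    directory "/var/cache/bind";
    recursion no;                  // the key line: no recursive lookups here
    allow-query { any; };          // the zone is public by design
    allow-transfer { none; };      // no zone dumps (the hosts-file leak, at scale)
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

// ---- Host 2: recursive resolver for the DMZ only ----
// The DMZ web servers point their resolv.conf at this box. Nothing else may
// query it, and it holds no internal zone data, so a compromised DMZ host
// learns nothing about the inside network from it.
acl "dmz" { 192.0.2.0/24; };

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query       { dmz; localhost; };
    allow-recursion   { dmz; localhost; };
    allow-query-cache { dmz; localhost; };
    allow-transfer    { none; };
};
```

With the DMZ firewall permitting UDP/TCP 53 from the DMZ only to host 2 (or to the ISP's resolvers), no path to the internal DNS server or PDC is needed at all.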
