PaulDotCom mailing list archives

DNS access from DMZ


From: abcampa at gmail.com (Albert R. Campa)
Date: Mon, 1 Dec 2008 14:31:22 -0600

Thanks all for the input.

Let me modify the scenario as greater understanding has just been acquired ;)

This DMZ(internet facing) is not really on the public internet. It is behind
the enterprise firewalls and even some WAF protection. The servers are
Internet accessible as the ports are open on the enterprise firewalls.

These DMZ webservers are separate from a core Internal trusted network. This
core network contains a DNS server, and other datacenter assets, and is
separated by a firewall.

So since the 'DMZ' web servers are semi-internal but separated, should they
be allowed to resolve 'internal' servers that they need to communicate with
by means of DNS forwarders? Could a hacker penetrate the firewall(port 80)?
yes. Could he/she proceed to bypass the WAF, IDPS and compromise a web
server? Only to find him/herself still isolated in a firewalled network, but
have port 53 access to query only, the internal main DNS/PDC Server?


__________________________________
Albert R. Campa


2008/12/1 Tim Krabec <tkrabec at gmail.com>

If you are truly paranoid, know that if your ISP is especially evil
they can just handle all the DNS themselves by intercepting DNS traffic
after your router.  You might want to consider tunneling to a "known" safe
location.

--
Tim Krabec
Kracomp
772-597-2349
smbminute.com
kracomp.blogspot.com
www.kracomp.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
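One common way to answer the question raised above without giving the web tier a direct path to the internal DNS/PDC: a small caching forwarder inside the DMZ that forwards only the one internal zone the web servers need. The following BIND 9 named.conf fragment is an added, constructed example (not from this thread); the subnet 192.0.2.0/24, the forwarder address 192.0.2.53, the internal DNS 10.10.0.53 and the zone name corp.example are all assumed placeholders.

```bind
// DMZ-side caching forwarder (BIND 9 named.conf fragment, constructed example).
// Assumed: DMZ web subnet 192.0.2.0/24, this forwarder at 192.0.2.53,
// internal DNS/PDC at 10.10.0.53, internal zone "corp.example".
// The web servers point their resolver at 192.0.2.53; the inter-network
// firewall then only has to permit 192.0.2.53 -> 10.10.0.53 on tcp/udp 53,
// not every web server -> the internal DNS.

acl dmz_web { 192.0.2.0/24; };

options {
    directory "/var/cache/bind";
    listen-on { 192.0.2.53; };
    recursion yes;
    allow-query     { dmz_web; };   // only DMZ hosts may query at all
    allow-recursion { dmz_web; };
    allow-transfer  { none; };      // never hand out zone data
    version "not disclosed";        // no BIND version in CH TXT responses
    // Deliberately no global "forwarders": if the web tier also needs public
    // names, point that at a resolver outside the core network, not at the PDC.
};

// The single internal zone the web tier legitimately needs. "forward only"
// means this forwarder never tries to resolve it any other way.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.10.0.53; };
};
```

Names outside corp.example reach the forwarder but have no inward path, so a compromised web server can at most look up the internal zone it was already allowed to talk to; the firewall log for 192.0.2.0/24 -> 10.10.0.53:53 (anything other than the forwarder itself) then becomes a useful alert.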
