Re: dns best security practices

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/25/05


Date: Thu, 24 Mar 2005 23:11:57 -0700

Since AD has brought the need for DNS to companies, many have
considered hosting their own public DNS presence. Most of those
companies would likely be best off just keeping their public DNS
support hosted as it has been, by some ISP arrangement.

There are a number of issues when hosting one's own public
presence, including up-time and availability, but most importantly
security of one's internal infrastructure. If a company could have
significant savings by hosting their own public DNS presence,
then they should not use the same DNS services as are used for
their AD support that is on the DCs. Doing that would expose
the DNS records used for internal support to the public. While
this exposure is only to the extent that a prober could pry out
the info (if the DNS services are optimally configured), and the
exposure is only that, an exposure, nevertheless this would give
away knowledge of key aspects of the internal infrastructure.
Rather, when there is sufficient savings or flexibility to justify,
then DNS for public resolution should be used for only that
purpose, and configured to refuse recursive queries, to accept
only ports tcp and udp 53 from the public network, and placed
in a DMZ or screened network area that will not impose an
added risk to the internal network.

-- 
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
<emmiller@cortdirections.com> wrote in message
news:1111683702.359142.301520@l41g2000cwc.googlegroups.com...
> Where should a server that is a Domain Controller, that also hosts
> Active Directory and DNS, be placed on a firewall?
>
> What if that server is the external DNS server?
>
> Should a company have both an external and internal DNS server? If so,
> should both of them be Active Directory Domain Controllers?
>

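A defender-side check for the "refuse recursive queries" requirement above, added here as an example (it is not part of the original post). It builds a plain UDP/53 query with RD=1 for a name the public server does not host (the assumed probe name is example.com) and inspects the response header: a correctly configured public-only server clears RA and returns no answer, typically with RCODE 5 (REFUSED). The sample responses at the bottom are constructed by hand so the parsing logic runs offline.

```python
"""Audit whether a public-facing DNS server still offers recursion."""
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard A/IN query with RD=1 (recursion desired)."""
    flags = 0x0100  # QR=0, opcode=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp: bytes) -> dict:
    """Return the header fields that matter for a recursion audit."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "rd": bool(flags & 0x0100),   # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),   # recursion available: should be 0 on a public-only server
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "ancount": an,
    }

def offers_recursion(resp: bytes) -> bool:
    """True if the server advertises recursion (RA=1) or actually resolved a
    name outside its own zones (NOERROR with at least one answer record)."""
    h = parse_header(resp)
    return h["ra"] or (h["rcode"] == 0 and h["ancount"] > 0)

def probe(server: str, name: str = "example.com", timeout: float = 3.0) -> bool:
    """Send the query to UDP port 53 on `server` (assumed reachable) and
    report whether recursion was offered. Run from outside the network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        resp, _ = s.recvfrom(4096)
    return offers_recursion(resp)

# Constructed sample responses (hand-built, not captured from a real server):
# QR=1 RD=1 RA=0 RCODE=5, no answers: recursion refused as intended.
REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
# QR=1 RD=1 RA=1 RCODE=0, one answer: the server resolved a foreign name.
OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
```

On the Windows DNS servers discussed in the thread, the setting this verifies is the server-level "Disable recursion" option; the probe only tells you what an outside client observes.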