

DNS in DMZ

Question

Thursday, December 5, 2013 3:42 PM

Hi Everyone,

I've been tasked with turning our DMZ into a new forest/domain. Currently our DMZ servers (web servers) are all statically assigned and are pointing to our internal servers for DNS. All DMZ servers have private IP addresses as well. My question to everyone is, what is best practice for setting up a DNS server within a DMZ? Should I set up DNS in the DMZ and set forwarders to the internal DNS for resolution, since they currently point to the internal DNS servers? Should I continue letting it use the internal DNS for resolution and make no changes? Or should I use some other method for DNS in the DMZ? I greatly appreciate the help.

Thanks,
DNS

All replies (13)

Monday, December 9, 2013 5:03 PM ✅Answered


The only practice for any AD environment is that all members, and even non-members that need to resolve internal resources, must only use the internal DNS servers. This is based on technical reasons with how the DNS client side resolver works, and this is based on multiple RFCs that apply not just to Microsoft products, but all products that use DNS servers to resolve resource records. More here:

Active Directory's Reliance on DNS, and why you should never use an ISP's DNS address or your router as a DNS address, or any other DNS server that does not host the AD zone name
http://msmvps.com/blogs/acefekay/archive/2009/08/17/ad-and-its-reliance-on-dns.aspx

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Monday, December 9, 2013 8:08 PM ✅Answered

Sorry, I thought I made it clear that you need to only use the internal DNS servers, nothing else.

I assume you have ports allowing access from these machines to access internal resources and authenticate to AD? If yes, then the ports should be open.

If you're going to create a new forest in the DMZ, then those machines will only use their own DNS. And of course that's assuming the forest has nothing to do with the internal AD. But from what you're saying, they'll probably be accessing internal forest resources? 

If yes, then a forwarder will work. And this also assumes a trust? Will your firewall folks be ok with opening lots of ports to make this work?

Ace Fekay


Monday, December 9, 2013 9:24 PM ✅Answered

If that's the case, that's similar to, or *assuming* (I hate to use that word) whether you will be creating a trust (since that's the best solution) or not creating a trust.

Here are your options:

What should I use, a Stub, Conditional Forwarder, Forwarder, or Secondary Zone??
http://blogs.msmvps.com/acefekay/2012/09/18/what-should-i-use-a-stub-conditional-forwader-forwarder-or-secondary-zone/

Ace Fekay
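The "forwarder" option Ace mentions, as an added example that is not part of this thread: on the DNS server of the new DMZ forest, create a conditional forwarder so that only queries for the internal AD zone are sent to the internal DNS servers, then review what this server forwards and verify that an internal name resolves through it. The zone name corp.internal, the IP addresses and the host names are assumed placeholders.

```powershell
# Added example (not from the thread): conditional forwarder on the DMZ forest's DNS server.
# Requires the DnsServer module (Windows Server 2012 or later / RSAT).
Import-Module DnsServer

$InternalZone = 'corp.internal'                 # assumed internal AD DNS zone name
$InternalDns  = @('10.10.0.10', '10.10.0.11')   # assumed internal DNS server IPs
$DmzDns       = 'dmz-dc01.dmz.internal'         # assumed DMZ DNS server (this host)

# Create the conditional forwarder once; AD-integrated so every DMZ DC/DNS server receives it.
if (-not (Get-DnsServerZone -Name $InternalZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $InternalZone `
        -MasterServers $InternalDns `
        -ReplicationScope 'Forest' `
        -ForwarderTimeout 3
}

# Review: the only forwarder-type zone on this server should be the internal one,
# so that nothing else in the DMZ resolution path leaks queries to the internal network.
$forwarders = Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Forwarder' }
$forwarders | Select-Object ZoneName, MasterServers, IsDsIntegrated | Format-Table -AutoSize

$unexpected = $forwarders | Where-Object { $_.ZoneName -ne $InternalZone }
if ($unexpected) {
    Write-Warning "Unexpected conditional forwarders present: $($unexpected.ZoneName -join ', ')"
}

# Verify the resolution path: an internal name must resolve when asked of the DMZ DNS server.
# This is the one path (DMZ DNS -> internal DNS, TCP/UDP 53) the firewall has to allow.
$probe = "dc01.$InternalZone"                   # assumed internal host name
try {
    $answer = Resolve-DnsName -Name $probe -Server $DmzDns -Type A -DnsOnly -ErrorAction Stop
    $answer | Select-Object Name, IPAddress
} catch {
    Write-Warning "Resolution of $probe through $DmzDns failed: $($_.Exception.Message)"
}
```

DMZ member servers then point only at the DMZ forest's DNS servers; they no longer need the internal DNS servers on their NICs.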


Wednesday, December 11, 2013 5:43 AM ✅Answered

BuffaloIT,

I believe SH.Hashemi is referring to a third party LDAP solution that will authenticate with AD. That can work to give you SSO (Single Sign On) for your DMZ resources providing centralized authentication.

Just to point out as an FYI, AD DMZ designs have been discussed in the past in the Directory Services (AD) forum.

Since this thread has evolved into a question about authenticating using SSO, you also have an option to use your existing AD infrastructure and make use of RODCs in the DMZ. With RODCs, besides using restricted ports with AD, they provide the ability to restrict specific user accounts and machine accounts that can authenticate to them. You create PRPs (password replication policies) on the RWDC with the user and computer accounts in the DMZ. DNS on an RODC acts as secondary zones. The first few links below go into RODCs as an option. I think this is your better bet.

The other links are previous discussions to help in your decision process in trying to streamline and get a handle on your DMZ administration. There are other threads discussing this in the DS forums, but this should give you a good start.

-

Active Directory Domain Services in the Perimeter Network (Windows Server 2008)
http://technet.microsoft.com/en-us/library/dd728034(v=WS.10).aspx

Designing RODCs in the Perimeter Network
http://technet.microsoft.com/en-us/library/dd728028(v=WS.10).aspx

Read-Only Domain Controller Planning and Deployment Guide
http://technet.microsoft.com/en-us/library/cc771744(v=WS.10).aspx

-

AD Design for DMZ
http://social.technet.microsoft.com/Forums/windowsserver/en-US/afa8ab2d-c44a-4da3-a868-a68911a043c2/ad-design-for-dmz?forum=winserverDS

Active Directory and DMZ design query
http://us.generation-nt.com/answer/active-directory-dmz-design-query-help-97463252.html

Read Only Domain Controller (RODC) in DMZ
http://social.technet.microsoft.com/Forums/windowsserver/en-US/8148ddd1-f5a6-472c-af38-59f203ee532d/read-only-domain-controller-rodc-in-dmz?forum=winserverDS

Ace Fekay
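The password replication policy step Ace describes, as an added example that is not from this thread or the linked guides: on a writable DC in the internal forest, put the DMZ computer and service accounts in a dedicated group, add only that group to the RODC's allowed list, then audit which accounts the RODC has actually cached. The RODC name, group, OU and account names are assumed placeholders.

```powershell
# Added example (not from the thread): scope and audit an RODC password replication policy.
# Run on a writable DC or a host with the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$Rodc     = 'DMZ-RODC01'                       # assumed RODC computer name
$AllowGrp = 'DMZ-RODC-PRP-Allowed'             # assumed group holding cacheable accounts
$GroupOU  = 'OU=DMZ,DC=corp,DC=internal'       # assumed OU for the group
$DmzHosts = @('DMZWEB01', 'DMZWEB02')          # assumed DMZ member server names
$DmzUsers = @('svc-dmz-web')                   # assumed service/admin accounts used in the DMZ

if (-not (Get-ADGroup -Filter "Name -eq '$AllowGrp'")) {
    New-ADGroup -Name $AllowGrp -GroupScope Global -GroupCategory Security -Path $GroupOU `
        -Description 'Accounts whose secrets may be cached on the DMZ RODC'
}

# Only DMZ machines and the accounts that log on there belong in the allowed group.
$members  = @()
$members += $DmzHosts | ForEach-Object { Get-ADComputer -Identity $_ }
$members += $DmzUsers | ForEach-Object { Get-ADUser -Identity $_ }
Add-ADGroupMember -Identity $AllowGrp -Members $members

# Allow caching for that group only. Domain Admins and other privileged groups are in the
# built-in "Denied RODC Password Replication Group" by default, and a deny always wins.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $AllowGrp

# Audit: what the policy allows, and which accounts have actually been cached ("revealed").
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass

$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$admins   = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty DistinguishedName
$leak     = $revealed | Where-Object { $admins -contains $_.DistinguishedName }

if ($leak) {
    Write-Warning "Privileged account secrets cached on ${Rodc}: $($leak.Name -join ', ')"
} else {
    "No privileged account secrets cached on $Rodc ($($revealed.Count) accounts revealed)."
}
```

If the RODC is ever compromised, the revealed list is exactly the set of accounts whose passwords must be reset.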


Monday, December 9, 2013 2:11 AM | 1 vote

Hi,

In general, it is not recommended to configure the DMZ with forwarders. Usually, internal DNS servers are placed on the internal network, and externally accessible servers are placed in the DMZ, which is secure but also accessible from the public network. If you have only one set of DNS servers for both internal and external DNS, you should place them in the DMZ and have internal users access them from the internal network rather than place them in the internal network and configure in your firewall for external DNS requests.

In addition, please refer to the useful thread below:

DMZ DNS Question

http://social.technet.microsoft.com/Forums/en-US/79726af5-97fa-4ffb-8d0c-889a07c08b5c/dmz-dns-question?forum=winserverNIS

Best regards,

Susie


Monday, December 9, 2013 3:46 PM

Thanks for the response Susie. The DMZ servers currently have the internal DNS servers statically assigned to them. I'm going to be setting up a new forest/domain for the DMZ servers and I plan to put a separate DNS server in the new domain. What would be the best DNS solution if the new domain (dmz) servers need to talk back to the internal network? How should DNS be set up?

Thanks,
John


Monday, December 9, 2013 4:22 PM

hey

The most popular method for effectively managing your DNS tasks is implementing split DNS.

It is a common practice for organizations to run servers for internal use separately from those for external use. But in many instances, both internal and external clients use both servers. And if the organization uses network address translation (NAT), the servers must be accessible from two different IP addresses.

So a split DNS infrastructure is a solution to the problem of using the same domain name for internally and externally accessible resources. It's the difference in how internal and external clients access resources that causes the problem.

A very well described document regarding such an architecture can be found at:

http://www.isaserver.org/articles-tutorials/installation-planning/You_Need_to_Create_a_Split_DNS.html

G luck 


Monday, December 9, 2013 7:43 PM

Ok, so when the new domain (previously the dmz) needs to resolve a server on the internal network, we should set forwarders up on the new domain (DMZ) DNS to forward to the internal when the new domain (dmz) cannot resolve them? I guess I'm confused on how the external network should talk to the internal network when a DNS query is needed for internal resources.


Monday, December 9, 2013 9:10 PM

Right now the dmz is set up in a workgroup with the DNS addresses of the internal network on their NICs for resolution. If I turn the dmz into a new AD forest, what would be the best way for the new forest to resolve internal addresses? Keep DNS the way it is (DNS stays internal), host a new DNS server in the new forest with forwarders pointing to the internal network, or some other preferred method?


Monday, December 9, 2013 9:34 PM

We weren't going to set up a trust since this new forest/domain will still be considered our DMZ. We were hoping to keep them separated as much as possible.


Tuesday, December 10, 2013 6:10 AM

hey

As you're aware, the primary advantage of a DMZ is that it provides a neutral ground, typically for services that must be accessed by both internal and external users. The compromise of a system within the DMZ will not jeopardize the security of systems located within the secure internal network.

DCs, by their nature, are some of the most highly valued assets within the organization. These are the servers that control access to the resources on a Windows network, including the Active Directory database. If an attacker is able to compromise a domain controller, he or she essentially owns the entire Windows infrastructure. Therefore, given the immense importance of keeping it protected, I don't recommend placing a domain controller within a DMZ.

The most common solution that I've seen out there is to build the DMZ servers as standalone servers. If Active Directory authentication is required to allow internal users privileged access to those servers, use LDAP authentication back to the domain controller on the internal network. If you do need a domain controller inside the DMZ to facilitate specific services, I'd recommend creating a separate Active Directory forest within the DMZ and then using a one-way trust mechanism that permits systems in the DMZ to trust user accounts within the internal forest, but it also asks for DNS server replication and proper new ACLs.

But keep in mind, as you are probably going to make all servers residing in your DMZ members of the new domain, if a single server is somehow compromised the rest would become compromised too, so that is why I suggest keeping your infrastructure as is with a new DNS design (split or another solution).

But since I am really interested in your case, I ask you to tell us what the cause of your new design is so we can come up with a proper design.

G luck


Tuesday, December 10, 2013 1:52 PM

Thank you for the response. The reason behind us wanting to set up the DMZ in a new forest/domain is strictly due to user accounts. Currently in our DMZ we have dozens of local user accounts with admin privileges spread across several servers, so we are having a difficult time managing these accounts, especially when an employee is no longer with us. The last thing we want are many local accounts with admin rights that are active, but the employee or contractor is no longer with us. If the LDAP solution is the best solution for this model could you elaborate more about it and/or how to configure it for this type of DMZ? Thank you so much for the time you are spending on this topic. It is greatly appreciated!

Thanks again,

John


Wednesday, December 11, 2013 5:51 AM

hey

Ace Fekay's answer covers your need. RODC is a great working solution with lots of guides & best practices available on TechNet, but to complete my mind puzzle about your design, what are the services you are offering in your DMZ? Listing their names would be sufficient.

G Luck

______________________________________________________________________

SeyedHoodad HashemiNoudehi

MCSA 2008, MCITP: Enterprise Administrator,MCITP: Server Administrator,MCSE:2003 Security,MCSA:2003 Security , MCTS , MCP , Comptia Security+ ce , ITIL V3.0 , BEng CEn