DNS best security practices

Archived from groups: microsoft.public.win2000.dns

Where should a server that is a Domain Controller, that also hosts
Active Directory and DNS, be placed on a firewall?

What if that server is the external DNS server?

Should a company have both an external and internal DNS server? If so,
should both of them be Active Directory Domain Controllers?

    <emmiller@cortdirections.com> wrote in message
    news:1111683730.244678.246610@o13g2000cwo.googlegroups.com...
    > Where should a server that is a Domain Controller, that also hosts
    > Active Directory and DNS, be placed on a firewall?

    Not on firewall machine at all.

    Behind as many firewalls as practical.

    > What if that server is the external DNS server?

    It should not do both internal and external DNS.

    A DC should almost never be publicly accessible
    (there are some very few exceptions to this where.)

    > Should a company have both an external and internal DNS server?

    Yes. And for almost everyone the External DNS should
    be left at (or returned to) the REGISTRAR (not the ISP
    and not on the company's own DNS servers.)

    > If so,
    > should both of them be Active Directory Domain Controllers?

    And if you break this practice, the DC should be internal or
    hidden behind as many layers as practical.

    Is it possible to secure a DC on the Internet?

    Yes, it is possible, but a simple experiment will show how
    difficult that will be: Go to a DC and from an open command
    prompt type:

    netstat -a

    Now, decide if you believe that you can secure all legitimate
    access to all of those open ports and services, and if you are
    willing to accept that none of those services are going to be
    compromised by bugs or security holes that hackers can use
    to attack your DC and thus your entire domain.

    Recognize that losing a web server is bad, but losing control
    of ALL of the resources and private information in your domain
    is usually much worse.

    (The very few exceptions to placing a DC on the Internet are
    by those people who accept the loss of the information as
    unimportant compared with the likelihood of it happening.)
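As an added example, not part of the archived thread, the `netstat -a` experiment above turned into a quick inventory: the script parses sample output in the Windows `netstat -an` layout and lists the listening sockets bound to all interfaces, labelled with the service a DC normally runs on that port. The sample output is constructed for illustration, not captured from any real domain controller, and the port-to-service labels are the usual well-known assignments.

```python
import re
from collections import namedtuple

# Constructed sample of `netstat -an` output from a hypothetical domain
# controller; not captured from any real machine.
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49152        0.0.0.0:0              LISTENING
  TCP    192.0.2.10:445         192.0.2.25:51210       ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:88             *:*
  UDP    0.0.0.0:389            *:*
  UDP    127.0.0.1:49153        *:*
"""

# Services a DC normally exposes on these ports (well-known assignments).
KNOWN_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
               389: "LDAP", 445: "SMB", 636: "LDAPS", 3268: "Global Catalog"}

Endpoint = namedtuple("Endpoint", "proto addr port")
# Proto, local addr:port, foreign addr:port, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listening_endpoints(netstat_text):
    """Sockets that accept input: TCP in LISTENING state and every UDP socket."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and blanks
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait connections are not exposure
        found.append(Endpoint(proto, addr, int(port)))
    return found

def exposed_to_network(endpoints):
    """Keep only sockets bound to all interfaces, dropping loopback-only ones."""
    return [e for e in endpoints if e.addr in ("0.0.0.0", "[::]")]

def describe(endpoints):
    """Human-readable lines, sorted by protocol then port."""
    return [f"{e.proto}/{e.port} {KNOWN_PORTS.get(e.port, 'unknown service')}"
            for e in sorted(endpoints, key=lambda e: (e.proto, e.port))]
```

Run `describe(exposed_to_network(listening_endpoints(SAMPLE_NETSTAT)))` to get the list of network-reachable services; every entry is one more service whose bugs would have to be accepted before putting that DC on the Internet.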