Archived from groups: microsoft.public.win2000.security (
More info?)
Since AD has brought the need for DNS to companies, many have
considered hosting their own public DNS presence. Most of those
companies would likely be best off just keeping their public DNS
support hosted as it has been, by some ISP arrangement.
There are a number of issues when hosting one's own public
presence, including up-time and availability, but most importantly
security of one's internal infrastructure. If a company could have
significant savings by hosting their own public DNS presence,
then they should not use the same DNS services as are used for
their AD support that is on the DCs. Doing that would expose
the DNS records used for internal support to the public. While
this exposure is only to the extent that a prober could pry out
the info (if the DNS services are optimally configured), and the
exposure is only that, an exposure, nevertheless this would give
away knowledge of key aspects of the internal infrastructure.
Rather, when there is sufficient savings or flexibility to justify,
then DNS for public resolution should be used for only that
purpose, and configured to refuse recursive queries, to accept
only ports tcp and udp 53 from the public network, and placed
in a DMZ or screened network area that will not impose an
added risk to the internal network.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
<emmiller@cortdirections.com> wrote in message
news:1111683702.359142.301520@l41g2000cwc.googlegroups.com...
> Where should a server that is a Domain Controller, that also host
> Active Directory and DNS, be placed on a firewall?
>
> What if that server is the external DNS server?
>
> Should a company have both an external and internal DNS server? If so,
> should both of them be Active Directory Domain Controllers?
>