dns best security practices

G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Where should a server that is a Domain Controller, that also host
Active Directory and DNS, be placed on a firewall?

What if that server is the external DNS server?

Should a company have both an external and internal DNS server? If so,
should both of them be Active Directory Domain Controllers?
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Domain controllers for your network should always be behind your firewall.
Normally a domain controller would never be in a DMZ unless it is a special
situation where it is the domain controller for only DMZ computers. Normally
you only need internal dns servers. Internal dns servers can resolve
internet requests for domain clients if they are configured to use root
hints or forward to your ISP dns server. The main reason you would want an
external dns server is if you are going to host your own dns servers for
your website available for internet users. In such case you would need to
provide two external dns servers. Most however pay a small fee to an ISP to
do this for them. NEVER expose your internal dns servers to internet users.
If your internal users need to access your domain resources on the internet
and you use the same domain name for internet and internal network then you
can use "split brains" dns and add manual records to your internal dns
server for your internal network users to resolve the names of your internet
resources. A Windows dns server does not need to be a domain controller if
you have a need to provide external dns outside of the firewall. --- Steve


http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- AD
dns FAQ.

<emmiller@cortdirections.com> wrote in message
news:1111683702.359142.301520@l41g2000cwc.googlegroups.com...
> Where should a server that is a Domain Controller, that also host
> Active Directory and DNS, be placed on a firewall?
>
> What if that server is the external DNS server?
>
> Should a company have both an external and internal DNS server? If so,
> should both of them be Active Directory Domain Controllers?
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Since AD has brought the need for DNS to companies, many have
considered hosting their own public DNS presence. Most of those
companies would likely be best off just keeping their public DNS
support hosted as it has been, by some ISP arrangement.

There are a number of issues when hosting one's own public
presence, including up-time and availability, but most importantly
security of one's internal infrastructure. If a company could have
significant savings by hosting their own public DNS presence,
then they should not use the same DNS services as are used for
their AD support that is on the DCs. Doing that would expose
the DNS records used for internal support to the public. While
this exposure is only to the extent that a prober could pry out
the info (if the DNS services are optimally configured), and the
exposure is only that, an exposure, nevertheless this would give
away knowledge of key aspects of the internal infrastructure.
Rather, when there is sufficient savings or flexibility to justify,
then DNS for public resolution should be used for only that
purpose, and configured to refuse recursive queries, to accept
only ports tcp and udp 53 from the public network, and placed
in a DMZ or screened network area that will not impose an
added risk to the internal network.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
<emmiller@cortdirections.com> wrote in message
news:1111683702.359142.301520@l41g2000cwc.googlegroups.com...
> Where should a server that is a Domain Controller, that also host
> Active Directory and DNS, be placed on a firewall?
>
> What if that server is the external DNS server?
>
> Should a company have both an external and internal DNS server? If so,
> should both of them be Active Directory Domain Controllers?
>