dns best security practices

Archived from groups: microsoft.public.win2000.security

Where should a server that is a Domain Controller, that also hosts
Active Directory and DNS, be placed on a firewall?

What if that server is the external DNS server?

Should a company have both an external and internal DNS server? If so,
should both of them be Active Directory Domain Controllers?
  1.

    Domain controllers for your network should always be behind your firewall.
    Normally a domain controller would never be in a DMZ unless it is a special
    situation where it is the domain controller for only DMZ computers. Normally
    you only need internal dns servers. Internal dns servers can resolve
    internet requests for domain clients if they are configured to use root
    hints or forward to your ISP dns server. The main reason you would want an
    external dns server is if you are going to host your own dns servers for
    your website available for internet users. In such a case you would need to
    provide two external dns servers. Most, however, pay a small fee to an ISP to
    do this for them. NEVER expose your internal dns servers to internet users.
    If your internal users need to access your domain resources on the internet
    and you use the same domain name for internet and internal network then you
    can use "split-brain" dns and add manual records to your internal dns
    server for your internal network users to resolve the names of your internet
    resources. A Windows dns server does not need to be a domain controller if
    you have a need to provide external dns outside of the firewall. --- Steve


    http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- AD
    dns FAQ.

    <emmiller@cortdirections.com> wrote in message
    news:1111683702.359142.301520@l41g2000cwc.googlegroups.com...
    > Where should a server that is a Domain Controller, that also hosts
    > Active Directory and DNS, be placed on a firewall?
    >
    > What if that server is the external DNS server?
    >
    > Should a company have both an external and internal DNS server? If so,
    > should both of them be Active Directory Domain Controllers?
    >
  2.

    Since AD has brought the need for DNS to companies, many have
    considered hosting their own public DNS presence. Most of those
    companies would likely be best off just keeping their public DNS
    support hosted as it has been, by some ISP arrangement.

    There are a number of issues when hosting one's own public
    presence, including up-time and availability, but most importantly
    security of one's internal infrastructure. If a company could have
    significant savings by hosting their own public DNS presence,
    then they should not use the same DNS services as are used for
    their AD support that is on the DCs. Doing that would expose
    the DNS records used for internal support to the public. While
    this exposure is only to the extent that a prober could pry out
    the info (if the DNS services are optimally configured), and the
    exposure is only that, an exposure, nevertheless this would give
    away knowledge of key aspects of the internal infrastructure.
    Rather, when there is sufficient savings or flexibility to justify,
    then DNS for public resolution should be used for only that
    purpose, and configured to refuse recursive queries, to accept
    only ports tcp and udp 53 from the public network, and placed
    in a DMZ or screened network area that will not impose an
    added risk to the internal network.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    <emmiller@cortdirections.com> wrote in message
    news:1111683702.359142.301520@l41g2000cwc.googlegroups.com...
    > Where should a server that is a Domain Controller, that also hosts
    > Active Directory and DNS, be placed on a firewall?
    >
    > What if that server is the external DNS server?
    >
    > Should a company have both an external and internal DNS server? If so,
    > should both of them be Active Directory Domain Controllers?
    >
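Roger's requirement that a public-facing DNS server refuse recursive queries can be verified from the header flags of its reply: a server that sets RA (recursion available) is offering recursion to whoever asked. The following self-check is an added example, not code from either post; the two sample responses are constructed inline, and `probe()` is only needed when checking your own server over the network.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a standard A query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header; RA set means the server offers recursion."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),       # response bit
        "aa": bool(flags & 0x0400),       # authoritative answer
        "rd": bool(flags & 0x0100),       # recursion desired (echoed)
        "ra": bool(flags & 0x0080),       # recursion available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }

def assess(resp: bytes) -> str:
    """Classify a reply to a recursive query from the defender's point of view."""
    h = parse_header(resp)
    if h["ra"]:
        return "OPEN RECURSION: server advertises RA to this client"
    if h["rcode"] == "REFUSED" or (h["answers"] == 0 and not h["aa"]):
        return "recursion refused (expected for a public authoritative-only server)"
    return "authoritative answer without RA (expected)"

def probe(server: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one UDP query to port 53 of your own server and assess the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return assess(data)

# Constructed sample headers (not captured from any real server):
# a recursive resolver answering: QR|RD|RA set, NOERROR, one answer record
OPEN_RESOLVER_HDR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# a hardened authoritative server asked about a zone it does not host: QR|RD, REFUSED
REFUSED_HDR = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
```

Run `probe("<your public DNS IP>")` from outside the firewall; the expected result for the setup Roger describes is the "recursion refused" line.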