Minus Human
Posted July 19, 2004

Hello Again. This might sound like a simple question but what would be the benefits to placing my Primary DNS (Internet) in a DMZ zone as opposed to leaving it behind the current firewall or unprotected. I was asked this today “why do you want to secure DNS – It’s just DNS what can they do to it”

Thanks, your advice will be greatly appreciated.

catwalker63
Posted July 20, 2004

I don't know of any reason for putting DNS in a DMZ but I would make sure there are no other services running on your DNS servers if they are published on the Internet. For the same reason, you should not store files on these servers either. If you have your domain registered on the Internet, you have no choice but to publish the IP addresses of at least two DNS servers for your domain and this gives the bad guys a place to start when attacking your network. If there are no other services to exploit and there is data to steal on your DNS servers, attackers have to work harder to find hosts on your network that will give them what they want.

Putting your Web and FTP servers in a DMZ, however, is an excellent idea, since outside users are actually accessing content on these servers.

Br4tt3
Posted August 23, 2004

> Hello Again. This might sound like a simple question but what would be the benefits to placing my Primary DNS (Internet) in a DMZ zone as opposed to leaving it behind the current firewall or unprotected. I was asked this today “why do you want to secure DNS – It’s just DNS what can they do to it” Thanks, your advice will be greatly appreciated.

You should never place your production DNS server for your AD in the DMZ. Either it should be separated through a forest design or a whole separate DNS structure to your own internal DNS structure.

Cause... it will be a field trip for a hacker if he can read resources from your internal DNS structure in the DMZ.. my advice, let them work for their glory

turbomcp
Posted August 23, 2004

Of course public DNS should be placed in the DMZ, and this is why: users use public DNS for queries and for zone transfer updates to other DNS all over the world.

LAN - not good, since you expose unneeded services/traffic to your LAN segment from the Internet.
Public - not good either, cause the server is left unprotected; in theory all services are open for hijacking this server even if only some are left working.
DMZ - good, only required services are left open AND you get the benefit of a good firewall in the sense of logging, application layer filtering and protection.

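Added example, not part of any post in this thread: a small Python check for the concern raised above about internal (AD) DNS data being readable from an Internet-facing DNS server. It scans a zone file for RFC 1918 addresses and AD locator names; the zone contents, host names and addresses are constructed, and the simple `name ttl IN type rdata` line format is an assumption.

```python
import ipaddress

# Constructed sample of an Internet-facing zone (names and addresses are made up;
# 203.0.113.0/24 is a documentation range standing in for public addresses).
SAMPLE_ZONE = """\
example.com.                      3600 IN NS   ns1.example.com.
ns1.example.com.                  3600 IN A    203.0.113.10
www.example.com.                  3600 IN A    203.0.113.20
fileserver.example.com.           3600 IN A    10.1.2.15
_ldap._tcp.dc._msdcs.example.com. 600  IN SRV  0 100 389 dc01.example.com.
dc01.example.com.                 3600 IN A    192.168.10.5
"""

# RFC 1918 private ranges plus IPv6 unique local addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Labels Active Directory registers so clients can locate domain controllers.
AD_LABELS = {"_msdcs", "_ldap", "_kerberos", "_gc", "_kpasswd"}

def audit_public_zone(zone_text):
    """Return (owner, reason) findings for records that expose internal structure."""
    findings = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop zone-file comments
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue                             # only "name ttl IN type rdata" lines
        owner, rtype, rdata = fields[0], fields[3].upper(), fields[4:]
        if set(owner.lower().rstrip(".").split(".")) & AD_LABELS:
            findings.append((owner, "AD locator record in public zone"))
        if rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rdata[0])
            except ValueError:
                findings.append((owner, "unparseable address"))
                continue
            if any(addr in net for net in INTERNAL_NETS):
                findings.append((owner, f"internal address {addr}"))
    return findings

if __name__ == "__main__":
    for owner, reason in audit_public_zone(SAMPLE_ZONE):
        print(f"{owner}: {reason}")
```

Run against an export of the zone actually served to the Internet, an empty result means the external zone carries no private addresses or AD locator names.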