
DMZ and DNS



Hello Again.

This might sound like a simple question, but what would be the benefits of placing my primary DNS (Internet) in a DMZ zone as opposed to leaving it behind the current firewall or unprotected? :)

I was asked this today: "Why do you want to secure DNS? It's just DNS, what can they do to it?"

Thanks, your advice will be greatly appreciated.



I don't know of any reason for putting DNS in a DMZ but I would make sure there are no other services running on your DNS servers if they are published on the Internet. For the same reason, you should not store files on these servers either. If you have your domain registered on the Internet, you have no choice but to publish the IP addresses of at least two DNS servers for your domain and this gives the bad guys a place to start when attacking your network. If there are no other services to exploit and there is data to steal on your DNS servers, attackers have to work harder to find hosts on your network that will give them what they want.

Putting your Web and FTP servers in a DMZ, however, is an excellent idea, since outside users are actually accessing content on these servers.


You should never place your production DNS server for your AD in the DMZ. Either it should be separated through a forest design, or it should be a whole separate DNS structure from your own internal DNS structure.

Cause... it will be a field trip for a hacker if he can read resources from your internal DNS structure in the DMZ. My advice: let them work for their glory ;)


Of course public DNS should be placed in the DMZ, and this is why:

Users use public DNS for queries and for zone transfer updates to other DNS servers all over the world.

LAN: not good, since you expose unneeded services/traffic to your LAN segment from the Internet.

Public: not good either, cause the server is left unprotected; in theory all services are open for hijacking this server, even if only some are left working.

DMZ: good, only required services are left open AND you get the benefit of a good firewall in the sense of logging, application layer filtering and protection.
