
I currently work in a company that has two DNS servers (ns1 and ns2) open to the Internet on the DMZ, and it's hosting two zones: company.org and company.net. In both zones there are servers in the DMZ and in the internal LAN, and recursion is enabled on the DNS server.

I was thinking of doing this: reconfigure all servers on the DMZ to have a FQDN of server.company.org and on the internal LAN server.company.net. And then, have a DNS server on the DMZ with just the company.org zone and another DNS server on the internal LAN hosting only the company.net zone.

Is this wise, or is there a better solution? If I use this, on which DNS server must recursion be enabled, and on which disabled? And what about forwarding?

Thanks very much.

raphaelmsx
  • The phrase you're looking for is "split DNS". You can do this with `bind9` natively. Other DNS servers may require you to run separate instances - one pointing inward and the other pointing outward (to your DMZ). – roaima Jun 21 '15 at 14:20
  • I don't see how this is "split DNS". The OP is talking about two separate namespaces. He's just asking where it might be best to host each namespace. – joeqwerty Jun 21 '15 at 14:59
  • The OP is looking at two zones, one for the intranet and another for the Internet. This is classic split DNS. Whether they serve the same or different namespaces is irrelevant to split DNS. – BillThor Jun 22 '15 at 02:04


You've not clearly stated your goals, so providing a specific recommendation is difficult.

However, for ease of management and security, using one domain for public-facing services and another for internal services is beneficial, while not technically required.

For example, you could place all public-facing services on one domain. Then use a DNS service provider or your registrar to manage DNS records for this domain. Doing so will allow you to stop running a DNS server in your DMZ.

Internally, you may want to check what, if any, DNS services your network gear provides. Some network devices may allow you to manage DNS directly in your device.

If not, then consider a small VPS system dedicated to internal DNS. You can publish your own records for internal assets and then configure the system to handle recursion and DNS caching. This way IPs and domains for internal assets are not publicly discoverable.

On your internal server, you can use a forwarding, caching DNS setup that uses services like OpenDNS or Google's DNS for the recursion. These public DNS services include some security features that doing your own DNS recursion does not. This is often an easy and inexpensive way to add additional security to a small office or branch network.

jeffatrackaid
  • So, if I understood correctly, I can have one DNS server on the DMZ with public-facing servers and recursion disabled, and one DNS server on the internal LAN for internal services, configured with my ISP's DNS IPs as forwarders for recursion. (I said one for simplicity of explanation; of course two or more.) But, if a client from the internal LAN asks for a service in the DMZ (and it's not in any cache), is there a way the internal DNS server forwards to the DMZ DNS server, and not to the ISP DNS IPs as default? Thanks. – raphaelmsx Jun 23 '15 at 17:26
  • I recommended not having a nameserver in the DMZ at all. Since it is only one domain, let your registrar serve as the nameserver for that domain. That simplifies things tremendously. If you must operate a nameserver for that one domain, put it into the DMZ and set it as a non-recursive server. For your internal one, you can have it forward requests to your ISP's DNS or to Google's. I recommend a forwarding system since all DNS requests will be sent to the forwarding servers vs. looking up directly. This permits tighter firewall restrictions. – jeffatrackaid Jun 23 '15 at 18:03
  • Yes, I really have to operate a nameserver for the DMZ. Just one more question: as the internal DNS is going to forward to the ISP's DNS, how will name resolution from internal clients to DMZ services work? Is it going to first forward to the ISP's DNS just to discover it's already inside the company? I know that eventually it will be in the cache, but I'm taking into consideration the first time a request is made, and I thought I could have some configuration in the internal DNS server to know that if it's a namespace on our DMZ, then forward straight to the DMZ DNS server; if not, forward to the ISP's DNS. – raphaelmsx Jun 24 '15 at 17:39
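The layout discussed in the answer and its comments (non-recursive DMZ server for company.org, recursive internal server for company.net that forwards to the ISP by default but sends company.org lookups straight to the DMZ server) expressed as two BIND 9 `named.conf` fragments. This is an added example, not configuration from the thread or its participants; the DMZ server address 192.0.2.53, the internal range 10.0.0.0/8 and the ISP resolver addresses are placeholders, and the zone files are not shown.

```conf
// Added example, not from the thread. Two SEPARATE named.conf files,
// one per server. Addresses are placeholders (documentation ranges).

// ===== File 1: DMZ server (ns1) =====
// Authoritative for company.org only; never recurses, so it cannot be
// used as an open resolver and never reveals company.net data.
options {
    directory "/var/cache/bind";
    recursion no;
    allow-query { any; };          // public zone, anyone may ask
    allow-transfer { none; };      // list ns2 here if it is a secondary
    version "not disclosed";
};

zone "company.org" {
    type master;
    file "/etc/bind/db.company.org";
};

// ===== File 2: internal LAN server =====
// Authoritative for company.net; recursion offered to the LAN only.
acl internal { 10.0.0.0/8; 127.0.0.0/8; };

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };
    // Default for every other name: hand off to the ISP resolvers.
    // "forward only" means no fallback to iterative lookups, so the
    // firewall only has to allow DNS to these two addresses.
    forwarders { 203.0.113.1; 203.0.113.2; };   // placeholder ISP resolvers
    forward only;
};

zone "company.net" {
    type master;
    file "/etc/bind/db.company.net";
    allow-transfer { none; };
};

// Conditional forwarding: anything under company.org goes directly to the
// DMZ server instead of out to the ISP, even on a cold cache. The DMZ
// server answers from its authoritative data despite "recursion no".
zone "company.org" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
```

Run `named-checkconf` on each file after editing; an internal client asking for host.company.org then follows the forward zone to 192.0.2.53 rather than the ISP path.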