
I administer a small office (<50 people). We have always had internal DNS servers in the office. DNS servers are pretty straightforward, but we have run into trouble with them in the past. We have some office resources that are only available in the office, or externally over VPN, and we also have some office resources with a public address and record. Those resources currently have the same DNS name, though that's not necessarily a requirement, and there are far fewer of them than there used to be.

We also already own the internal office namespace, so it's conceivable that I could populate my public DNS with all the private IP addresses of the internal office resources we have and just stop using internal DNS altogether.

Is this a good idea? I've never worked in a place that doesn't have internal office DNS. What are some reasons why we should still keep it? It was once critical and is still convenient, but the problems we've run into aren't making it feel convenient anymore.

Current reasons to keep:

  • Split DNS lets us use the same hostname for those resources that are hosted internally but also available externally
  • We have a few test domains that we haven't needed to buy but would need to if we got rid of them
  • ??? it's familiar and comforting?

Reasons to get rid of it:

  • No IPv6 Support currently
  • Have had several problems with DNS being split, mostly with VPN config
  • Maintenance on a server that might be unnecessary
Aaron R.
  • I think you have to take into consideration other things as well, like the number of servers you have and the stability of the internet connection. If you rely on an external DNS server, what happens if you lose your internet connectivity for a long time (when no information is cached anymore)? It means that none of your servers will be able to communicate with each other, and therefore all services will be down. It's a bonus to have a local DNS server, at least for caching and performing local resolutions. – olivierg Nov 24 '17 at 21:25
  • The primary reason for having internal DNS servers, at least on a Windows network, is for supporting Active Directory and a Windows domain. If you're running a domain you can't get rid of your AD-integrated DNS. Or, at least, you shouldn't anyway. – Appleoddity Nov 25 '17 at 02:46
  • We do have an internal LDAP server, not AD. The DNS isn't integrated into that, though I wonder whether it has any interdependency. – Aaron R. Nov 27 '17 at 14:36
  • It should have some DNS requirements; if there are multiple LDAP servers, AD uses `SRV` records for service discovery, and so does Dir389. – Jacob Evans Nov 27 '17 at 15:57
  • Interesting, good to know. Although I'm not sure it would need to be internal in any case; seems to me we could use public DNS for that. – Aaron R. Nov 27 '17 at 17:24
  • Keep in mind that an Active Directory environment requires an internal DNS. – BastianW Nov 28 '17 at 10:44

2 Answers

Reading from your comments...

I would 100% keep DNS. I would also extend your LDAP implementation to AD. 50 people is definitely large enough; I would implement DNS for >10 users if they are at all non-technical and have multiple internal resources they need to access.

Regarding the cons:

  • No IPv6 Support currently

Which platform do you use? There are multiple platforms with IPv6 support, namely OpenDNS.

  • VPN config causing issues

No offense intended, but maybe you should work out why the VPN configs are breaking DNS and solve that? It's better than the band-aid workaround of "Nope, internal DNS is too complicated to work with the VPN!".

  • the maintenance

Automate, automate, automate. It shouldn't be too difficult as long as you take a smart approach to DNS entries and system management as a whole. DNS shouldn't have to be radically changed (at least not often).

kilrainebc
  • Only about a third of the office uses Windows, so I'm not really interested in adding more infrastructure to implement a domain controller. I'm using BIND right now, which certainly supports IPv6, but it hasn't been enabled and that would take time and effort on my part; that's the main thrust, really: am I putting myself at any risk removing this resource and using only public DNS, am I setting myself up for more work later because of some future office feature that does need DNS, etc.? – Aaron R. Nov 27 '17 at 17:32
  • Sorry, I assumed that everyone was on a Windows device (though AD works fine with Linux and I imagine there are some mature options for OS X as well). Those are design decisions you have to consider and act upon. If you think growth and future specs might need more of a controlled domain with internal DNS for internal resources, then keep it around, or at a very minimum have it ready to boot if you think you *might* need it. Otherwise, you are the captain of your own boat, you know? This sort of thing is always a trade-off between effort vs. anticipated reward(s). Good luck! :) – kilrainebc Nov 27 '17 at 18:20

Keep the internal DNS; if necessary, make it redundant.

  • Split-brain DNS is a mess, but usually you have (a lot) more internal records than external. Plus you can split your traffic: internal clients use internal IPs, external ones use external IPs.
  • AD relies 100% on DNS.
  • You are not dependent on your ISP's DNS, because your DNS would be able to use recursion.
  • You don't want everybody to be able to look up your internal resources.
  • You don't want to provide your internal resources to your (DNS) ISP.

You don't need your own DNS when everybody is just using the internet and you don't have to manage your own servers. VPN sounds to me like internal services; just keep them internal.

  • No IPv6 Support currently

There are still DNS servers without v6 out there? Get up to date here.

  • Have had several problems with DNS being split, mostly with VPN config

Config problems will not go away with a service going away. You will still have to set up your VPN correctly, now including breakout rules for external DNS traffic.

  • Maintenance on a server that might be unnecessary

DNS is usually small and does not need its own box. Just set one up on one of your reliable servers (like file or mail).

bjoster
  • You bring out one of the real questions I had, perhaps one that would be better as a new question, but could you explain more what you mean when you say "You don't want everybody to be able to look up your internal resources"? Adding private IP addresses in public DNS is uncommon, but is there something really wrong with it? Why would I care if hackers can look up my company's private IP addresses? They're still not routable. – Aaron R. Dec 01 '17 at 21:12
  • You don't want to give a hacker any clues about your internal network in the event your security is breached. Leaking your internal DNS gives clues about internal network structure, possible juicy targets ("Aha! HRserver is at 192.168.99.72! Thanks! I can go straight for that"), etc. – Brandon Xavier Dec 03 '17 at 23:17
  • Is that really a concern, though? I know there's a general sentiment in the professional community that it's better to protect every possible shred of information, but I'm not sure how critical it is. All of our non-public DNS could be queried and they'd get that data in 10 minutes. So maybe we're saving 10 minutes' worth of hacking time? That doesn't seem very valuable to me. – Aaron R. Dec 04 '17 at 16:15
  • Your non-public DNS should not be open to queries.... Hence "non-public"... – kilrainebc Dec 04 '17 at 16:33
  • Technically you *can* put your privates in public, but technically you could also wear no pants in public (or just at this workplace). Hence it *is possible*, but nobody wants you ever to do that, and so no professional IT guy would. – bjoster Dec 05 '17 at 14:31
  • @bjoster speak for yourself, I operate a strict "no pants thursday" policy at my workplace – Chris Browne Jul 22 '19 at 20:08
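Two points in this thread are easy to check mechanically rather than argue about: the question's "same hostname inside and outside" split-DNS setup, and bjoster's and Brandon Xavier's warning about publishing private addresses in the public zone. The following is an added example, not code from the question or either answer: a small Python audit that parses two zone files for the same name (an internal view and the public view), reports which names are legitimately split (different addresses in each view), which exist only internally, and which public records hand out RFC 1918 or IPv6 ULA addresses, i.e. the leak the comments describe. The zone contents, the `example.test` name and the addresses are all constructed for the example; the parser handles the common zone-file subset (`$ORIGIN`, `$TTL`, `;` comments, multi-line SOA in parentheses, optional TTL/class) and only collects A and AAAA records.

```python
"""Audit an internal and a public zone file for split names and leaked private addresses.

Added example; the zones below are constructed sample data, not the poster's real zones.
"""
import ipaddress

# Constructed sample: the internal view of example.test (RFC 1918 and ULA addresses).
INTERNAL_ZONE = """
$ORIGIN example.test.
$TTL 3600
@           IN SOA   ns1 hostmaster (
                2017112401 ; serial
                7200 900 1209600 3600 )
@           IN NS    ns1
ns1         IN A     192.168.10.2
www         IN A     192.168.10.20
mail        IN A     192.168.10.25
mail        IN AAAA  fd12:3456:789a::25
wiki        IN A     192.168.10.40
fileserver  IN A     192.168.10.30
hrserver    IN A     192.168.99.72
"""

# Constructed sample: the public view, where someone has copied two internal hosts verbatim.
PUBLIC_ZONE = """
$ORIGIN example.test.
$TTL 3600
@           IN SOA   ns1 hostmaster (
                2017112401 ; serial
                7200 900 1209600 3600 )
@           IN NS    ns1
ns1         IN A     203.0.113.2
www         IN A     203.0.113.20
mail        IN A     203.0.113.25
mail        IN AAAA  2001:db8::25
fileserver  IN A     192.168.10.30   ; private address published: a leak
hrserver    IN A     192.168.99.72   ; private address published: a leak
"""

# Address ranges that are never routable from the public internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8",                    # IPv4 link-local, loopback
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]


def is_private(addr):
    """True if addr (a string) lies in one of PRIVATE_NETS; unparsable strings are not private."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def qualify(owner, origin):
    """Turn a zone-file owner name into a fully qualified name ending in a dot."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return f"{owner}.{origin}"


def parse_zone(text):
    """Return {fqdn: set_of_addresses} for every A and AAAA record in a zone-file string."""
    origin, last_owner, depth, records = ".", ".", 0, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        opened, closed = line.count("("), line.count(")")
        if depth > 0:                                # inside a multi-line (SOA) rdata: skip
            depth += opened - closed
            continue
        depth += opened - closed
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$"):                # $TTL and other directives
            continue
        if raw[0].isspace():                         # blank owner: reuse the previous one
            owner = last_owner
        else:
            owner = last_owner = fields.pop(0)
        if fields and fields[0].isdigit():           # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() in ("IN", "CH", "HS"):   # optional class
            fields.pop(0)
        if len(fields) < 2 or fields[0].upper() not in ("A", "AAAA"):
            continue
        records.setdefault(qualify(owner, origin), set()).add(fields[1])
    return records


def audit(internal_text, public_text):
    """Classify names: leaked private addresses, properly split names, internal-only names."""
    internal, public = parse_zone(internal_text), parse_zone(public_text)
    leaked = sorted(n for n, addrs in public.items() if any(is_private(a) for a in addrs))
    split = sorted(n for n in internal.keys() & public.keys()
                   if internal[n] != public[n] and n not in leaked)
    internal_only = sorted(internal.keys() - public.keys())
    return {"leaked": leaked, "split": split, "internal_only": internal_only}


if __name__ == "__main__":
    for category, names in audit(INTERNAL_ZONE, PUBLIC_ZONE).items():
        print(f"{category}: {', '.join(names) or '(none)'}")
```

Run as-is it reports `fileserver` and `hrserver` as leaked, `mail`, `ns1` and `www` as split, and `wiki` as internal-only. Pointing it at a real pair of zone files (for example the internal and external view files of a BIND split-horizon setup) before each reload is a cheap way to catch exactly the mistake the comments argue about, whichever side of the "does it matter" debate you land on.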