DNS Forwarders Setup

  • Question

  • I'm just reviewing DNS as it was configured by someone else. We have 4 DCs, all with AD-integrated DNS. One of the DCs is configured with forwarders to our external ISP's two DNS servers; a rule is also in place in our firewall to allow all DCs out to the internet everywhere via port 53 for DNS (not happy with this rule, I want to lock it down more). The other 3 DCs are configured with 1 forwarder pointing to the first DC, which points to the external DNS servers. I can see that this is a single point of failure, in that just one DC is getting external DNS; if that DC goes down, external DNS won't work. Also I'm not that happy about DCs connecting directly to the internet. Can someone recommend whether this is a poor setup and what they would do differently?

    Thanks

    Thursday, April 2, 2015 8:38 AM

Answers

  • Hi,

    You can install 2 more, maybe Unix-based, DNS servers to prevent the "direct" connection. But if you have a normal company you already have 2 external DNS servers: the DNS servers of your ISP. With a properly configured firewall the risk can be overseen. But this is what you have to decide with your customer. Under normal circumstances the design looks fine and manageable.

    Kind Regards

    Thomas

    Thursday, April 2, 2015 9:25 AM
  • I would indeed consider having at least 2 DNS servers that forward to the outside DNS server(s).

    All other DNS servers should contain these 2 servers to forward to.

    Opening up port 53 to everywhere might make sense if the DNS server has to do a recursive lookup (i.e. if no forwarder is available). It seems the current design was to have that as a fallback on all DCs. It is not needed if you have reliable forwarders (i.e. not from one ISP).

    There is not much security impact from opening port 53 from your server towards the internet. The reverse route should be closed (unless you want to host a public zone, but in that case you will have to do more than this for a design ;) )


    MCP/MCSA/MCTS/MCITP

    Thursday, April 2, 2015 9:27 AM
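The two-tier forwarder layout recommended in the replies above (two DCs forward to the ISP resolvers, the other DCs forward only to those two, root-hint recursion switched off so the outbound port 53 firewall rule can be narrowed to the edge pair), as an added PowerShell example that is not part of the thread. It uses the standard DnsServer module cmdlets Set-DnsServerForwarder, Get-DnsServerForwarder and Resolve-DnsName; the DC names and all IP addresses are constructed placeholders, and the external name used for the final check is an assumption.

```powershell
# Added example, not from the thread. DC names and addresses below are
# constructed placeholders; replace them with your own.
$EdgeDCs     = @('DC1', 'DC2')                  # the two DCs allowed outbound on port 53
$InternalDCs = @('DC3', 'DC4')                  # forward only to the edge pair
$IspDns      = @('192.0.2.10', '192.0.2.11')    # ISP resolvers (placeholder, documentation range)
$EdgeDcIPs   = @('10.0.0.11', '10.0.0.12')      # placeholder addresses of DC1 / DC2

# Edge DCs: forward to both ISP resolvers. -UseRootHint $false stops the server
# from falling back to its own recursion against the root hints when the
# forwarders fail, so only these two DCs ever need outbound port 53.
foreach ($dc in $EdgeDCs) {
    Set-DnsServerForwarder -ComputerName $dc -IPAddress $IspDns -UseRootHint $false -Timeout 3
}

# Internal DCs: forward to both edge DCs (no single point of failure), again
# with root-hint fallback off so the firewall rule can drop these hosts.
foreach ($dc in $InternalDCs) {
    Set-DnsServerForwarder -ComputerName $dc -IPAddress $EdgeDcIPs -UseRootHint $false -Timeout 3
}

# Verify the result: every DC should list exactly two forwarders and UseRootHint = False.
foreach ($dc in ($EdgeDCs + $InternalDCs)) {
    $f = Get-DnsServerForwarder -ComputerName $dc
    [pscustomobject]@{
        DC          = $dc
        Forwarders  = ($f.IPAddress.IPAddressToString -join ', ')
        UseRootHint = $f.UseRootHint
    }
}

# Functional check from an internal DC: an external name must resolve through
# the edge pair. With root hints disabled this fails loudly if both edge DCs are
# down instead of silently recursing to the internet from a DC that should not.
Resolve-DnsName -Name 'example.com' -Type A -Server $InternalDCs[0] -DnsOnly
```

Once this is in place, the firewall rule the question describes can be reduced from "all DCs, port 53, anywhere" to "DC1 and DC2, port 53 (UDP and TCP), to the two ISP resolver addresses only"; the Get-DnsServerForwarder output is what you check to confirm no DC still has UseRootHint enabled before tightening the rule.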
