Re: Forwarding or Stub Zones?

From: huff-n-puff (huffnpuff_at_discussions.microsoft.com)
Date: 10/06/04


Date: Wed, 6 Oct 2004 16:13:01 -0700

My DMZ has approx 30 servers providing various services.
We have 3 DNS servers on the DMZ providing approx 70 DNS zones to the
internet.
The servers on the DMZ do not query our ISP; they query the DNS servers on
our DMZ.

Just to clarify your suggestion.

Set all the servers on the DMZ to query the LAN DNS servers, which would in
turn forward the request to the DNS servers on the DMZ, then pass the response
back to the DNS servers on the LAN, which would in turn pass the response back
to the server on the DMZ...

Would that not create a hell of a lot of traffic on our firewall?

"Ace Fekay [MVP]" wrote:

> In news:F3DA7D72-5DA3-40B1-9858-7E69EE8878F5@microsoft.com,
> huff-n-puff <huffnpuff@discussions.microsoft.com> made a post then I
> commented below
> > We host our own domains so using the ISP isn't an option.
> >
> > Thanks for the quick response though.
> >
> > M
> >
>
>
> I believe what Dan is saying is that he configured all his DMZ machines to ONLY
> use the internal DNS servers, and not your external or ISP's DNS. This way they
> all resolve the internal stuff. If they need external resolution, assuming
> your internal DNS are configured with forwarding, they will still resolve
> outside names.
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
>
> Security Is Like An Onion, It Has Layers
> HAM AND EGGS: A day's work for a chicken;
> A lifetime commitment for a pig.
> --
> =================================
>
>
>
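The two options the thread title asks about, as an added example that is not part of any post above: the internal (LAN) DNS server is made to resolve one DMZ-hosted zone either through a conditional forwarder or through a stub zone, and the result is checked. This is editor-written illustration, not the poster's or Ace's configuration. The zone name example.com, the DMZ DNS addresses 192.0.2.10/.11 and the internal DNS address 10.0.0.5 are hypothetical, and the cmdlets assume the DnsServer PowerShell module (Windows Server 2012 or later); the Windows Server 2003 equivalents are `dnscmd /ZoneAdd example.com /Forwarder 192.0.2.10 192.0.2.11` and `dnscmd /ZoneAdd example.com /Stub 192.0.2.10 192.0.2.11`.

```powershell
# Added example, not from the thread. Hypothetical zone and addresses:
#   zone example.com, DMZ DNS servers 192.0.2.10 and 192.0.2.11,
#   internal DNS server 10.0.0.5. Run on the internal DNS server as an administrator.
$Zone        = 'example.com'
$DmzDns      = @('192.0.2.10', '192.0.2.11')   # authoritative servers on the DMZ
$InternalDns = '10.0.0.5'

# Option 1: conditional forwarder.
# Every internal query for example.com is sent as a recursive query to the DMZ
# servers; the internal server caches the answers, so repeated lookups for the
# same name do not cross the firewall again until the TTL expires.
Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $DmzDns `
    -ForwarderTimeout 3 -PassThru

# Option 2: stub zone (remove the forwarder first; one name holds one zone).
# The internal server loads only the SOA, NS and glue A records from the masters
# and then resolves example.com names itself by querying those NS servers
# directly. This needs recursion enabled on the internal server.
Remove-DnsServerZone -Name $Zone -Force
Add-DnsServerStubZone -Name $Zone -MasterServers $DmzDns -ZoneFile "$Zone.dns" -PassThru

# Check: a stub zone should show only SOA, NS and glue records, which confirms
# the internal server is not holding a full secondary copy of the DMZ zone.
Get-DnsServerZone -Name $Zone | Format-List ZoneName, ZoneType, MasterServers
Get-DnsServerResourceRecord -ZoneName $Zone | Format-Table HostName, RecordType, RecordData

# Verify from the LAN side that the internal server answers for the DMZ zone.
Resolve-DnsName -Name "www.$Zone" -Server $InternalDns -Type A
```

With either option the only DNS traffic that has to be allowed through the firewall is UDP and TCP port 53 from the internal DNS servers to the DMZ DNS servers; the DMZ hosts themselves then need a rule only to the internal DNS, and the internal server's cache absorbs repeat lookups. The practical difference is that a conditional forwarder hands the whole query to the DMZ servers, while a stub zone keeps the NS list current automatically and has the internal server do the lookups itself.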


