Re: DNS design questions
- From: Travis Montgomery <tmontgomery_removethis_@xxxxxxxx>
- Date: Thu, 31 Aug 2006 12:57:28 -0400
Thanks Herb, I appreciate the advice! I'll have a chat with our security folks and see what they want to do.
Much appreciated.
Travis
Herb Martin wrote:
"Travis Montgomery" <tmontgomery_removethis_@xxxxxxxx> wrote in message news:e1OzBePzGHA.2208@xxxxxxxxxxxxxxxxxxxxxxx...
>> That will work, but you are still not considering just putting the
>> public zone back at the Registrar where it most effectively belongs
>> for most companies.
> We're a medium size college campus with about 10,000 users (and growing
> rapidly) and the CIO wants to have DNS locally housed.
The realities of being a University computer infrastructure
may modify some of the normal "best practices".
The main reason is that you (likely) have essentially a semi-open
physical access to your infrastructure. This is similar to the
problem businesses have started experiencing due to wireless
access but much more pervasive since likely you cannot easily
use authentication at the physical or datalink level for access
to your hubs and switches. Likely anyone can "walk in" to the
University and perhaps "plug in" to an Ethernet connection.
Running your own Public DNS is not a "bad" thing but more
trouble than it is worth for most with a small presence on the
Internet.
A commercial enterprise with 10,000 users would likely have
only a handful to a few dozen max "Internet servers" while
a University may have such public access for EVERY major
school or college within that enterprise.
Maintaining such elaborate DNS resource records MAY be
easier if you maintain the DNS internally, and you may have
the 24/7 support needed to keep it running without failure or
outage.
>> With the way caching works, there is almost no advantage to
>> have the external zone in AD on your internal servers -- and for
>> no advantage you have to do the extra setup including letting
>> (vulnerable) external servers maintain contact with internal
>> (sensitive) DCs.
> I'm not sure I see the "extra setup" as being an issue, I just turn DNS on
> and tell it to pull in the zone, right? Also, how big of a security issue
> really is allowing the "external" DNS server to pull a zone transfer from
> an internal one? I'm really asking for my own education, I just have a hard
> time seeing why that is an issue.
The real issue here is "defense in depth" strategies. By definition
your "Public DNS Server" is open to public attack by every hacker
in the world PLUS every student (or others) who works from inside
your network.
Such publicly exposed servers are typically best considered as
"sacrificial hosts" (see some good book on 'firewall' design for
more details but note that to those who design 'firewalls' defenses,
firewalls are more than just hardware OR software but the ENTIRE
set of machines and software that runs from the external screen to
the internal screen and all of the protections for those public and
semi-public machines.)
Sacrificial Hosts are those (exposed) servers which you can afford
to LOSE because you have full backups and can easily re-create them
if they are compromised AND which have limited sensitive data
locally.
Now this doesn't mean you would be 'happy' to lose them, just that
you think about them differently than you would servers which you
really cannot (easily) afford to lose to the control of a hacker (these
are typically known as "Bastion Hosts".)
For every Sacrificial Host that is allowed to contact either a Bastion
or Internally secured server you run additional risk.
Imagine the hacker that compromises and can work from the DNS
server: It is now only ONE STEP from there to the DC if you allow
the DNS to talk to that DC directly.
Is this (always) a terrible security risk? No, of course not, but whenever
I am given a way to limit exposure and decrease the "attack surface"
I try to recommend taking that path.
Security is something that is best handled from "grant no access" UNLESS
it is NECESSARY, rather than "open everything, and secure what is
important."
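As an added illustration of the "grant no access unless necessary" point above (this is not part of the original thread), the following PowerShell fragment audits and tightens the zone-transfer setting on a Windows DNS primary zone. The zone name and the secondary addresses are assumed placeholders; the cmdlets are from the Windows Server DnsServer module.

```powershell
# Added example, not from the original thread. Zone name and addresses are
# placeholders; the cmdlets are from the Windows Server DnsServer module.
$zone = 'example-college.edu'

# 1. Audit: a zone whose SecureSecondaries is TransferAnyServer will hand
#    the whole zone (every host name and address) to anyone who can reach
#    TCP/53 on the DC. That is the exposure behind the zone-transfer question.
$z = Get-DnsServerZone -Name $zone
if ($z.SecureSecondaries -eq 'TransferAnyServer') {
    Write-Warning "$zone allows zone transfers to any server"
}

# 2. Least privilege: if an external secondary really must pull the zone,
#    list it explicitly and send NOTIFY only to the same hosts, so the
#    sacrificial external server is the only one the DC will answer.
$secondaries = @('192.0.2.10', '192.0.2.11')   # placeholder (TEST-NET-1) addresses
Set-DnsServerPrimaryZone -Name $zone `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $secondaries `
    -Notify NotifyServers `
    -NotifyServers $secondaries

# 3. Preferred end state from the thread: the public zone does not live on
#    the internal DCs at all, so the internal copy needs no transfer.
#    Uncomment once the public zone is hosted elsewhere.
# Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries NoTransfer

# Verify the resulting policy on the zone.
Get-DnsServerZone -Name $zone |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers
```

Run it on the DC with the DnsServer module installed; step 1 is read-only, and steps 2 and 3 change the zone and should be tested on a lab zone first.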