
Re: DNS server (forwarder) in DMZ - Necessary


Jonathan de Boyne Pollard

Jan 16, 2010, 4:38:48 PM1/16/10

> Now I'm trying to catch up and am trying to find some information regarding this, but I'm not able to find information from any source explaining this.

That's probably because it's not as widely recommended as you thought it to be.  In part, it's based upon a misunderstanding of how DNS works, exemplified by what you wrote in a later post:

> But in general I don't think that servers should act as clients, and indeed not towards untrusted networks like the Internet...

The provision of DNS services involves DNS servers acting as clients. It's a fundamental part of the DNS.  The DNS client library in your applications queries a proxy DNS server, which in turn communicates via back-end queries, where it acts as a client, with content DNS servers on Internet at large.  It does this as part of query resolution, putting together all of the various portions of the overall DNS database published by the separate content DNS servers, and forming an actual answer to be returned to the original client who sent the front-end query.

> So my question here is: will it still be considered a security enhancement with this setup, even if you are not hosting the public DNS yourself, or will it be kind of overkill with an additional hop from the DMZ DNS server to, for instance, the ISP's DNS server?

Here's your misunderstanding in action.  In the usual case, there is no hop from the resolving proxy DNS server to your ISP's server.  The resolving proxy DNS server talks directly to content DNS servers located on the rest of Internet at large.  Having a forwarding proxy DNS server is not really the usual case.

There are various reasons for having a forwarding proxy DNS server (and various reasons for not having one).  In the circumstances that you describe here, many of them relate to the size and shape of hole that one knocks into one's firewall for DNS.  A bigger hole is required for a resolving proxy DNS server than for a forwarding proxy DNS server.  But this particular decision criterion does not apply to the proxy DNS server that is outside of one's firewall, only to the proxy DNS servers that are inside one's firewall.  Usually there's no such reason for having a proxy DNS server outside of one's firewall be a forwarding proxy, and the other reasons for having a forwarding proxy in that location are outweighed by the reasons for having a resolving proxy there. 
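As an added illustration that is not part of the thread, a toy Python model of the back-end behaviour described above: a resolving proxy walking referrals from the root versus a forwarding proxy sending one query to its forwarder, and the outbound firewall hole each of them needs. All server addresses, names and the delegation tree are constructed.

```python
# Added example (not the thread's code); every server, name and address is constructed.
ROOT_SERVER = "198.51.100.1"    # constructed root content DNS server
ISP_FORWARDER = "192.0.2.53"    # constructed ISP resolving proxy

# Constructed content DNS servers: root, "com." TLD, and the "example.com." zone.
# Each one either answers the name or refers the client one level down.
CONTENT_SERVERS = {
    "198.51.100.1": {"answers": {}, "referrals": {"com.": "198.51.100.2"}},
    "198.51.100.2": {"answers": {}, "referrals": {"example.com.": "198.51.100.3"}},
    "198.51.100.3": {"answers": {"www.example.com.": "203.0.113.10"}, "referrals": {}},
}

def content_server_query(server, name):
    """One back-end query: ('answer', ip), ('referral', next_server) or ('nxdomain', None)."""
    srv = CONTENT_SERVERS[server]
    if name in srv["answers"]:
        return "answer", srv["answers"][name]
    for suffix, next_server in srv["referrals"].items():
        if name == suffix or name.endswith("." + suffix):
            return "referral", next_server
    return "nxdomain", None

def resolving_proxy(name, peers):
    """Resolving proxy: walks referrals from the root, acting as a client to each
    content server in turn; every outside peer it talks to is appended to PEERS."""
    server = ROOT_SERVER
    for _ in range(8):                       # hop limit guards against referral loops
        peers.append(server)
        kind, value = content_server_query(server, name)
        if kind == "answer":
            return value
        if kind != "referral":
            return None
        server = value
    return None

def forwarding_proxy(name, peers):
    """Forwarding proxy: one back-end query to the configured forwarder, which
    resolves on the proxy's behalf (simulated here with resolving_proxy)."""
    peers.append(ISP_FORWARDER)
    return resolving_proxy(name, [])         # the forwarder's own peers are not ours

def firewall_hole(peers):
    """Outside addresses the firewall must allow outbound DNS (port 53) to."""
    return sorted(set(peers))

if __name__ == "__main__":
    for proxy in (resolving_proxy, forwarding_proxy):
        talked_to = []
        addr = proxy("www.example.com.", talked_to)
        print(f"{proxy.__name__}: answer={addr} firewall hole={firewall_hole(talked_to)}")
```

The resolving proxy ends up needing outbound port 53 to arbitrary content servers, while the forwarding proxy only needs it to the single forwarder address, which is the "size and shape of hole" difference the post refers to.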
