Home page logo

basics logo Security Basics mailing list archives

RE: Securing DNS Server
From: "Naman Latif" <naman.latif () inamed com>
Date: Mon, 4 Nov 2002 12:58:42 -0800

You are right for most of your assumptions. We do have an internal DNS
server, which is Primary for all the users. No user has access to the
DMZ DNS Server. Also the Internal DNS server is NOT accessible from
However the internal DNS server has the DMZ DNS server as its forwarder.
So if an internal user query cannot be resolved by the internal DNS
server, it is forwarded to the DMZ DNS Server.This is where my questions
1. If the DMZ DNS server needs to contact some external (root)server for
resolving the query, then how do I control that ?

Regards \\ Naman

-----Original Message-----
From: Michael Vaughan [mailto:list () predator-hunter com] 
Sent: Monday, November 04, 2002 12:50 PM
To: Naman Latif; 'security-basics'
Subject: RE: Securing DNS Server

Hash: SHA1


If I am not mistaken, the DNS server in the DMZ should be a SECONDARY
IE: a non-writable database.  Furthermore, the DNS server on 
your internal network should be the primary giving ONLY 
appropriate information regarding the location of external 
services. IE: not allowing DNS zone transfers except from 
specific servers...etc. 
Essentially, the external DMZ server services external 
requests for resolving services offered in the DMZ ONLY and 
the internal DNS server (Primary) offers services to internal 
clients for resolving outside sites & services.  My question 
is why would you be allowing ANY outgoing connections from 
your DMZ DNS server to external root servers other than what 
is on your site? If you have other services located at other 
locations...you can add those to the DNS manually or through 
zone transfer. I would propose that the DMZ DNS server should 
ONLY resolve your DMZ services and no one else's. IE: Why 
would I want someone using my DNS server externally to 
resolve yahoo? Basically I am saying that if the service can 
not be resolved externally to your site(s) then it should 
fail. Your internal DNS server would service all of your 
internal clients and would not be accessible from external 
sources period.  There are notable exceptions depending on 
your requirements but am I missing the point of your 
question?  I am assuming you have a DMZ and you are in NO WAY 
allowing anyone to connect to your internal network directly. 
 Is that correct?

- -Michael Vaughan
mvaughan () predator-hunter com

The information contained in this message may contain 
privileged and confidential information and is intended only 
for the internal company use of the individual or entity 
named above.  If the reader of this message is not the 
intended recipient, or the employee or agent responsible to 
deliver it to the intended recipient, you are hereby notified 
that any examination, distribution or copying of this 
communication is strictly prohibited.  Furthermore, any and 
all recipients of this message are prohibited from engaging 
in the unauthorized dissemination of the information 
contained herein to
person(s) outside the company.   If you have received this
communication in error, please notify sender immediately. 

- -----Original Message-----
From: Naman Latif [mailto:naman.latif () inamed com] 
Sent: Friday, November 01, 2002 7:31 PM
To: security-basics
Subject: Securing DNS Server

I am trying to restrict Access to our DNS Server from Outside 
using a Cisco IOS Firewall. Initially we only had Port 53 
Access to this Server from outside. But it turned out that 
when our DNS Server has to query a root name server, it sends 
out a UDP query with a random higher (>1023) source port 
number, which means that I will have to open >1023 Ports 
access to this server from outside. In this situtation How do 
I protect my DNS server from outside attacks on higher port 
numbers ? Is there a range of Source Port numbers that a BIND 
DNS server would use, when querying outside servers ?

Version: PGP 7.0.4


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]