Home page logo

basics logo Security Basics mailing list archives

RE : Securing DNS Server
From: Bourque Daniel <Daniel.Bourque () loto-quebec com>
Date: Tue, 5 Nov 2002 13:00:03 -0500

Your external DNS should not be a secondary of your internal server.  It
should be a separate DNS with only the informations about your DMZ servers
and MX record.

You should work in split DNS mode.  Your internal DNS have the informations
about the internal AND DMZ server.  Your DMZ DNS only know about your DMZ

Why your DMZ need access to the root DNS?  Because your mail server need to
know what my e-mail server address is....

-----Message d'origine-----
De : Michael Vaughan [mailto:list () predator-hunter com] 
Envoyé : 4 novembre, 2002 15:50
À : 'Naman Latif'; 'security-basics'
Objet : RE: Securing DNS Server

Hash: SHA1


If I am not mistaken, the DNS server in the DMZ should be a SECONDARY
IE: a non-writable database.  Furthermore, the DNS server on your internal
network should be the primary giving ONLY appropriate information regarding
the location of external services. IE: not allowing DNS zone transfers
except from specific servers...etc. 
Essentially, the external DMZ server services external requests for
resolving services offered in the DMZ ONLY and the internal DNS server
(Primary) offers services to internal clients for resolving outside sites &
services.  My question is why would you be allowing ANY outgoing connections
from your DMZ DNS server to external root servers other than what is on your
site? If you have other services located at other locations...you can add
those to the DNS manually or through zone transfer. I would propose that the
DMZ DNS server should ONLY resolve your DMZ services and no one else's. IE:
Why would I want someone using my DNS server externally to resolve yahoo?
Basically I am saying that if the service can not be resolved externally to
your site(s) then it should fail. Your internal DNS server would service all
of your internal clients and would not be accessible from external sources
period.  There are notable exceptions depending on your requirements but am
I missing the point of your question?  I am assuming you have a DMZ and you
are in NO WAY allowing anyone to connect to your internal network directly.
Is that correct?

- -Michael Vaughan
mvaughan () predator-hunter com

The information contained in this message may contain privileged and
confidential information and is intended only for the internal company use
of the individual or entity named above.  If the reader of this message is
not the intended recipient, or the employee or agent responsible to deliver
it to the intended recipient, you are hereby notified that any examination,
distribution or copying of this communication is strictly prohibited.
Furthermore, any and all recipients of this message are prohibited from
engaging in the unauthorized dissemination of the information contained
herein to
person(s) outside the company.   If you have received this
communication in error, please notify sender immediately. 

- -----Original Message-----
From: Naman Latif [mailto:naman.latif () inamed com] 
Sent: Friday, November 01, 2002 7:31 PM
To: security-basics
Subject: Securing DNS Server

I am trying to restrict Access to our DNS Server from Outside using a Cisco
IOS Firewall. Initially we only had Port 53 Access to this Server from
outside. But it turned out that when our DNS Server has to query a root name
server, it sends out a UDP query with a random higher (>1023) source port
number, which means that I will have to open >1023 Ports access to this
server from outside. In this situtation How do I protect my DNS server from
outside attacks on higher port numbers ? Is there a range of Source Port
numbers that a BIND DNS server would use, when querying outside servers ?

Version: PGP 7.0.4


  By Date           By Thread  

Current thread:
  • RE : Securing DNS Server Bourque Daniel (Nov 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]