3

We have a mail gateway running in a DMZ, which is a relay for our internal mail server holding all the mail. We have come across the need to use DNS from the DMZ to resolve names of internal services (such as the internal mail server, etc.).

Should we allow DNS queries from the DMZ to LAN? This would result in a serious breach in case some of the DMZ servers were compromised. On the other hand, not allowing the DNS queries makes us much less flexible.

I came across the concept of a split-brain DNS, which is, I assume, what would solve the problem, but I do not quite understand how it can be accomplished in a Windows AD integrated environment.

David
  • `This would result in a serious breach in case some of the DMZ servers were compromised.` - How so? You'd be allowing only DNS traffic, right? What type of breaches do you envision? Do you have specific examples? – joeqwerty Aug 05 '15 at 18:51
  • Right, but exposing structure of the whole network by allowing any DNS queries is a nightmare. – David Aug 05 '15 at 19:07
  • `exposing structure of the whole network by allowing any DNS queries is a nightmare` - What do you mean by that? How is the structure of the whole network exposed? Do you mean exposing the DNS records? Mind you, I'm not faulting you for thinking of security, I'm only questioning your vague and nebulous statement of `This would result in a serious breach in case some of the DMZ servers were compromised` without citing any specific scenarios, exploits or attack vectors. – joeqwerty Aug 05 '15 at 19:52
  • You indeed have a point here. It just *seemed* unsafe to allow an intruder to query for anything, and that's vague. Still I kind of think that if I compromised a remote DMZ computer, I would probably try to query for commonly used names in the network, would query for the MX, all service records, etc. That would theoretically allow me to penetrate the attacked network faster, as I could choose from a range of services viable for attack. That means more time for me as the attacker and less time for the attacked to stop me. But if, in your experience, this is pointless, I'd like to know. Thanks! – David Aug 05 '15 at 20:04
  • Not pointless at all. I'm just trying to get a feel for your specific concerns. – joeqwerty Aug 05 '15 at 20:15

3 Answers

2

Complete the hosts file on the mail gateway server with the servers you would have wanted to resolve by DNS.

albal
  • But that's keeping the names and addresses in two places. I was hoping for a better solution, we already talked about this. But I am thankful for this idea anyway! – David Aug 05 '15 at 19:12
1

So after discussing for quite a while we wound up using the internal server from the DMZ. In the long run, this seems much easier and more flexible to manage, and given the compromises one has to make (e.g. allowing communication from the DMZ to the LAN anyway), this does not seem such an evil anymore.

Thanks for everyone's help!

David
0

This sort of situation is why you should try to avoid creating dependencies on the AD integrated domains outside of the security zone they occupy. Without that demark, you're stuck forwarding queries into that security zone and that makes security people cranky.

If you want to avoid this problem, you're going to need to spin up additional authoritative DNS infrastructure that is separate from the AD integrated domains, and not in the same security zone as the DCs. Create a new internally routed domain for this purpose. DNS recursors from other security zones should be allowed to consume data from these servers, making this new DNS namespace available throughout your company. (or at least wherever you need it)

Andrew B
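As an added illustration of the approach in the answer above (this is example configuration written for this page, not code from the answerer or from Microsoft), here is what the separate, non-AD-integrated namespace could look like on Windows DNS. All names and addresses are assumed: `svc.corp.example` is the new internally routed domain, `10.0.20.5` a standalone DNS server that is not a domain controller, `10.0.10.25` the internal mail server, and `10.0.30.0/24` the DMZ subnet.

```powershell
# Added example, not part of the original answer. Assumed values:
#   svc.corp.example  - new file-backed zone carrying only DMZ-facing names
#   10.0.20.5         - standalone Windows DNS server hosting that zone (not a DC)
#   10.0.10.25        - internal mail server the DMZ relay must reach
#   10.0.30.0/24      - DMZ subnet containing the mail gateway
# Needs the DnsServer, DnsClient and NetSecurity modules (Windows Server / RSAT).

# --- On the standalone DNS server (10.0.20.5) ---

# A file-backed primary zone: no AD replication and no dynamic updates, so it
# cannot silently accumulate records that were never meant to be seen from the DMZ.
Add-DnsServerPrimaryZone -Name "svc.corp.example" -ZoneFile "svc.corp.example.dns" -DynamicUpdate None

# Publish only the records the relay actually needs.
Add-DnsServerResourceRecordA  -ZoneName "svc.corp.example" -Name "smtp" -IPv4Address "10.0.10.25" -TimeToLive 01:00:00
Add-DnsServerResourceRecordMX -ZoneName "svc.corp.example" -Name "." -MailExchange "smtp.svc.corp.example" -Preference 10

# Authoritative only: with recursion off, this server will not look up the AD
# zones or Internet names on behalf of a DMZ host.
Set-DnsServerRecursion -Enable $false

# Accept DNS only from the DMZ subnet.
New-NetFirewallRule -DisplayName "DNS from DMZ (UDP)" -Direction Inbound -Protocol UDP -LocalPort 53 -RemoteAddress 10.0.30.0/24 -Action Allow
New-NetFirewallRule -DisplayName "DNS from DMZ (TCP)" -Direction Inbound -Protocol TCP -LocalPort 53 -RemoteAddress 10.0.30.0/24 -Action Allow

# --- On the DMZ mail gateway ---

# Name Resolution Policy Table rule: queries for this one namespace go to the
# dedicated server; every other name keeps using the gateway's normal resolver,
# so the gateway never needs a path to the domain controllers' DNS.
Add-DnsClientNrptRule -Namespace ".svc.corp.example" -NameServers "10.0.20.5"

# --- Checks ---

# The published name must resolve to 10.0.10.25 ...
Resolve-DnsName -Name "smtp.svc.corp.example" -Server 10.0.20.5 -Type A

# ... and a name from the AD zone must not get an answer from this server,
# which is the point of the separate namespace.
Resolve-DnsName -Name "dc01.corp.example" -Server 10.0.20.5 -ErrorAction SilentlyContinue
```

The relay then addresses the internal mail server as `smtp.svc.corp.example`, and the firewall rule from the DMZ into the LAN only needs to admit port 53 to `10.0.20.5` rather than to the domain controllers. Reverse (PTR) records, if the mail software insists on them, would go into a similarly restricted zone on the same server.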