-2

I am a network administrator, and my Windows support partner recommended opening Active Directory to the public internet. The reason is that DNS is configured on Active Directory on the same server. But I have never done this before, and he asked me to update all servers directly from the internet. But we have WSUS, and it is working fine.

Do you have any idea about this recommendation?

peterh
serverAdmin123
    No, you should not do this. What do you mean by this statement `reason is dns is configured on active directory with same server.`? – joeqwerty Feb 21 '19 at 13:27
  • DNS has been configured on the same server. Both Active Directory and DNS. – serverAdmin123 Feb 22 '19 at 03:23
  • As @Joeqwerty sort of said, it is strongly not recommended to do this. If you simply MUST expose that DNS, do so with a standalone DNS server and some reverse proxy service back to it. Each domain controller is a container for your organization's most privileged accounts; exposing it directly to the internet would put your organization at risk. – Kyp Feb 24 '19 at 15:51
  • While MIT Kerberos alone was designed to be secure on the global Internet, Microsoft's implementation is its own, and AD includes many other components which may or may not be safe to operate outside a firewalled network. Don't do it. – Michael Hampton Feb 26 '19 at 04:14
  • Maybe we're all misunderstanding each other. If the OP has blocked all inbound AND outbound internet traffic, then the AD machine would be unable to query the internet to act as a DNS forwarder for outside domains like www.google.com. Their tech may have been suggesting that the AD server be allowed to query the internet so it can do DNS queries for outside domains for its internal client machines. But their WSUS is supposedly working... so something doesn't fit right with this interpretation of the question either. – BeowulfNode42 Jun 10 '19 at 07:46

1 Answer

1

No no no no no no no.

As others have said, if you need to do external DNS, create a separate server and host the required records on that behind a proxy.

Or consider creating a separate namespace for whatever it is that needs inbound connections, and have that hosted by your upstream provider (if your internal domain is a .com, use a .net for external stuff, or some other name variation). What is it that needs external DNS records? And access to internal resources? Managed devices?

LeeM
  • Thanks for your response. But when I blocked internet connectivity for my Active Directory, no users are able to access the internet? – serverAdmin123 Feb 26 '19 at 05:36
  • Um, what are you talking about? If you're talking about the fact external DNS lookups are failing, who is your upstream DNS provider? Put some DNS proxy servers in your perimeter network (not in the same network as your domain) and allow them port 53 to your upstream DNS. Configure them to forward queries to upstream DNS. For your domain controllers, configure their DNS forwarders to point to the DNS proxies. Your clients should be using a WEB proxy as well! – LeeM Feb 26 '19 at 08:26
  • Thank you so much for your answer. Our DNS provider is a local domain provider. – serverAdmin123 Feb 26 '19 at 08:32
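One way to apply the forwarder layout LeeM describes on a domain controller, as an added example that is not part of the original thread: it uses the DnsServer module's Get-DnsServerForwarder and Set-DnsServerForwarder cmdlets to flag any existing forwarder that is a public address (which means the DC is resolving internet names itself) and then points the DC only at the perimeter DNS proxies. The proxy addresses 10.0.100.10 and 10.0.100.11 and the test name www.example.com are placeholders.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell
# session on a domain controller that has the DnsServer module (RSAT-DNS-Server).
# Assumed placeholder addresses of the DNS proxies in the perimeter network:
$PerimeterProxies = @('10.0.100.10', '10.0.100.11')

function Test-PrivateIPv4 {
    # True if the address is an RFC 1918 range: 10/8, 172.16/12 or 192.168/16.
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168))
}

# 1. Audit: a public forwarder address means this DC sends queries to the
#    internet directly, so it needs (and keeps) outbound internet access.
$current = Get-DnsServerForwarder
foreach ($fwd in $current.IPAddress) {
    if ($fwd.AddressFamily -ne 'InterNetwork') { continue }   # IPv4 check only
    $addr = $fwd.IPAddressToString
    if (-not (Test-PrivateIPv4 -Address $addr)) {
        Write-Warning "DC forwards directly to public resolver $addr"
    }
}

# 2. Remediate: forward only to the perimeter proxies and disable the
#    root-hint fallback, so the DC never contacts the internet itself.
Set-DnsServerForwarder -IPAddress $PerimeterProxies -UseRootHint $false -PassThru

# 3. Verify: an external name should still resolve through the DC, now via
#    the proxies rather than via a direct connection from the DC.
Resolve-DnsName -Name www.example.com -Server localhost -Type A
```

With the DC's forwarders set this way, the host firewall can block all other outbound traffic from the DC and clients keep resolving external names; the perimeter proxies are the only hosts that need port 53 to the upstream provider.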