topic External DNS Question in Network Security

External DNS Question

robert.russom — Tue, 12 Mar 2019 07:14:20 GMT

We control our external DNS to the internet, and currently they sit outside of the firewall on public IPs. It's time to upgrade and I want to bring them inside the ASA and NAT them.

Maybe I'm looking at this too hard, but is it as simple as NAT'ing the existing public IPs to the new internal servers in the DMZ and allowing port 53 traffic through?

Thanks!

Sounds about right.

jj27 — Wed, 03 Feb 2016 17:08:46 GMT

Sounds about right.

In addition to Johnson's

mvsheik123 — Thu, 04 Feb 2016 03:26:24 GMT

In addition to Johnson's comment, couple of other notes..

1. As these servers need to initiate DNS queries to Internet, make sure to allow DNS traffic only to Internet from DMZ (sourced from server pvt IPs).

2. You may be aware of this but you need to allow both tcp & udp for DNS traffic.

3. Make sure to block any connection initiated from these servers to your Internal IPs (using ACLs on DMZ).

hth

Thanks all!

robert.russom — Thu, 04 Feb 2016 15:18:13 GMT

Thanks all!

#3... I still need to allow port 53 to/from my DCs for DNS forwarding, correct?

Hi Robert,

mvsheik123 — Tue, 09 Feb 2016 03:45:27 GMT

Hi Robert,

If your DCs are inside and using DMZ servers as forwarders, I don't see a need to open any ports. If your ASA version is pre 8.3 , you need static (Inside, DMZ) DCIP DCIP mask x.x.x.x and for 8.3 and after- the communication allowed by config.

hth

Thanks guys! I got the crud

robert.russom — Fri, 12 Feb 2016 19:08:20 GMT

Thanks guys! I got the crud and forgot to come back on here and update.