I have a cisco asa 5545, and have been tasked with creating a DMZ for our public facing applications. This far I have created a new vlan/subnet and interface, and now my question is about DNS for the applications we move into the DMZ. Currently the DNS is done by windows 2012 server r2 machine on the "inside" network. So my question is how should I setup DNS for the apps in the DNS via the ASA? Do I need to put another DNS server in the DMZ subnet/zone? Or can I use ACL's to access the DNS or the inside network?, but does that nullify the security zone if the Apps in the DMZ are access the the DNS from the inside network? Or should I be using some external public DNS? Just trying to figure out the best practice or application for this situation..
Thanks in advance.
All options are valid and can be used:
Thanks for you reply, a few questions on these options:
- So if I was to use say google's DNS 220.127.116.11, 18.104.22.168 what would I need to config on ASA DMZ security zone (50) side? Since the server will need to be accessible via the public inet for the GUI (0), but it will also need access to some LAN resources as well. IE: it does asset scan for devices on the inside (100) network side. So would it be more applicable in this situation to use the Local inside DNS and poke a whole via UDP port 53 for the DNS queries? I know this is not desired and is kind of defeatist cause now I am accessing resources on the Inside network which the whole point of the DMZ is to avoid, but Im trying to figure out the best way to do this for my scenario. Any suggestions you have are appreciated here..:)
-I would like to do it this way as well, but we dont have the resources right now.