Welcome to Cisco Firewalls Community


275 Views · 0 Helpful · 2 Replies
Beginner

DNS in a DMZ

Hello,

I have a Cisco ASA 5545 and have been tasked with creating a DMZ for our public-facing applications. Thus far I have created a new VLAN/subnet and interface, and now my question is about DNS for the applications we move into the DMZ. Currently DNS is done by a Windows Server 2012 R2 machine on the "inside" network. So my question is: how should I set up DNS for the apps in the DMZ via the ASA? Do I need to put another DNS server in the DMZ subnet/zone? Or can I use ACLs to access the DNS on the inside network? But does that nullify the security zone if the apps in the DMZ are accessing the DNS from the inside network? Or should I be using some external public DNS? Just trying to figure out the best practice or application for this situation.

Thanks in advance.

2 REPLIES
VIP Mentor

Re: DNS in a DMZ

All options are valid and can be used:

  • external DMZ: Less flexible to return internal IPs for external IPs of the ASA. But if the server is not accessing any other company resources on the ASA, it could be fine.
  • internal DNS: You open up the internal network for a service which is not desired in a high-security environment.
  • new DNS in a services-DMZ: Most secure and most flexible, but you have to manage additional resources. Still, this is the way I would always prefer.
Beginner

Re: DNS in a DMZ

Hi Karsten,

Thanks for your reply, a few questions on these options:

  • external vs internal DNS: Less flexible to return internal IPs for external IPs of the ASA. But if the server is not accessing any other company resources on the ASA, it could be fine.

- So if I was to use, say, Google's DNS 8.8.8.8, 8.8.4.4, what would I need to configure on the ASA DMZ security zone (50) side? Since the server will need to be accessible via the public internet for the GUI (0), but it will also need access to some LAN resources as well, i.e. it does asset scans for devices on the inside (100) network side. So would it be more applicable in this situation to use the local inside DNS and poke a hole via UDP port 53 for the DNS queries? I know this is not desired and is kind of defeatist because now I am accessing resources on the inside network, which the whole point of the DMZ is to avoid, but I'm trying to figure out the best way to do this for my scenario. Any suggestions you have are appreciated here. :)

  • new DNS in a services-DMZ: Most secure and most flexible, but you have to manage additional resources. Still, this is the way I would always prefer.

- I would like to do it this way as well, but we don't have the resources right now.
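For the "poke a hole via UDP port 53" option discussed in this reply, the following ASA CLI configuration is an added example and is not part of the thread or of any Cisco documentation. It assumes ASA 8.3+ object-based ACL syntax, an interface named dmz at security-level 50 as described above, and constructed addresses (192.0.2.10 for the DMZ app server, 10.0.100.5 for the inside Windows DNS server, 10.0.100.0/24 for the inside network). The point it demonstrates is that the hole is scoped to one DMZ host, one inside host and the DNS ports only, with an explicit logged deny for everything else headed inside, so the zone boundary is narrowed rather than removed.

```text
! --- Added example, not from the thread; all addresses are constructed ---
! DMZ interface as described in the question (name and level assumed)
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0

! Named objects so the ACL reads as intent, not as raw addresses
object network DMZ-APP-SERVER
 host 192.0.2.10
object network INSIDE-DNS
 host 10.0.100.5
object network INSIDE-NET
 subnet 10.0.100.0 255.255.255.0

! DNS over UDP and TCP 53 (TCP is needed for large responses / zone-style queries)
object-group service DNS-PORTS
 service-object udp destination eq domain
 service-object tcp destination eq domain

! Inbound ACL on the dmz interface, evaluated top-down:
! 1. only the app server may reach only the inside DNS server, only on DNS ports
access-list DMZ_IN extended permit object-group DNS-PORTS object DMZ-APP-SERVER object INSIDE-DNS
! 2. everything else from the DMZ toward the inside network is dropped and logged,
!    so a compromised DMZ host cannot use the DNS hole to pivot elsewhere
access-list DMZ_IN extended deny ip any object INSIDE-NET log
! 3. the app server may still reach the internet (for updates, public GUI clients replying, etc.)
access-list DMZ_IN extended permit ip object DMZ-APP-SERVER any
! 4. implicit deny covers any other DMZ host

access-group DMZ_IN in interface dmz
```

Because the deny toward INSIDE-NET sits above the permit-any, the order of lines matters: swapping lines 2 and 3 would silently re-open the whole inside network. The asset-scanning access the reply mentions is a separate requirement and should get its own narrowly scoped permit line above the deny (specific source, specific destinations, specific ports) rather than widening the DNS rule. If the later "services-DMZ" option becomes affordable, the same ACL shape applies with INSIDE-DNS replaced by a DNS host in that DMZ, and the inside network then needs no hole at all.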
