02-13-2006 02:53 PM - edited 03-03-2019 01:49 AM
I have a network set up with two VLANs. Each VLAN connects to a common 1721 router. Neither of these VLANs can speak to each other (via subinterfaces and access lists). Now with the help of people here, I've figured out how to handle DHCP on the second VLAN via the router, but now I've realized another problem. My *DNS* server is also on the first VLAN (which the second VLAN isn't allowed to speak to). Are there any suggestions about how I can resolve this little dilemma?
02-13-2006 02:59 PM
Why don't you punch a hole in your ACLs that lets DNS requests through but denies everything else?
You need to allow UDP/53 in either direction.
Paresh
02-13-2006 03:03 PM
The only thing is, I'm hesitant to punch a hole through the ACLs. The separation of the two VLANs is something sort of required by law. And how easy/difficult would it be to do that? Would it be securely isolated?
02-13-2006 03:08 PM
As long as you make your ACL really tight and only let UDP/53 through, then you are fine.
That will not let any other traffic through.
Paresh
02-13-2006 03:01 PM
Obviously you will have to start routing between the two subnets if you want to use the DNS server in subnet 1 from subnet 2. Cisco routers don't run a DNS server, so you cannot use the router to resolve names. You can do controlled routing via access lists. All you need to do is allow port 53 (DNS) for DNS queries to pass between the two subnets.
Now in the DHCP scope you define for subnet 2, you can specify the DNS server in subnet 1 as the DNS server.
interface FastEthernet0/0
 description Subnet 1
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/1
 description Subnet 2
 ip address 10.10.20.1 255.255.255.0
!
ip dhcp pool Subnet2
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
 dns-server <DNS server in subnet 1>
 netbios-name-server <WINS server, if you need WINS>
 lease <days>
HTH
Sankar
PS: please remember to rate posts!
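The "hole" Paresh and Sankar describe, written out as an added example for the poster's topology (dot1q subinterfaces on the 1721); this is not configuration from the thread, and the VLAN numbers, the server address 10.10.10.53 and the ACL names are assumptions. It allows only DNS from VLAN 20 to the one server, lets the server's answers back, and keeps every other flow between the two VLANs blocked. The bootpc/bootps line is there because the poster's DHCP service runs on the router itself and an inbound ACL on the subinterface filters the clients' broadcasts too.

```cisco
! Added example, not from the original post. Addresses, VLAN IDs and ACL names are assumed.
!
interface FastEthernet0.10
 description VLAN 10 - holds the DNS server 10.10.10.53
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
interface FastEthernet0.20
 description VLAN 20 - DHCP clients served by the router
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip access-group VLAN20-IN in
!
! Packets arriving from VLAN 20. Order matters: the DNS permits and the deny toward
! VLAN 10 must come before the final "permit ... any", or the hole becomes a doorway.
ip access-list extended VLAN20-IN
 remark keep the router's own DHCP service reachable (client broadcasts, source 0.0.0.0)
 permit udp any eq bootpc any eq bootps
 remark DNS queries to the server only; TCP/53 covers responses too large for UDP
 permit udp 10.10.20.0 0.0.0.255 host 10.10.10.53 eq domain
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.53 eq domain
 remark everything else toward VLAN 10 is dropped and logged for the audit trail
 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 log
 remark VLAN 20 may still reach anything that is not VLAN 10
 permit ip 10.10.20.0 0.0.0.255 any
!
! Packets arriving from VLAN 10: only the DNS server's replies may go to VLAN 20.
ip access-list extended VLAN10-IN
 permit udp host 10.10.10.53 eq domain 10.10.20.0 0.0.0.255
 permit tcp host 10.10.10.53 eq domain 10.10.20.0 0.0.0.255 established
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 permit ip 10.10.10.0 0.0.0.255 any
```

Two things to check after applying it: "show access-lists" should show hit counters climbing only on the two DNS permit lines and, during a test, on the logged deny line; and an nslookup from a VLAN 20 host against 10.10.10.53 should work while a ping or RDP to the same host fails. The caveat a reviewer would raise is that plain extended ACLs are stateless: the reply line in VLAN10-IN lets any UDP packet with source port 53 from the server reach any port in VLAN 20, so an attacker who already owns the DNS server host can use that as a one-way channel. If the 1721 runs the IOS firewall feature set, reflexive ACLs ("reflect"/"evaluate") or CBAC ("ip inspect") on the VLAN 20 subinterface replace that static reply line with entries created per outbound query.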
02-13-2006 03:06 PM
Punching a hole for DNS can be a loophole for somebody to do a DoS attack on your DNS server. I would suggest then that you use another DNS server.
02-13-2006 03:11 PM
Since you would already allow DNS traffic to the DNS service from external networks (in order to be able to resolve DNS queries), punching a hole to let through an internal network will not really create a security hole that is not there already.
Paresh
02-14-2006 06:07 AM
Thank you both for your responses. This was very helpful.
02-14-2006 06:25 AM
Just my 2 cents, but if you are blocking the two VLANs from talking to each other for security (OK - I know it's not much security, but it's some), then why not just add another VLAN and put just your DNS server in it? Then let both the other subnets only talk to the DNS subnet - sort of a DNS DMZ, if you will.
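The "DNS DMZ" suggested above, as an added example that is not part of the post; the third VLAN, the server address 10.10.30.53 and the ACL names are assumptions. The point of the extra VLAN is that neither user VLAN ever has a permit toward the other, and the DMZ subinterface's own ACL stops the DNS server from initiating anything into either of them, so a compromised resolver is contained to answering queries (and talking upstream).

```cisco
! Added example, not from the original post. Addresses, VLAN IDs and ACL names are assumed.
!
interface FastEthernet0.30
 description DNS DMZ - only the DNS server lives here
 encapsulation dot1Q 30
 ip address 10.10.30.1 255.255.255.0
 ip access-group DMZ-IN in
!
! Each user VLAN: DNS to the DMZ server, nothing to the other user VLAN,
! nothing else into the DMZ. VLAN20-IN is the mirror image of this list.
ip access-list extended VLAN10-IN
 permit udp any eq bootpc any eq bootps
 permit udp 10.10.10.0 0.0.0.255 host 10.10.30.53 eq domain
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.30.53 eq domain
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 deny   ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255 log
 permit ip 10.10.10.0 0.0.0.255 any
!
ip access-list extended VLAN20-IN
 permit udp any eq bootpc any eq bootps
 permit udp 10.10.20.0 0.0.0.255 host 10.10.30.53 eq domain
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.30.53 eq domain
 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 log
 deny   ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255 log
 permit ip 10.10.20.0 0.0.0.255 any
!
! The DMZ may only answer. Anything the server (or anything else in VLAN 30)
! starts toward a user VLAN is dropped; it may still reach the Internet for
! upstream resolution or forwarders.
ip access-list extended DMZ-IN
 permit udp host 10.10.30.53 eq domain 10.10.10.0 0.0.0.255
 permit udp host 10.10.30.53 eq domain 10.10.20.0 0.0.0.255
 permit tcp host 10.10.30.53 eq domain 10.10.10.0 0.0.0.255 established
 permit tcp host 10.10.30.53 eq domain 10.10.20.0 0.0.0.255 established
 deny   ip any 10.10.10.0 0.0.0.255 log
 deny   ip any 10.10.20.0 0.0.0.255 log
 permit ip host 10.10.30.53 any
```

Compared with poking a hole between the two existing VLANs, this keeps the legally required "no traffic between VLAN 10 and VLAN 20" rule literally true on the router (every ACL denies it outright, nothing permits it), which is easier to demonstrate to an auditor with "show access-lists" than a rule set where the DNS server sits inside one of the protected segments.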