Multiple DMZ's and DNS Servers

b.joanis
Level 1

We recently went from a single-port PIX to a multiple-port and DMZ setup. I am trying to figure out the best way, from a topology standpoint, to place DNS servers within this design. Would one place a DNS server in each zone and perform zone transfers, or would a single DNS server located in one DMZ work? A concern I have with the single DNS server would be extra latency and processing on the PIX.

Thanks,

Brian

6 Replies

nkhawaja
Cisco Employee

Hi,

Best is to have two separate DNS servers, one publicly accessible (in the DMZ) and the other for your private network (on the Inside). Zone transfers should not be done between the two if one is for public addresses and one for private addresses.

You can also have only one DNS server on the DMZ. Or one in the DMZ and one inside, doing Zone transfer.

But you need to say who these DNS servers will be serving.

Thanks

Nadeem

Nadeem,

We are actually running a total of four DMZ's; the design is modeled after the SAFE design. One DMZ is configured for Web servers etc. (public access), another for application/database servers, the third is an old legacy DMZ that provides a separate campus network that we attach workstations to for internet access, and the fourth is the Campus connection.

So from what I gathered from your response and the other individuals, it would be best to treat each DMZ as a separate network with its own associated DNS server. This would provide the best security and scalability.

What is the best way to provide DNS information across zones??

Thanks,

Brian

Hi,

It does not matter how many DMZs you have; basically your DNS servers should be separated into two parts:

1. Serving private IPs for your internal network.

2. Serving public IPs for the internal and external networks.

Thanks
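
The split described in this reply (and in the earlier one recommending two separate servers with no zone transfer between them) is usually realized with two BIND 9 configurations. The following is an added example, not configuration from this thread or from Cisco; it assumes the zone name example.com, documentation addresses (203.0.113.0/24 public, 10.0.0.0/8 inside, 192.168.10.0/24 DMZ) and placeholder secondary and ISP resolver addresses. The same hostname answers with a public address from the DMZ server and a private address from the inside server, and each server only permits transfers to its own secondary, so the private address plan never reaches the public server.

```conf
// ---------- DMZ server: public view of example.com (/etc/named.conf) ----------
options {
    directory "/var/named";
    recursion no;                       // authoritative only; never recurse for the Internet
    allow-transfer { none; };           // no zone transfers unless a zone overrides
    version "not disclosed";
};

zone "example.com" {
    type master;
    file "example.com.public";          // holds only public (DMZ) addresses, e.g.
                                        //   www  IN A 203.0.113.10
                                        //   mail IN A 203.0.113.25
    allow-transfer { 203.0.113.54; };   // placeholder: the public secondary only, never an inside host
};

// ---------- Inside server: private view of example.com (/etc/named.conf) ----------
acl inside { 10.0.0.0/8; 192.168.10.0/24; localhost; };   // assumed inside and DMZ ranges

options {
    directory "/var/named";
    recursion yes;                      // inside clients resolve everything through this server
    allow-query { inside; };            // refuse anything arriving from outside
    allow-recursion { inside; };
    allow-transfer { none; };
    forwarders { 198.51.100.1; };       // placeholder: ISP or upstream resolver, reached through the PIX
    forward only;
};

zone "example.com" {
    type master;
    file "example.com.private";         // private addresses of inside/app/DB hosts, e.g.
                                        //   www  IN A 192.168.10.10
                                        //   db1  IN A 10.20.0.5
    allow-transfer { 10.0.0.54; };      // placeholder: the inside secondary only
};
```

To answer the question of providing names across zones: inside and DMZ hosts point at the inside server, which answers private names itself and forwards Internet names outward; only the public zone file is ever published on the DMZ server, so there is no cross-server transfer to configure. A quick check from the outside is that an AXFR request against the DMZ server is refused and that no 10.x or 192.168.x address appears in any of its answers.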

Hello,

Thank you, that is what I thought; now I have to convince the executive group. That is a little more complicated than the technology itself, sort of the layer 8 in the OSI model.

lwierenga
Level 1

Nadeem is exactly correct. Also, there will not be any latency/impact on your PIX.