Possible DNS issue
19 years 3 months ago #9437
by DaLight
Replied by DaLight on topic Re: Possible DNS issue
Oops!!!
I definitely agree that having the same domain name for your internal network as your real internet domain is the root of the problem.
By the way, I found this link which I think addresses your problem. ( homepages.tesco.net/~J.deBoynePollard/FG...on-server-names.html )
No, actually, I mean both ways. :oops: I know this is not a good idea, which led us to our next step.
19 years 3 months ago #9438
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: Possible DNS issue
I've just read the posts after my last answer and it seems like things are getting a bit messy.
While you seem to have resolved the problem temporarily, you might have created another big one waiting to bite you in the near future. Opening your private DNS server to the public, without a proper DMZ zone is simply a suicide mission!!
Under no circumstance should one open his DNS server, or any local service directly to the Internet - it just doesn't work that way from a security perspective. Using the proper hacking tools, your DNS server can be fooled to provide incorrect information to all your clients, redirecting them to sites which contain malicious code and have you guys running like headless chooks!
A quick search on the available DNS server attacks and hacks will give you the big picture.
The correct way would be to create a DMZ zone and place a DNS server there, and then point all clients to it (internal and external), rather than forwarding a port directly to the server which also happens to be fully exposed to the internal network!
Secondly, I'm a bit lost with the VPN offices, their configuration and your internal network settings after the changes you have mentioned. If possible, can you create a simple diagram (no IP addresses required - or simply use fake ones) showing the headquarters, main DHCP/DNS services and remote offices along with their DHCP/DNS servers and settings?
Lastly, using the same domain internally and externally is a no-go-deal. If you must have one DNS server to serve internal and external clients, this must be done with care. One way is to create sub-domains which will only be accessible by your private network, effectively hiding them from the public - but there are also other methods to achieve the security level required and get the job done.
As you can see, there are quite a few points you need to take care of and I suggest someone starts making decisions and getting things fixed, otherwise the problem will never get resolved correctly!
Cheers,
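The "serve internal and external clients from one server, but with care" approach Chris describes above is what BIND calls a split-horizon setup (views selected by `match-clients`). The following Python model is an added example, not code from the thread or from Firewall.cx: it shows the policy such a server must enforce, with constructed zone data, constructed client networks and an audit function that catches the common mistake of internal records leaking into the public view. All names, addresses and networks in it are made up for the example.

```python
"""Split-horizon DNS policy model (added example, not from the thread).

Models one DNS service answering both inside and outside clients while
serving different data to each: internal clients (HQ LAN plus the VPN
offices, all constructed ranges) see the private sub-domain and may
recurse; Internet clients see only public records and get no recursion.
"""
import ipaddress

# Constructed: address ranges treated as "inside" (HQ LAN and VPN offices).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12",
)]

# Constructed zone data. The public view carries only what the Internet
# must see; the internal view adds the private sub-domain corp.example.com
# and an inside address for the same public host name.
PUBLIC_VIEW = {
    "example.com.": "203.0.113.10",
    "www.example.com.": "203.0.113.10",
    "mail.example.com.": "203.0.113.25",
}
INTERNAL_VIEW = {
    **PUBLIC_VIEW,
    "www.example.com.": "10.0.1.10",           # same name, internal address
    "fileserver.corp.example.com.": "10.0.1.20",
    "dc1.corp.example.com.": "10.0.1.5",
}
OUR_ZONE = "example.com."
PRIVATE_SUFFIX = ".corp.example.com."


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the constructed inside ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def resolve(name: str, client_ip: str):
    """Answer a query as the split-horizon server would.

    Returns (rcode, answer) with rcode one of NOERROR, NXDOMAIN, REFUSED.
    The view is chosen from the client's source address, which is the
    whole point: the same name can have two truths.
    """
    name = name.lower()
    if not name.endswith("."):
        name += "."
    internal = is_internal(client_ip)
    view = INTERNAL_VIEW if internal else PUBLIC_VIEW

    if name in view:
        return "NOERROR", view[name]

    if name.endswith(OUR_ZONE):
        # Inside our zone but absent from this view. For an outside client
        # a private name simply does not exist, indistinguishable from any
        # other bogus name, so nothing about the inside is revealed.
        return "NXDOMAIN", None

    # Outside our zone: recursion is a service for inside clients only.
    # An open recursive resolver on the Internet invites cache-poisoning
    # and reflection abuse, so outsiders get REFUSED.
    if internal:
        return "NOERROR", "<recursive lookup>"
    return "REFUSED", None


def audit_public_view(view: dict) -> list:
    """Defender's check: names the public view must never contain.

    Flags private sub-domain names and any record whose answer points
    into an inside address range. Run this against whatever data the
    externally reachable view actually serves.
    """
    return [
        name for name, addr in view.items()
        if name.endswith(PRIVATE_SUFFIX) or is_internal(addr)
    ]


if __name__ == "__main__":
    for q, src in (("www.example.com", "10.0.5.7"),
                   ("www.example.com", "198.51.100.4"),
                   ("dc1.corp.example.com", "198.51.100.4"),
                   ("example.net", "198.51.100.4")):
        print(q, "from", src, "->", resolve(q, src))
    print("public view leaks:", audit_public_view(PUBLIC_VIEW))
```

The audit function is the piece worth keeping: the view logic itself is routine, but the failure mode in this thread (internal names and RFC 1918 answers visible to the Internet) is a data problem, and a check over the externally served records catches it before an outside query does.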