DNS Architecture Setup Best Practices



  • Firstly I am a software dev so pardon my ignorance

    I want to set up my internal LAN (xxx.home or xxx.local) and also have an authoritative domain via dynamic DNS (www.mycompany.com) going to a DMZ or a NAT-forwarded solution.

    I will be having 2 external web services servicing about 500 clients as a POC.

    Are DMZs (2 firewalls filtering hardened exposed servers) still the standard for security, or should I just NAT forward with 1 firewall?

    I have pfSense in place and so far have been using Unbound for DNS & DHCP via 2 bridged cable modems.

    What are the best practices for setting up the internal LAN, i.e. using a Windows DNS like MaraDNS on a VM?

    Is setting up BIND for the authoritative domain on the pfSense box a best practice from a security and administration point of view?

    Or should this service be sitting on a separate box, and is BIND still the de facto standard?

    Also, realistically, would BIND on an Ubuntu distro, or BIND on Windows, for the external domain be a security risk?

    Thanks in advance,

    YipYip


  • LAYER 8 Global Moderator

    So you want to run your own authoritative NS to the public internet? Off your cable modem connections? To 1 box running BIND? That is really a BAD idea. If you want to use BIND to be your local NS for your local domain, sure.

    But for anything to do with the public, why not just let an outside service do that for you? Be it your registrar's DNS service, or a free one like Hurricane Electric, or a paid service like dnsmadeeasy. Hosting your own DNS to the public is just a bad, bad idea, especially if you're not familiar with DNS.

    As soon as you become familiar with how DNS works, you will understand that it is rare that it makes sense to host your own.



    Funny you should mention that. My company owns a couple of hundred domains (don't ask) and I've been serving their IPs for years locally. Only just this year did I convince management to move them to our registrar's DNS. 138 are already moved, 100 or so to go.



  • @johnpoz:

    So you want to run your own authoritative NS to the public internet? Off your cable modem connections? To 1 box running BIND? That is really a BAD idea. If you want to use BIND to be your local NS for your local domain, sure.

    But for anything to do with the public, why not just let an outside service do that for you? Be it your registrar's DNS service, or a free one like Hurricane Electric, or a paid service like dnsmadeeasy. Hosting your own DNS to the public is just a bad, bad idea, especially if you're not familiar with DNS.

    As soon as you become familiar with how DNS works, you will understand that it is rare that it makes sense to host your own.

    Thanks for that. I checked out dnsmadeeasy and I suddenly feel a lot better :D

    So that's the external domain taken care of.

    Are DMZs still the go?

    I need to expose 2 microservices/web services and I'm looking for best practices.


  • LAYER 8 Global Moderator

    Sure, you can put them in a segment that is firewalled from your normal segment. You can call that a DMZ if you want, but "firewalled segment" would be a better term. You then port forward the ports you need to be sent to these servers from the public internet.

    I have been dealing with DNS for many years, and it's really a hobby/passion of mine as well. Just such an amazing thing that someone on the other side of the planet can create a record and you can look it up instantly after he makes the entry, etc.

    From a cost/security point of view it just makes no sense to host your own to the public internet. Internally, sure!! But to the public - no thank you; let the guys that have networks designed just for that, and whose bread and butter is providing DNS, do it.

    I would love to hear a scenario where it makes sense to host your own.. Other than maybe some play domain; I, for example, host a domain of mine on a couple of VPSs - but it's my personal domain to play with and test stuff with and do DNSSEC, etc. It's not actually used by anyone in the public - and if it went offline it's not an issue to anyone other than me, if I wanted to test something when it was offline ;)

    But it does IPv6 and DNSSEC. And the VPSs they are on do support anycast, which I have not had time to play with yet. But serving up real production domains to the public.. Yeah, let someone else do it ;)



    Are DMZs still the go?

    I need to expose 2 microservices/web services and I'm looking for best practices.

    Simple port forwards might be best, depending on what you've got. If it's one server with multiple services then it's easy. If you have multiple servers all running different services off the same port, then you're going to have problems forwarding to the proper server. What is your specific scenario here? Also, this isn't really related to your original question, so it really should be spun off as its own thread.



  • @johnpoz:

    Sure, you can put them in a segment that is firewalled from your normal segment. You can call that a DMZ if you want, but "firewalled segment" would be a better term. You then port forward the ports you need to be sent to these servers from the public internet.

    I have been dealing with DNS for many years, and it's really a hobby/passion of mine as well. Just such an amazing thing that someone on the other side of the planet can create a record and you can look it up instantly after he makes the entry, etc.

    From a cost/security point of view it just makes no sense to host your own to the public internet. Internally, sure!! But to the public - no thank you; let the guys that have networks designed just for that, and whose bread and butter is providing DNS, do it.

    I would love to hear a scenario where it makes sense to host your own.. Other than maybe some play domain; I, for example, host a domain of mine on a couple of VPSs - but it's my personal domain to play with and test stuff with and do DNSSEC, etc. It's not actually used by anyone in the public - and if it went offline it's not an issue to anyone other than me, if I wanted to test something when it was offline ;)

    But it does IPv6 and DNSSEC. And the VPSs they are on do support anycast, which I have not had time to play with yet. But serving up real production domains to the public.. Yeah, let someone else do it ;)

    This is a POC setup and I'm finding the kinks in my platform.

    I find it a lot easier debugging problems locally than when it is sitting in the cloud, as you add another layer of complexity (is this an Azure/AWS problem or my problem?), and it will all be migrated to the cloud once I have ironed out the bugs.

    Thanks for that, as you just saved me a LOT of hassle. I totally agree with getting the pros to run the PROD side of things.



  • @KOM:

    Are DMZs still the go?

    I need to expose 2 microservices/web services and I'm looking for best practices.

    Simple port forwards might be best, depending on what you've got. If it's one server with multiple services then it's easy. If you have multiple servers all running different services off the same port, then you're going to have problems forwarding to the proper server. What is your specific scenario here? Also, this isn't really related to your original question, so it really should be spun off as its own thread.

    There will be 2 simple endpoints on different ports as the head of multiple systems that support the web/microservices.

    As you say, I will KISS and just run NAT PF for my POC and move it all off to the cloud once out of ALPHA/BETA.

    Thanks  ;)
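    A pf-level sketch of the layout johnpoz and KOM describe (a firewalled segment plus port forwards for two endpoints on different ports), as an added example that is not from this thread or from pfSense's own generated configuration. Interface names, subnets, host addresses and the two ports are assumed placeholders.

    ```pf
    # Added example: pf rule set for a firewalled "DMZ" segment hosting two
    # services, each forwarded on its own external port. Every name and
    # address here is an assumption for illustration.
    ext_if  = "em0"              # WAN, behind the cable modem
    lan_if  = "em1"              # normal internal segment
    dmz_if  = "em2"              # firewalled segment for exposed servers
    lan_net = "192.168.1.0/24"
    dmz_net = "192.168.2.0/24"
    svc_a   = "192.168.2.10"     # endpoint 1, listens on 8443
    svc_b   = "192.168.2.11"     # endpoint 2, listens on 9443

    set skip on lo0

    # Translation rules: only the two service ports are forwarded from the
    # WAN into the DMZ. "rdr pass" adds the NAT mapping and the matching
    # pass rule in one line; any other inbound port hits the default block.
    rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 8443 -> $svc_a port 8443
    rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 9443 -> $svc_b port 9443

    # Filter rules. pf is last-match unless "quick" is used, so the default
    # deny goes first and more specific rules follow.
    block all

    # What makes the segment a DMZ: exposed hosts can reach the internet
    # (updates, outbound API calls) but can never initiate into the LAN,
    # so a compromised endpoint does not become a pivot.
    block in quick on $dmz_if from $dmz_net to $lan_net
    pass  in on $dmz_if from $dmz_net to any

    # LAN may manage the DMZ hosts and browse out; state created here
    # (floating by default) also allows the reply traffic back in.
    pass  in on $lan_if from $lan_net to any
    pass out on $ext_if
    ```

    In pfSense the same result is built from the GUI: two entries under Firewall > NAT (each creating its pass rule on WAN) and a block rule on the DMZ interface with the LAN subnet as destination placed above the allow-any rule.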


  • LAYER 8 Global Moderator

    If all you're doing is a POC and you need some authoritative DNS for that, then sure, that would be one reason why you might host your own just for the POC. But once it goes to production, then no, I wouldn't suggest running your own DNS for public consumption.

