Netgate Discussion Forum
    DNS Architecture Setup Best Practices

    DHCP and DNS
    YipYip

      Firstly, I am a software dev, so pardon my ignorance.

      I am wanting to set up my internal LAN (xxx.home or xxx.local) and also have an authoritative domain via dynamic DNS, www.mycompany.com, going to a DMZ or a NAT-forwarded solution.

      I will be having 2 external web services servicing about 500 clients as a POC.

      Are DMZs (2 firewalls filtering hardened servers exposed) still the standard for security, or should I just NAT forward with 1 firewall?

      I have pfSense in place and so far have been using Unbound for DNS & DHCP via 2 bridged cable modems.

      What are the best practices for setting up the internal LAN, i.e. using a Windows DNS like MaraDNS on a VM?

      Is setting up BIND for the authoritative domain on the pfSense box a best practice from a security and administration point of view?

      Or should this service be sitting on a separate box, and is BIND still the de facto standard?

      Also, realistically, BIND on an Ubuntu distro, as BIND on Windows for the external domain would be a security risk?

      Thanks in Advance

      YipYip

      johnpoz LAYER 8 Global Moderator

        So you want to run your own authoritative NS to the public internet? Off your cable modem connections? To 1 box running BIND? That is really a BAD idea. If you want to use BIND to be your local NS for your local domain, sure.

        But for anything to do with the public, why not just let an outside service do that for you? Be it your registrar's DNS service, a free one like Hurricane Electric, or a paid service like DNS Made Easy. Hosting your own DNS to the public is just a bad, bad idea, especially if you're not familiar with DNS.

        As soon as you become familiar with how DNS works, you will understand that it is rare that it makes sense to host your own.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        KOM
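The split johnpoz recommends, internal names answered locally while the public domain is left to the registrar or an outside provider, looks like this in plain unbound.conf syntax. This is an added example, not configuration from the thread or from pfSense (which generates its own Unbound config from the GUI; these lines would go under custom options); the zone name home.example, the host names and the 192.168.10.0/24 addresses are constructed.

```conf
server:
    # Listen only on the LAN address and answer only LAN clients (constructed subnet),
    # so the resolver can never be reached as an open resolver from the Internet.
    interface: 192.168.10.1
    access-control: 192.168.10.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Internal zone served from local data only. "home.example" is a constructed name;
    # ".local" is avoided because multicast DNS (RFC 6762) reserves it.
    # "static" means names not listed here get NXDOMAIN instead of being sent upstream.
    local-zone: "home.example." static
    local-data: "gw.home.example.    IN A 192.168.10.1"
    local-data: "files.home.example. IN A 192.168.10.20"
    local-data-ptr: "192.168.10.20 files.home.example."

    # DNS rebinding protection: strip RFC 1918 addresses from upstream answers,
    # but permit them inside our own internal zone.
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-domain: "home.example."

    # Deliberately nothing for mycompany.com: Unbound recurses from the root and
    # follows the delegation to the registrar's or DNS provider's authoritative
    # servers, so the public zone is never served from this box.
```

The point of the `static` zone plus the `access-control` lines is that the only authoritative data this box holds is for names nobody outside the LAN can query; the public zone stays with a provider built to serve it, which is exactly the division of labour the reply above argues for.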

          Funny you should mention that. My company owns a couple of hundred domains (don't ask) and I've been serving their IPs for years locally. Only just this year did I convince management to move them to our registrar's DNS. 138 are already moved, 100 or so to go.

          YipYip

            @johnpoz:

            Thanks for that. I checked out DNS Made Easy and I suddenly feel a lot better :D

            So that's the external domain taken care of.

            Are DMZs still the go?

            I need to expose 2 microservices/web services and am looking for best practices.

            johnpoz LAYER 8 Global Moderator

              Sure, you can put them in a segment that is firewalled from your normal segment. You can call that a DMZ if you want, but "firewalled segment" would be a better term. You then port forward the ports you need to be sent to these servers from the public internet.

              I have been dealing with DNS for many years, and it's really a hobby/passion of mine as well. Just such an amazing thing that someone on the other side of the planet can create a record and you can look it up instantly after he makes the entry, etc.

              From a cost/security point of view it just makes no sense to host your own to the public internet. Internally, sure!! But to the public, no thank you; let the guys that have networks designed just for that, and all they do for their bread and butter is provide DNS, etc.

              I would love to hear a scenario where it makes sense to host your own. Other than maybe some play domain: I, for example, host a domain of mine on a couple of VPSs, but it's my personal domain to play with and test stuff with and do DNSSEC, etc. It's not actually used by anyone in the public, and if it went offline it's not an issue to anyone other than me if I wanted to test something when it was offline ;)

              But it does IPv6 and DNSSEC. And the VPSs they are on do support anycast, which I have not had time to play with yet. But serving up real production domains to the public... Yeah, let someone else do it ;)

              KOM


                Simple port-forwards might be best depending on what you've got. If it's one server with multiple services then it's easy. If you have multiple servers all running different services off the same port, then you're going to have problems forwarding to the proper server. What is your specific scenario here? Also, this isn't really related to your original question and so it really should be spun off as its own thread.

                YipYip

                  @johnpoz:

                  This is a POC setup, and I am finding the kinks in my platform.

                  I find it a lot easier debugging problems locally than when it's sitting in the cloud, as you add another layer of complexity (is this an Azure/AWS problem or my problem?), and it will all be migrated to the cloud once I have ironed out the bugs.

                  Thanks for that, as you just saved me a LOT of hassle. I totally agree in getting the pros to run the PROD side of things.

                  YipYip

                    @KOM:

                    There will be 2 simple endpoints on different ports as the head of multiple systems that support the web/microservices.

                    As you say, I will KISS and just run NAT PF for my POC and move it all off to the cloud once out of ALPHA/BETA.

                    Thanks ;)

                    johnpoz LAYER 8 Global Moderator
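The layout the thread converges on, a firewalled segment as johnpoz describes it, with only the two service ports forwarded, each to its own host on a distinct port so KOM's same-port collision never arises, expressed as a pf ruleset. This is an added example, not from the thread and not pfSense's own generated rules (pfSense builds pf rules from its GUI; the equivalent there is a DMZ interface, two port-forward entries and a block rule from the DMZ net to the LAN net). Interface names, the RFC 1918 subnets, the host addresses and the ports 8443/9443 are all constructed.

```conf
# Options section: skip filtering on loopback.
set skip on lo0

# Interfaces and addresses (constructed for this example).
ext_if  = "igb0"               # WAN, dynamic address from the cable modem
lan_if  = "igb1"               # internal LAN
dmz_if  = "igb2"               # firewalled segment for the exposed services
lan_net = "192.168.10.0/24"
dmz_net = "192.168.20.0/24"
svc_a   = "192.168.20.10"      # first web/microservice endpoint
svc_b   = "192.168.20.11"      # second endpoint
svc_a_port = "8443"
svc_b_port = "9443"

# Translation rules (must precede filter rules in this pf syntax).
# Outbound NAT for both internal segments behind the dynamic WAN address.
nat on $ext_if inet from { $lan_net, $dmz_net } to any -> ($ext_if)

# Port forwards: only these two ports are reachable from the Internet, and each
# maps to exactly one host, so two servers never compete for the same port.
# "rdr pass" forwards and passes the packet without further filter evaluation.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port $svc_a_port -> $svc_a port $svc_a_port
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port $svc_b_port -> $svc_b port $svc_b_port

# Filter rules. Default deny, logged, so anything unexpected shows up in pflog.
block log all

# LAN may reach anything, including managing the hosts in the firewalled segment.
pass in quick on $lan_if inet from $lan_net to any

# The firewalled segment may not initiate connections into the LAN; this single
# rule is what makes it a DMZ rather than just another port forward. It may still
# reach the Internet (updates, outbound API calls). Replies to the forwarded
# sessions are matched by state and never consult these rules.
block in quick log on $dmz_if inet from $dmz_net to $lan_net
pass  in quick on $dmz_if inet from $dmz_net to any

# Let stateful replies and the firewall's own traffic leave on any interface.
pass out quick all
```

After loading, `pfctl -sn` lists the translation (nat/rdr) rules and `pfctl -sr` the filter rules; the check worth doing is that the DMZ-to-LAN block appears before the DMZ pass and that no rdr exists for any port other than the two service ports. If a third service later needs the same port as an existing one, the options are a different external port in the rdr or a reverse proxy on one host, exactly the problem KOM points out.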

                      If all you're doing is a POC and you need some authoritative DNS for that, then sure, that would be one reason why you might host your own, just for the POC. But once it goes to production, then no, I wouldn't suggest running your own DNS for public consumption.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.