DMZ server - internal Lan DNS ?

Status
Not open for further replies.
Dec 16, 2005
Hi,

Should I allow the webserver access to the internal DNS server?

I have a webserver in a dmz. http and https are allowed into the server.

And port 700 is open between the webserver and the edi server.

The web server needs to know the name of the edi server.

Is it a security risk to open the DNS ports between the webserver and my DNS server on my LAN (my domain controller)?

Could someone who hacks into my webserver then look up my other server names?

The host file entry doesn't seem to be working.
 
The hosts file is the best way to do this. When you say it doesn't work, how do you know?

From the webserver, ping the edi server by name. Even though ping doesn't get any results, it should still show you the correct IP addy for the edi server. This would prove the hosts file is working.

Obviously, the webserver needs the name of the edi server in order to communicate with it. You will need to establish a "pinhole" from the DMZ to the edi server, based on the protocol and port required.
 
Thanks, it does work when pinging the name. I was doing an nslookup.

So you think it is a risk to open the DNS ports?

But isn't it a risk to list names in the host file?

 
It is a risk to open up an internet facing server to your internal LAN in any way, shape, or form. You must balance the risk against any perceived benefit.
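The ping-versus-nslookup difference in this thread comes from how names are resolved: ping and applications go through the operating system resolver, which consults the hosts file, while nslookup queries the DNS server directly and never reads the hosts file. The following is an added example, not code from any poster in the thread, that parses a hosts file and checks each entry through the OS resolver; the host name `edi-server` and the address `10.0.5.20` are constructed placeholders.

```python
import ipaddress
import socket

# Constructed sample hosts file; the name and address are placeholders.
SAMPLE_HOSTS = """\
# DMZ web server hosts file (constructed sample)
127.0.0.1      localhost
10.0.5.20      edi-server edi   # pinhole target, port 700
badline
"""


def parse_hosts(text):
    """Return {lowercased name: ip} from hosts-file text.

    Comments, blank lines and lines without a valid IP plus a name are skipped.
    """
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            # Keep the first entry for a name, as the OS lookup does.
            table.setdefault(name.lower(), ip)
    return table


def check_resolution(name, expected_ip, resolver=socket.getaddrinfo):
    """Resolve through the OS resolver (the path ping uses, not nslookup)."""
    try:
        answers = {info[4][0] for info in resolver(name, None)}
    except socket.gaierror:
        return "unresolved"
    return "ok" if expected_ip in answers else "mismatch"


if __name__ == "__main__":
    # On a real server, read the hosts file itself instead of SAMPLE_HOSTS.
    for name, ip in parse_hosts(SAMPLE_HOSTS).items():
        print(f"{name:12} {ip:12} {check_resolution(name, ip)}")
```

A result of `ok` for the edi server name confirms the hosts entry is in effect without opening DNS ports from the DMZ to the LAN.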

 