Hi Cliff,
In this example (which is how I have my test network set up right now), my
only concern is with the fact that our website (www.company.com) winds up
being the parent in the tree. Is this a security concern? I'm worried
about the fact that malevolent persons on the outside would already know the
name of our parent domain in this case and the next time a security hole is
discovered in Windows Server, they may exploit it.
You mention that there are many opinions on how to configure a namespace
and/or LAN... What do you recommend? I'm collecting opinions
(Sorry long post!)
Don't you mean that "company.com" becomes the root? A host is never
the root. The root is an AD Domain Name and a DNS Domain Name too. OK,
suppose you decide on using the same Domain name internally and
externally.
Internally, your Domain is called "mycompany.com". That's both the
Active Directory Domain Name and the internal DNS name. Unless you
have a very good reason you will only have one AD Domain, and it is
also the root Domain.
Externally, covering DMZ and all else, your DNS Domain Name is also
"mycompany.com". You host this DNS yourself or you get an ISP or
someone to host it for you. There is no external Active Directory
Domain, and it is totally separate from your internal DNS zone of the
same name.
The two DNS's do not talk to one another directly, so there are no
security implications. In fact the external DNS knows nothing of your
internal DNS, though your internal DNS knows of the external DNS.
To put it another way, while your internal DNS queries the outside
world, the outside world is unable to query your internal DNS. It
doesn't even know of its existence, so there are no security
implications.
If your web server, www.mycompany.com, is in the DMZ, it is not part of
your AD Domain at all. It is part of the external DNS Domain however.
This means that your people inside the network can't see it, unless
you manually add it to your internal DNS.
It doesn't matter which method you choose. So long as the internal DNS
is separate from the external DNS, there is no DNS-related security
problem.
With the same DNS Domain Name internally as externally (the so-called
"split brain" DNS), there is no way that someone who can read
your external DNS can even locate the internal DNS.
With an internal DNS domain that is a subdomain of your external DNS
then the only way that the external DNS would be able to locate your
internal DNS would be if the external DNS were purposely linked to the
internal DNS. E.g. to find mailserver.lan.mycompany.com, an entry for
lan.mycompany.com would need to be put into the external DNS to point
to the internal DNS for lan.mycompany.com to resolve the mailserver's
address. It wouldn't happen.
With a fake domain name, e.g. mycompany.lan, an attacker would need to
know that you used that domain name and how to get to your internal
DNS from outside. No way!
In any case, it is easy to prevent people finding out internal
information from your DNS. Just prevent incoming DNS request traffic
at the firewall. You can also hide all your internal addresses by
using Network Address Translation at the firewall too.
Which of the three plans you choose will be determined more by your
preferences, local company politics, pre-existing setups, stuff like
that, than by any technical recommendations, I feel. I've used all
three of them at some time or another.
Cheers,
Cliff
{MVP Directory Services}
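The "split brain" plan Cliff describes, as an added example that is not part of the original thread: one BIND 9 server serving two different copies of mycompany.com, an internal view for LAN clients and an external view for everyone else. The 10.0.0.0/8 internal range, the 203.0.113.x DMZ addresses, the file paths and the SOA values are constructed assumptions; in an AD shop the internal zone would normally live in Windows DNS on the domain controllers instead, and the external copy may just as well sit at an ISP.

```conf
// named.conf (fragment). Once views are used, every zone must sit inside a view;
// views are matched in order, so the internal view comes first.
acl "internal-nets" { 10.0.0.0/8; localhost; };

view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;                  // LAN clients may use this server to reach the outside world
    allow-transfer { none; };       // no zone transfers of internal data
    zone "mycompany.com" {
        type master;
        file "/etc/bind/zones/db.mycompany.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                   // outsiders get authoritative answers only, never recursion
    allow-transfer { none; };
    zone "mycompany.com" {
        type master;
        file "/etc/bind/zones/db.mycompany.com.external";
    };
};

; db.mycompany.com.internal (assumed contents): AD hosts plus the DMZ web server,
; which has to be added here by hand because the DMZ box is not in the AD domain.
$TTL 3600
@     IN SOA ns1.mycompany.com. hostmaster.mycompany.com. ( 2024010101 3600 900 604800 300 )
      IN NS  ns1.mycompany.com.
ns1   IN A   10.0.0.10
dc1   IN A   10.0.0.5
www   IN A   203.0.113.10      ; manual copy of the DMZ address so inside users can see the site

; db.mycompany.com.external (assumed contents): only DMZ hosts, nothing about the LAN.
$TTL 3600
@     IN SOA ns1.mycompany.com. hostmaster.mycompany.com. ( 2024010101 3600 900 604800 300 )
      IN NS  ns1.mycompany.com.
ns1   IN A   203.0.113.2
www   IN A   203.0.113.10
mail  IN A   203.0.113.20
```

A query for dc1.mycompany.com from outside the internal-nets ACL lands in the external view and returns NXDOMAIN, which is the property Cliff is relying on; the firewall rule that drops inbound port 53 to the internal server is still the belt to these braces.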