Cisco Support Community
New Member

Multiple DMZ's and DNS Servers

We recently went from a single-port PIX to a multiple-port and DMZ setup. I am trying to figure out the best way, from a topology standpoint, to place DNS servers within this design. Would one place a DNS server in each zone and perform zone transfers, or would a single DNS server located in one DMZ work? A concern I have with the single DNS server would be extra latency and processing on the PIX.

Thanks,

Brian

6 REPLIES
Silver

Re: Multiple DMZ's and DNS Servers

Hi,

Best is to have two separate DNS servers: one publicly accessible (in the DMZ) and the other for your private network (inside). Zone transfers should not be done between the two if one is for public addresses and one for private addresses.

You can also have only one DNS server in the DMZ, or one in the DMZ and one inside, doing zone transfers.

But you need to tell us who these DNS servers will be serving.

Thanks

Nadeem

New Member

Re: Multiple DMZ's and DNS Servers

Nadeem,

We are actually running a total of four DMZs; the design is modeled after the SAFE design. One DMZ is configured for web servers etc. (public access), another for application/database servers, the third is an old legacy DMZ that provides a separate campus network that we attach workstations to for internet access, and the fourth is the campus connection.

So from what I gathered from your response and the other individuals, it would be best to treat each DMZ as a separate network with its own associated DNS server. This would provide the best security and scalability.

Thanks,

Brian

New Member

Re: Multiple DMZ's and DNS Servers

We are actually running a total of four DMZs; the design is modeled after the SAFE design. One DMZ is configured for web servers etc. (public access), another for application/database servers, the third is an old legacy DMZ that provides a separate campus network that we attach workstations to for internet access, and the fourth is the campus connection.

So from what I gathered from your response and the other individuals, it would be best to treat each DMZ as a separate network with its own associated DNS server. This would provide the best security and scalability.

What is the best way to provide DNS information across zones?

Thanks,

Brian

Silver

Re: Multiple DMZ's and DNS Servers

Hi,

It does not matter how many DMZs you have; basically your DNS servers should be separated into two parts:

1- serving private IPs for your internal network

2- serving public IPs for the internal+external network.

Thanks
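The two-part split Nadeem describes, written out as BIND 9 named.conf fragments for the two servers. This is an added example, not configuration from the thread or from Cisco; the zone name example.com, the inside network 10.0.0.0/8 and the file names are assumptions.

```conf
// ---- /etc/named.conf on the DMZ (public) server ----
// Authoritative for the public view of the zone only; never a resolver for outsiders.
options {
    directory "/var/named";
    recursion no;                  // answers only for zones it hosts (no open resolver)
    allow-query { any; };          // the public zone is meant to be read by anyone
    allow-transfer { none; };      // no zone transfers out; add a public secondary here if one exists
};
zone "example.com" {
    type master;
    file "example.com.public";     // public addresses only; no inside hosts listed
};

// ---- /etc/named.conf on the inside (private) server ----
// Authoritative for the private view of the zone and resolver for inside clients only.
// The firewall must permit this server's outbound DNS (UDP/TCP 53) for recursion to work.
acl "inside-nets" { 10.0.0.0/8; 127.0.0.1; };   // assumed inside address space
options {
    directory "/var/named";
    recursion yes;
    allow-query { "inside-nets"; };      // only inside clients may ask
    allow-recursion { "inside-nets"; };  // and only they may use it as a resolver
    allow-transfer { none; };            // the private zone never leaves this server
};
zone "example.com" {
    type master;
    file "example.com.private";    // RFC 1918 addresses for inside-only hosts
};
```

Because each server loads its own zone file, no zone transfer is needed or allowed between them; inside clients get private answers for example.com and recursed answers for everything else, while the DMZ server only hands out the public records.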

New Member

Re: Multiple DMZ's and DNS Servers

Hello,

Thank you, that is what I thought. Now I have to convince the executive group. That is a little more complicated than the technology itself, sorta the layer 8 in the OSI model.

New Member

Re: Multiple DMZ's and DNS Servers

Nadeem is exactly correct. Also, there will not be any latency/impact on your PIX.

282 Views, 0 Helpful, 6 Replies