Nslookup from the WAN to see all my DNS infrastructure


I have been a follower of your company for a year or so now. I think it is a great product (CIS) though I am not an expert in security stuff. But I love your products and these forums.

Well, I have a question not related to Comodo, and I think this is the right place to ask it:

Not long ago I read that anyone from the WAN could, with NSLookup, see all your DNS infrastructure even the “A, Cname…” .

I then read about Split-DNS, but I don’t want to publish any DNS Server on the internet.

I thought my network was secure this way:

Two DNS servers with Active Directory integrated, and then, on the WAN I have the name of my domain and some hosts: mydomain.com, www.mydomain.com, ftps.mydomain.com, mail.mydomain.com.
These hosts are placed at the company I bought my domain from, and all point to my Public IP.

I don’t quite understand why I have to have two DNS infrastructures in my domain so that no one from the outside (the WAN) can see my internal DNS hosts with nslookup.

Besides, I have a firewall with all the updates, a corporate antivirus, and I am even thinking of Snort to stop attacks on my infrastructure. (Should I remove the word “Snort”, the name of that product? Is no publicity allowed?)

Thanks a lot in advance.

No problem using names of other vendors here, that is what this board is for :wink:

It depends on your setup, normally if you decide to host your own DNS servers you have a few options.

  1. Run ‘Internet’ DNS servers which contain only information in their zone files that need to be known to the ‘Internet’.
  2. Run a DNS server with an External ‘View’ and an Internal ‘View’.

The first is the most secure, you only put names in there that need to be known on the internet, what isn’t in there can’t leak or can’t be enumerated.
You prevent the user/IP from being allowed to zone-transfer (e.g. download your complete DNS zone file info).
Even if they hack that box there is no info about your internal network in there.

The second is prone to security misconfiguration issues, and might leak data from the Internal view to an external Hacker.
An External View is a kind of ‘filter’ about what the Internet is allowed to ‘see’.

If a hacker gets his hands on your internal DNS zones he has a complete map of how your network is built and already knows where to look.
Even worse, he might be able to change the DNS responses to your clients and cause a Man in the Middle attack.
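As an added illustration (not part of Ronny’s post), this is what the two options look like in a BIND 9 named.conf: the two-view layout is written out in full, and option 1 is simply the “external” view run on its own on a DMZ box whose zone file holds nothing but the public names. The ACL addresses and zone file paths are placeholders.

```conf
// Added example, not from the thread: BIND 9 named.conf with an internal and an
// external view for example.com. Addresses and file names are placeholders.
// Option 1 (separate Internet-only server) is just the "external" view below,
// deployed alone on a DMZ host with a zone file that contains only public names.

acl "lan"         { 192.168.0.0/16; 127.0.0.1; };   // placeholder: your LAN ranges
acl "secondaries" { 203.0.113.53; };                // placeholder: your own secondary NS

options {
    version "not disclosed";        // do not advertise the BIND version
    allow-transfer { none; };       // global default: refuse AXFR unless a view allows it
};

// Views are evaluated in order and the first match-clients hit wins, so the
// narrow internal view must be listed first. Listing "external" first, or using
// an over-broad LAN ACL, would serve the full internal zone to the Internet:
// exactly the misconfiguration risk of the two-view approach.
view "internal" {
    match-clients { "lan"; };
    recursion yes;                                  // LAN PCs may use it as a resolver
    allow-transfer { "lan"; };
    zone "example.com" IN {
        type master;
        file "/etc/bind/db.example.com.internal";   // full map: AD SRV records, servers, printers...
    };
};

view "external" {
    match-clients { any; };
    recursion no;                                   // never a resolver for the Internet
    allow-transfer { "secondaries"; };              // AXFR only to your own secondary servers
    zone "example.com" IN {
        type master;
        file "/etc/bind/db.example.com.public";     // only www, ftps, mail and the MX records
    };
};
```

`named-checkconf` validates the syntax; to confirm the split works, a query for an internal-only name from outside the LAN should return NXDOMAIN and a zone transfer request from any address other than your secondaries should be refused.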

Hello and Thanks Ronny.

I don’t want to publish any DNS Server, so is my concern about a hacker from the WAN watching my “A” Records in the DNS zone exaggerated?

I have my 2 internal DNS Servers in my LAN, which are used for LAN client name resolution, and, at the place I bought my domain (example.com) I put three subdomains: www.example.com, ftps.example.com and mail.example.com, all pointing to the static Public IP of the company router.

Then, I think that my colleague was wrong when he told me to watch out for hackers seeing my “A” hosts, as long as I haven’t published any DNS in my DMZ, nor in my LAN. I have therefore blocked 53 TCP/UDP… Am I somewhat right?

What I am trying to figure out is why a System Administrator wanted to put Public DNS in a DMZ when you can always perform that task in your domain provider (I always do it that way).

  1. Is my concern exaggerated regarding a hacker watching my DNS hosts (A, CNAME) with my current DNS configuration?

  2. Why does someone want to publish DNS in a DMZ? What is the advantage? I’ll carry on reading about Split-DNS, for I am not capable of seeing the advantage of such a scenario.

Thanks a lot Ronny!

I think I’m not sure about what scenario you are afraid of.

You have to distinguish 2 different types of DNS.
DNS resolvers used by PCs etc. to resolve www.comodo.com etc.
DNS Authoritative servers (the server that is allowed to give an answer on your A record for www.yourdomain.com).

If you decide to host DNS servers for your own domain, e.g. give internet users an answer to the question “what is the IP for www.yourdomain.com”,
then normally one would host those DNS servers in a DMZ.

DNS queries to a forwarder/resolver are mostly forwarded from within a company to the DNS servers of the provider.
These DNS queries are for resolving www.comodo.com etc. I’m not sure how a hacker from the WAN side should ‘watch’ them.
Other than if he hacked the provider and is listening in on traffic between your network and the provider’s DNS server, of course.

Hello Ronny,

First of all: Thanks for your help.

The answer is just perfect.

My concern is that a colleague of mine told me: Look out for your DNS Infrastructure because a “bad guy” on the WAN can see, through NSLookup, your A Records, your MX Records, SRV, all your DNS Infrastructure from the WAN, to enable him to attack you afterwards.

I immediately thought: I think that is not correct because I don’t have my public records on my DNS, but at my Domain provider. Actually, I don’t know why anybody wants to place the public records on their own servers, because that will force you to open TCP/UDP 53, and I don’t see the need for that.

Was he correct in his thoughts?

P.S.: Your answer is so enlightening that I am 99% sure that the hacker couldn’t see my records from the WAN, only those published at my domain provider. You put it perfectly in your words, I just wanted to feel reassured.

One of my two main questions remains, however, unsolved (I can’t make sense of this): Why would a company want to host their public records? There must be reasons, because I looked on the internet for “Split-DNS” and many articles appeared.

Thanks a lot again Ronny!

Mostly driven by IT handling all and everything, or by a policy to have those critical services under their own control/internal.
I wouldn’t split my DNS; I’d run separate servers for Internet zones. More secure, a bit more work though (duplicate management/extra servers/software to patch etc.).

Thanks for the reply!

But Ronny, what is the use of all of this? I mean: having my public DNS records on my own DNS, when I can have them at my domain provider? That is my key question, I can hardly make sense of that, truly.

For me it is very handy (and secure):

1. My own DNS in my LAN (192.168…) with my A, CNAME, MX, SRV… Records
2. The External A Records (www.mydomain.com, ftps.mydomain.com, mail.mydomain.com) at my DNS Provider, pointing to my Public IP.

That’s how I have it. My real point is: Is there any danger in such a deployment? At least, I don’t see it (the dangers).

Well, there are companies (mostly enterprise) that keep all things ‘in-house’.
Or don’t use an external provider, and house everything in-house, DNS, webservers etc…

Thanks Ronny, now it is all perfectly clear, I thought it was a common scenario.

I appreciate a lot all your help indeed!

You’re welcome.