External NS best practice? 1

[GotNoClue]

My boss is requesting that we host our own external name servers. Fine, all setup and secured, unnecessary services disabled, yadda yadda.

But now, he is asking that I have IIS running on the servers to display a simple park page for names we own but do not use. I suggested we use another server for this. He doesn't like that idea and doesn't think this will pose any risk.

I have always been under the belief that an external NS should be stripped of everything except DNS for security and performance reasons.

Can others share with me there thoughts on this? THANKS!!

 

[lhuegele]

If you MUST do this, I suggest you put it in the DMZ of your firewall for added security.

Good luck,

 

[lgarner]

The NS should be in a DMZ, anyway. I also wouldn't spend the money on Windows for a standard task.

All servers should be stripped of unneeded services. In this case, both DNS and IIS are needed, so there you are. I'm not aware of any risks that a properly-secured web server poses to a properly-secured DNS server.

 

[elgrandeperro]

That is one more server/software that you have to ensure is up to date and secure, for one splash/park page? If that is one static page, just stick it on (if you have one) your true webserver as a Virtual Host Vip, so that every call to that IP goes to the Virtual Host and displays the static park page, then map all your parked names to that IP and be done with it. That way, you have one less webserver to manage. That is what I would do.

egp