NAT and DNS

[Captain Blammo]

If I have a domain controller on a network using a 192.168.x.x addressing
scheme behind a single IP address with NAT, and forward port 53 to make the
DNS server available from the outside, is there any way that someone would
be able to get records out of it and figure out my internal IP addresses, as
long as they don't have any information other than the IP address of my NAT
router?

Regardless, are there any other issues that might be raised by making my DNS
server publicly accessible, or is it a fairly safe thing to do?

Thanks for any info.

CB

 

[Steven L Umbach]

Generally that is not recommended as you would be exposing port 53 UDP of
your domain controller to the world. If you domain controller is properly
hardened the risk may be minimal but someone could potentially try to launch
a denial of service attack against your domain controller to impact your
internal domain operation. Someone port scanning your IP would see that port
53 is open, could conceivably configure your dns server the be their
preferred dns server, and if they know or can guess your domain name then
use it to try to gain access for information about your internal network.
Tools such as nslookup can be used to attempt such. If you decide to do it,
be sure your dns server is configured NOT to allow zone transfers or only
allow zone transfers to specific IP addresses. --- Steve