Question
A web server inside the office network is accessed by staff internally, and the internal DNS resolves web.company.com to the server's LAN IP.
Publicly, the company.com nameservers belong to a third-party hosting company where the main company website is hosted, and it does not have a web.company.com record.
Now, if web.company.com should also be accessible from outside, is it okay to expose our LAN IP in the A record so that only staff with VPN can access it, or should web.company.com resolve to the office network's external address and use the firewall to route to the LAN IP?
Explanation / Answer
Including private IPs in public DNS entries is not ideal because it provides a would-be attacker with:
- An indication of what your internal subnets are;
- Actual IP addresses for specific internal resource(s).
Neither is likely to result in a direct compromise, but either can assist with an attack or facilitate onward compromise.
Generally speaking, leaking information about your internal network and the resources hosted on it should be avoided.
From your question it seems the internal resources are only intended for VPN users, so it might be more appropriate to have an internal DNS which VPN users can access; this avoids any issues with including 'sensitive' information in public DNS records.
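One way to audit a public zone for the leak the answer describes, as an added example that is not part of the original answer: the script flags A/AAAA records whose address falls in an internal range. The function name, the range list and the sample zone (including every address and every host other than web.company.com) are constructed for illustration.

```python
import ipaddress

# Ranges not routable on the public Internet; publishing one in a public
# zone reveals internal addressing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 shared space
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]

# Constructed sample zone export ("name [ttl] [class] type rdata").
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for real public addresses.
SAMPLE_ZONE = """\
; constructed data, not a real zone
company.com.      3600 IN A    203.0.113.10
web.company.com.  3600 IN A    192.168.10.25
vpn.company.com.  3600 IN A    198.51.100.7
db.company.com.   3600 IN AAAA fd12:3456:789a::5
mail.company.com. 3600 IN MX   10 mail.example.net.
nas.company.com.  IN A 100.64.3.9
"""

def find_internal_records(zone_text):
    """Return (name, type, address, matching_network) for every A/AAAA
    record whose address falls inside an internal range."""
    findings = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # strip comments, tokenize
        # The type sits after the owner name and optional TTL/class.
        idx = next((i for i in range(1, min(4, len(fields)))
                    if fields[i].upper() in ("A", "AAAA")), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            addr = ipaddress.ip_address(fields[idx + 1])
        except ValueError:
            continue                             # malformed rdata, skip
        for net in INTERNAL_NETS:
            if addr in net:
                findings.append((fields[0], fields[idx].upper(), str(addr), str(net)))
                break
    return findings

if __name__ == "__main__":
    for name, rtype, addr, net in find_internal_records(SAMPLE_ZONE):
        print(f"{name} {rtype} {addr} is inside {net}")
```

The range list is explicit rather than relying on `ipaddress`'s `is_private`, which also reports the documentation ranges used here as private.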