We're building a new set of web servers to be located in a DMZ, but we want them to be able to use our internal mail server. The mail server has a CNAME of smtp.uk.ourdomain.com
- our existing servers have an entry for this in their hosts file. However, the actual mail server behind the smtp... CNAME may change periodically for maintenance, patching etc., and currently if we want the web servers to keep up with this we have to manually update the hosts file on each server.
Instead of a hosts file entry we want our new servers to be able to use DNS, so they only ever send traffic to the smtp CNAME and let DNS do the name resolution. However, we think there's a risk that if our web server gets pwned we're then exposing our internal network. What's the best way to set these servers up so they're secure but can resolve the names of the services we need from the internal network?
Traffic from internet to inside is less secure than traffic from DMZ to inside. You already have the world connecting to your internal SMTP server, so why not allow the DMZ the same?
Just set up firewall rules correctly, and you're good to go.
Your HTTP server must be able to route IP traffic to your internal servers, otherwise it wouldn't be able to use it for SMTP Relay service.
If there's no firewall between your HTTP server and your mail server, then anyone who has compromised your HTTP server has the ability to send all kinds of network traffic to your mail server anyway. If there is a firewall between your HTTP server and your internal network, then you simply need to configure that firewall so that it only has the right shapes of holes in it for DNS/TCP, for DNS/UDP, and for SMTP Relay.
Unless you configure your internal DNS server to have three-way "split horizon" DNS service, instead of two-way (external versus internal), then information about all of your internal network's domain names and IP addresses will be available to your WWW server, and hence to anyone who compromises it. So configure such three-way "split horizon" DNS service.
Of course, this all means that far from being demilitarized, your WWW server must be heavily militarized, to resist compromises. ☺
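The two pieces the answer above calls for, the firewall with only the DNS and SMTP holes and the three-way split-horizon DNS, as an added worked example that is not part of the original thread. It is a small POSIX shell script that renders an nftables forward ruleset for a Linux firewall sitting between the DMZ and the internal network, and a BIND `named.conf` views fragment with a separate DMZ horizon. Every address, subnet, zone file name and the `dmz_filter` table name is an assumption made up for the example; only `smtp.uk.ourdomain.com` comes from the question.

```shell
#!/bin/sh
# Added example, not from the original thread. Renders (does not apply)
# the firewall and DNS configuration described in the answer above.
# All addresses, subnets and file names below are assumptions.
set -eu

DMZ_NET="192.0.2.0/24"              # assumed DMZ subnet (web servers live here)
INTERNAL_NET="10.0.0.0/8"           # assumed internal address space
RESOLVERS="10.1.0.53, 10.1.0.54"    # assumed internal DNS servers (the BIND hosts)
MAIL_RELAY="10.2.0.25"              # assumed current address behind smtp.uk.ourdomain.com
ZONE="uk.ourdomain.com"

# (1) Firewall between DMZ and internal: default-deny in the forward chain,
# with exactly the holes the answer names: DNS/UDP, DNS/TCP and SMTP relay,
# each pinned to the specific internal hosts. Stateful matching lets replies
# back without opening anything from the internal side toward the DMZ.
render_firewall() {
    cat <<EOF
table inet dmz_filter {
    set dmz_web      { type ipv4_addr; flags interval; elements = { $DMZ_NET } }
    set int_resolver { type ipv4_addr; elements = { $RESOLVERS } }
    set int_mail     { type ipv4_addr; elements = { $MAIL_RELAY } }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # DNS over UDP and TCP (TCP is needed for truncated answers)
        ip saddr @dmz_web ip daddr @int_resolver udp dport 53 accept
        ip saddr @dmz_web ip daddr @int_resolver tcp dport 53 accept
        # SMTP relay, only to the mail server's current address
        ip saddr @dmz_web ip daddr @int_mail tcp dport 25 accept
        # Anything else from the DMZ into internal space is logged and dropped
        ip saddr @dmz_web ip daddr $INTERNAL_NET log prefix "dmz-to-int drop: " drop
    }
}
EOF
}

# (2) Three-way split horizon in BIND: three views matched by client address,
# each backed by its own zone file. The DMZ view's zone file holds only the
# records the DMZ needs (e.g. smtp.uk.ourdomain.com), so a compromised web
# server querying the internal resolver cannot enumerate the internal zone.
render_dns_views() {
    cat <<EOF
acl dmz      { $DMZ_NET; };
acl internal { $INTERNAL_NET; };

// Internal horizon: full zone data, recursion for internal clients.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "$ZONE" { type primary; file "db.$ZONE.internal"; };
};

// DMZ horizon: minimal zone file, no transfers, authoritative-only.
view "dmz" {
    match-clients { dmz; };
    recursion no;
    allow-transfer { none; };
    zone "$ZONE" { type primary; file "db.$ZONE.dmz"; };
};

// External horizon: public names only.
view "external" {
    match-clients { any; };
    recursion no;
    allow-transfer { none; };
    zone "$ZONE" { type primary; file "db.$ZONE.external"; };
};
EOF
}

# Usage: ./dmz-config.sh firewall | nft -f -      (on the firewall)
#        ./dmz-config.sh dns > /etc/bind/named.conf.views   (on the resolver)
case "${1:-}" in
    firewall) render_firewall ;;
    dns)      render_dns_views ;;
esac
```

Two caveats a practitioner will hit. First, moving to DNS does not by itself decouple the web servers from the mail server's address: the firewall rule still pins `int_mail` to one IP, so when the mail server behind the CNAME moves, the set must be updated as well as the A record (`nft add element inet dmz_filter int_mail { <new address> }` does that atomically without reloading the ruleset). Second, `recursion no` in the DMZ view means the web servers get answers only for the zones in that view; if they also need public names, set `recursion yes` there (the view still only loads `db.uk.ourdomain.com.dmz`, so the internal zone stays hidden), or point them at a separate resolver for public lookups. `type primary` is the BIND 9.16+ spelling; older versions use `type master`.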