2 Replies Latest reply on Dec 2, 2016 10:34 PM by rschroeder

    External IP Blocks DNS Scan


      Sorry if this has already been covered or if is an outlandish request, but...


      Our CIO wants our several external blocks of a public network scanned and in IPAM.


      Is this possible in some way? My gut says no.


I added our 167.xx network IPs to IPAM, but of course it's only looking at Internal DNS; can I point an external DNS server at this block?



        • Re: External IP Blocks DNS Scan

I see this is not really possible; we can't add those external name servers to SolarWinds as Nodes.



            • Re: External IP Blocks DNS Scan

              Based on your criteria (find a way to scan external IP addresses you own/lease, resolve them to their DNS entries, and get that information available for the boss via IPAM), I've thought of a few things you can try.  But these literally only discover the addresses and get them into IPAM for your boss's pleasure.  These steps do NOT make them available via IPAM to outside entities:

              • If you have control of your firewall rules, you may be able to configure them to allow your internal tool to scan your external addresses and resolve their DNS entries from your inside network, if your hardware and security team and Change Management crew allow hairpinning.
              • If you have the Engineer's Toolset, you might find a handy tool in it that can be run from a laptop on the external network, which would capture your external DNS entries.  Then you could import that info into your SW products.
              • Your external DNS provider should be able to provide you with a complete list of entries, too, which can be imported into your internal solutions.
              • I bet your internal DNS team can provide you with the A Records and CNAMEs for all your external addresses, for your importing pleasures.
              • Last:  have you looked for external DNS resolution tools that are free on the Internet?  I'm not saying you'll find what you need, but it's worth a Google, isn't it?  If you can discover your addresses that way, you should be able to import them into IPAM.

              Remember:  these solutions get your external A Records, and possibly CNAMEs, into your IPAM manually.  They don't set up your environment to allow outsiders to access those names in your IPAM.


              Now, if you want outsiders to be able to access them in your IPAM, that's an issue for your security architect and your security team to discuss.  If you're using public addresses INSIDE your organization, AND you're also using the same address scheme OUTSIDE your firewall, you've probably got transparent firewalling in place, and that's not the best use of public addresses.  Nor is it automatically a safe choice to make.


              If your IPAM solution is on your internal corporate network, you shouldn't let outsiders into your internal network to discover addresses from your IPAM.  A safer design would either put your external DNS entries outside (on your firewall if it manages DNS like a Sidewinder can, or at a contracted DNS provider like Network Solutions), or at least in a locked-down DMZ that's dedicated solely for external DNS resolution, with rules allowing outside entities to access it.  Those entities that you allow to do zone transfers should be very few--probably only two.


              DNS is a popular target for hackers, and most organizations' networks live and die by DNS availability.  Don't sacrifice up time and security by implementing an insecure deployment of DNS for outsiders to access.  If you don't have the expertise, pay for an experienced contractor to set it up properly for you, and to teach your team how to manage it.
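One way to do what the replies describe for a block you own, walking the block, asking DNS for each address's PTR record and writing the result as a flat file you can import into IPAM, as an added example that is not code from this thread or from SolarWinds. The 198.51.100.8/29 block and its PTR answers are constructed sample data (TEST-NET-2 documentation space); the resolver is injectable, so the same function runs against live DNS with the system resolver when you pass no resolver.

```python
import csv
import io
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]


def ptr_name(ip: str) -> str:
    """Owner name of the PTR record for an address (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def resolve_ptr(ip: str) -> Optional[str]:
    """Live reverse lookup via the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def scan_block(cidr: str, resolver: Resolver = resolve_ptr) -> List[Dict[str, str]]:
    """Reverse-resolve every usable host in a CIDR block (network and broadcast skipped)."""
    rows = []
    for addr in ipaddress.ip_network(cidr, strict=False).hosts():
        name = resolver(str(addr))
        rows.append({"ip": str(addr), "ptr_record": ptr_name(str(addr)),
                     "hostname": name or "", "status": "used" if name else "available"})
    return rows


def to_ipam_csv(rows: List[Dict[str, str]]) -> str:
    """Serialize the scan as CSV with one row per address, ready for a bulk import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ip", "ptr_record", "hostname", "status"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample: a /29 you own and the PTR answers its authoritative DNS would give.
SAMPLE_BLOCK = "198.51.100.8/29"
SAMPLE_PTRS = {"198.51.100.9": "www.example.net", "198.51.100.10": "mail.example.net"}


def sample_scan() -> List[Dict[str, str]]:
    """Run the scan against the constructed answers instead of live DNS."""
    return scan_block(SAMPLE_BLOCK, resolver=lambda ip: SAMPLE_PTRS.get(ip))


if __name__ == "__main__":
    print(to_ipam_csv(sample_scan()))
```

Run from a host whose firewall rules permit the outbound PTR queries (the hairpinning point raised above); a block with no PTR answers comes back entirely "available", which is a resolver or rule problem to check before importing.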