http://www.ISAserver.org
-------------------------------------------------------
what do you mean by a read only dc? i thought we had to wait for longhorn to
do that?
Greg
----- Original Message ----- From: "Jim Harrison" <Jim@xxxxxxxxxxxx> To: <isalist@xxxxxxxxxxxxx> Sent: Wednesday, October 25, 2006 1:26 AM Subject: [isalist] Re: OT: DNS and Forwarders
http://www.ISAserver.org ------------------------------------------------------- You might consider deploying a "read-only" DC in the branch. This reduces the WAN traffic for logon and AD replication. Logon traffic across the WAN is a nasty thing to handle and troubleshoot. ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! -------------------------------------------------------
-----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak Sent: Tuesday, October 24, 2006 07:33 To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: OT: DNS and Forwarders http://www.ISAserver.org ------------------------------------------------------- The plan it to move the DC's out of the brand offices altogether. Conditional forwarding. That might be what I'm looking for. Thanks, Amy -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: Tuesday, October 24, 2006 10:23 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: OT: DNS and Forwarders http://www.ISAserver.org ------------------------------------------------------- Hi Amy, If the internal users need to access main office resources using DNS, then I think it would be a good idea to move the Internet host name resolution away from the branch office DCs. You can do this by putting a caching only DNS server on the ISA Firewall themselves (or on another machine) and then creating a stub zone or configure conditional forwarding on those DNS servers so that they send requests for the Internal domain(s) to the DCs. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA)
-----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak Sent: Tuesday, October 24, 2006 9:12 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: OT: DNS and Forwarders
http://www.ISAserver.org -------------------------------------------------------
At the branch offices their DNS use is more Internet than contacting internal hosts. There are a lot of DC's in the network currently so there's a lot of chatter going on. This would be a temporary move until I can get rid of some of the DC's. They really aren't necessary.
Amy
-----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God) Sent: Tuesday, October 24, 2006 9:52 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: OT: DNS and Forwarders
http://www.ISAserver.org -------------------------------------------------------
I don't have any cache-only DNS servers in my infrastructure, but my ISP does (in addition to the "standard" redundant servers) so I use those for my DMZ DNS server's lookups...
How will making the branch servers cache only cut down on DNS traffic? What's the difference between the cache only server fetching the record compared to the AD update? Or are there that many hosts that no one is ever trying to reach that it will make a difference?
t
On 10/23/06 6:26 PM, "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> spoketh to all:
> http://www.ISAserver.org > ------------------------------------------------------- > > Thor, > > Do you put any cache only servers in the mix? I've got a network where > there are DC's running DNS at branch offices and I'm thinking of making > those only cache servers to reduce some network traffic. > > Amy > > > > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Thor (Hammer of God) > Sent: Wednesday, October 18, 2006 11:50 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: OT: DNS and Forwarders > > http://www.ISAserver.org > ------------------------------------------------------- > > I've found that many people seem to dance over the security > ramifications of DNS/forwarders when designing an infrastructure. I > had some off-list > conversations about this, and thought that it may be valuable to fully > flesh-out what I think the issues are and how to avoid them. Now's also > probably a good time to share my "trick" regarding publicly available > DNS > and minimizing service exposure. So, for the benefit of those who are > interested: > > When AD DNS is configured as a forwarder, all domain members using that > DNS > server will be able to resolve hostnames directly from their IP stack. > There is no operational reason to have this-- when one considers that > most > spyware/malware/trojans/backdoors/shells/etc typically depend on > hostname lookups for direct access to a resource, the capability of > a client box > to > perform direct host lookups outside your network should (to me) be > considered unwanted and un-needed. Personally, I qualify it as > "dangerous." > > That's why I always configure my AD DNS with a root (.) zone- that way, > only > local zones may be queried by the client's stack. I typically only use > web > proxy clients for HTTP(S)/FTP where all DNS is proxied by the ISA box. > If > one needs direct DNS for another application (say DOS FTP) then use the > FWC > and all DNS will be resolved over the control channel, still being > proxied by the ISA server. > > The ISA server itself will have whatever "public" DNS server configured > in > its stack so that it can do the resolution for the clients. > > Not only is direct client DNS "dangerous," but having an AD box set up > as a > forwarder is "dangerous" as well as the box must be configured to access > a > remote resource over TCP/UDP 53. This also means that you've opened > that box up for incoming traffic on TCP/UDP 53 as well. Having > static paths > into > your internal network from source port routing is crazy. I can push > anything I want over 53, not just DNS (and have ;). Remember, the DNS > filter is only for published DNS servers, not clients requesting DNS > lookups. > > But there is the issue of one wanting complete control over host names > and > the need to publish your own DNS. This is what the DMZ is for. The DMZ > box > is set as a forwarding server, and the internal ISA box is set to use > that > box for all DNS requests. In this way, only the ISA box itself need to > request DNS outside the internal network, and it is already protected. > In > this manner, there is no DNS leaving the internal network at all, and no > static ports into the internal network-- only the ISA box looking up > DNS, and only to that DMZ resource. The DNS server in the DMZ is protected > by > the border ISA box, which (where necessary) is publishing DNS to the DMZ > for > remote hosts to look up your domain information. And here the DNS > filter is used. > > But you can get even better than that-- you can actually be fully in > control of your own zone data without having to actually publish > your DNS to the > world if you have a decent ISP. > > Here's what I do for that-- I have DMZ DNS servers set up as primary DNS > zones, and have told my ISP to set up their servers as secondary zones > for > my domains. The DMZ box can only zone transfer to the IP's of my ISP's > DNS > servers. Additionally the DMZ box is set to forward to my ISP's cache > servers. So, at this point, all internal AD DNS is stopped at the > controller, and only the ISA box can resolve DNS and only to the DMZ DNS > server. My internal Exchange clusters' stack resolves to the AD > controller, and they smart host deliver mail to my DMZ GFI gateway, > so still no DNS > leaving. The GFI box in the DMZ uses the DMZ DNS. > > The trick is that though I'm primary DNS, and though any changes I make > to > my DNS hosts are immediately replicated to my ISP as secondary DNS, I've > registered my DNS with the domain registry as my *ISP* being primary. > So > the world resolves my host names via my *ISP's* DNS servers, not *mine*. > I > don't even have to publish DNS at all. > > The end result is that no DNS requests leave my internal network at all, > except for a single DNS box in the DMZ that can only resolve to the ISP > DNS > caches. There is no publishing at all, no internal paths, no vulns, > nothing at all since the world resolves to the ISP boxes yet I have > full control > over all host name entries. > > It's a pretty tight config. > > t > > > > On 10/18/06 11:01 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh > to > all: > >> http://www.ISAserver.org >> ------------------------------------------------------- >> >> The T-Man is definitely right about this. >> >> Thomas W Shinder, M.D. >> Site: www.isaserver.org >> Blog: http://blogs.isaserver.org/shinder/ >> Book: http://tinyurl.com/3xqb7 >> MVP -- Microsoft Firewalls (ISA) >> >> >> >>> -----Original Message----- >>> From: isalist-bounce@xxxxxxxxxxxxx >>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of >>> God) >>> Sent: Wednesday, October 18, 2006 12:52 PM >>> To: isalist@xxxxxxxxxxxxx >>> Subject: [isalist] Re: OT: DNS and Forwarders >>> >>> http://www.ISAserver.org >>> ------------------------------------------------------- >>> >>> Why do your internal clients need to resolve DNS directly? I >>> never ever use forwarders on my AD boxes. I always create root >>> zones on my AD DNS servers and only use ISA to resolve DNS for web >>> proxy/fw clients. >>> >>> That's where what I consider "true" security and separation comes >>> from. >>> >>> t >>> >>> >>> On 10/18/06 9:13 AM, "ISA" <ISA@xxxxxxxxxxxxxxxx> spoketh to all: >>> >>>> http://www.ISAserver.org >>>> ------------------------------------------------------- >>>> >>>> >>>> This actually has happened with and without forwarders - >>>> >>>> Steve, I interpret your suggestion as using only the Root Hints? >>>> >>>> >>>> >>>> Joseph Danielsen, MCSA-Messaging, MCP >>>> >>>> Network Blade Inc. >>>> >>>> 49 Marcy Street >>>> >>>> Somerset, NJ 08873 >>>> >>>> 732-213-0600 >>>> >>>> www.networkblade.com >>>> >>>> >>>> >>>> >>>> >>>> >>>> -----Original Message----- >>>> From: isalist-bounce@xxxxxxxxxxxxx >>> [mailto:isalist-bounce@xxxxxxxxxxxxx] >>>> On Behalf Of Steve Moffat >>>> Posted At: Wednesday, October 18, 2006 12:08 PM Posted To: ISA >>>> Conversation: [isalist] Re: OT: DNS and Forwarders >>>> Subject: [isalist] Re: OT: DNS and Forwarders >>>> >>>> http://www.ISAserver.org >>>> ------------------------------------------------------- >>>> >>>> FWIW.....I have 2 caching only DNS Servers that I setup to use as >>>> forwarders for my AD DNS Servers, when I use them, I get >>> the very same >>>> issue. If I however, remove them from the forwarders >>> section, I have no >>>> DNS Issues at all whatsoever, anytime. >>>> >>>> S >>>> >>>> -----Original Message----- >>>> From: isalist-bounce@xxxxxxxxxxxxx >>> [mailto:isalist-bounce@xxxxxxxxxxxxx] >>>> On Behalf Of ISA >>>> Sent: Wednesday, October 18, 2006 1:03 PM >>>> To: ISA Mailing List >>>> Subject: [isalist] Re: OT: DNS and Forwarders >>>> >>>> http://www.ISAserver.org >>>> ------------------------------------------------------- >>>> >>>> Thanks Mike: >>>> >>>> I will try clearing the cache - but this happens now about everyday >>>> (morning usually). I really have to find the source of the problem. >>>> >>>> >>>> >>>> Joseph Danielsen, MCSA-Messaging, MCP >>>> >>>> Network Blade Inc. >>>> >>>> 49 Marcy Street >>>> >>>> Somerset, NJ 08873 >>>> >>>> 732-213-0600 >>>> >>>> www.networkblade.com >>>> >>>> >>>> >>>> >>>> >>>> >>>> -----Original Message----- >>>> From: isalist-bounce@xxxxxxxxxxxxx >>> [mailto:isalist-bounce@xxxxxxxxxxxxx] >>>> On Behalf Of Michael Ross >>>> Posted At: Wednesday, October 18, 2006 12:01 PM Posted To: ISA >>>> Conversation: [isalist] OT: DNS and Forwarders >>>> Subject: [isalist] Re: OT: DNS and Forwarders >>>> >>>> http://www.ISAserver.org >>>> ------------------------------------------------------- >>>> >>>> Windows 2003 DNS servers? >>>> Believe it or not, ive seen that . It's a cache pollution type of >>>> behavior, with no logging or other signs to prove that. >>>> Try to clear the DNS cache next time and see if it helps. >>>> >>>> -----Original Message----- >>>> From: isalist-bounce@xxxxxxxxxxxxx >>> [mailto:isalist-bounce@xxxxxxxxxxxxx] >>>> On Behalf Of ISA >>>> Sent: Wednesday, October 18, 2006 10:59 AM >>>> To: isalist@xxxxxxxxxxxxx >>>> Subject: [isalist] OT: DNS and Forwarders >>>> >>>> http://www.ISAserver.org >>>> ------------------------------------------------------- >>>> >>>> Steve: Funny you should say that because I've done that a few times. >>>> >>>> DNS stops - I removed the forwards - Restart DNS - DNS works. >>>> DNS stops - I change the forwards - Restart DNS - DNS works. >>>> >>>> I want to blame my server but I'm just not sure where the >>> failure is. >>>> >>>> >>>> >>>> Joseph Danielsen, MCSA-Messaging, MCP >>>> >>>> Network Blade Inc. >>>> >>>> 49 Marcy Street >>>> >>>> Somerset, NJ 08873 >>>> >>>> 732-213-0600 >>>> >>>> www.networkblade.com >>>> >>>> >>>> >>>> >>>> >>>> >>>> -----Original Message----- >>>> From: isalist-bounce@xxxxxxxxxxxxx >>> [mailto:isalist-bounce@xxxxxxxxxxxxx] >>>> On Behalf Of Steve Moffat >>>> Posted At: Wednesday, October 18, 2006 11:55 AM Posted To: ISA >>>> Conversation: [isalist] OT: DNS and Forwarders >>>> Subject: [isalist] Re: OT: DNS and Forwarders >>>> >>>> http://www.ISAserver.org >>>> ------------------------------------------------------- >>>> >>>> Remove the forwarders.....then see how fast your Internet speed >>>> gets...:) >>>> >>>> S >>>> >>>> -----Original Message----- >>>> From: isalist-bounce@xxxxxxxxxxxxx >>> [mailto:isalist-bounce@xxxxxxxxxxxxx] >>>> On Behalf Of ISA >>>> Sent: Wednesday, October 18, 2006 12:49 PM >>>> To: ISA Mailing List >>>> Subject: [isalist] OT: DNS and Forwarders >>>> >>>> http://www.ISAserver.org >>>> ------------------------------------------------------- >>>> >>>> Hello All - >>>> >>>> This might be off-topic, but has anyone every had their >>> Windows DNS/DC >>>> server intermittently stop forwarding DNS requests? >>>> >>>> I checked with the ISP and they don't recognize and >>> problems on their >>>> end. >>>> >>>> JD >>>> ------------------------------------------------------ >>>> List Archives: //www.freelists.org/archives/isalist/ >>>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp >>>> ISA Server Articles and Tutorials: >>>> http://www.isaserver.org/articles_tutorials/ >>>> ISA Server Blogs: http://blogs.isaserver.org/ >>>> ------------------------------------------------------ >>>> Visit TechGenix.com for more information about our other sites: >>>> http://www.techgenix.com >>>> ------------------------------------------------------ >>>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp >>>> Report abuse to listadmin@xxxxxxxxxxxxx >>>> >>>> ------------------------------------------------------ >>>> List Archives: //www.freelists.org/archives/isalist/ >>>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp >>>> ISA Server Articles and Tutorials: >>>> http://www.isaserver.org/articles_tutorials/ >>>> ISA Server Blogs: http://blogs.isaserver.org/ >>>> ------------------------------------------------------ >>>> Visit TechGenix.com for more information about our other sites: >>>> http://www.techgenix.com >>>> ------------------------------------------------------ >>>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp >>>> Report abuse to listadmin@xxxxxxxxxxxxx >>>> >>>> ------------------------------------------------------ >>>> List Archives: //www.freelists.org/archives/isalist/ >>>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp >>>> ISA Server Articles and Tutorials: >>>> http://www.isaserver.org/articles_tutorials/ >>>> ISA Server Blogs: http://blogs.isaserver.org/ >>>> ------------------------------------------------------ >>>> Visit TechGenix.com for more information about our other sites: >>>> http://www.techgenix.com >>>> ------------------------------------------------------ >>>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp >>>> Report abuse to listadmin@xxxxxxxxxxxxx >>>> >>>> ------------------------------------------------------ >>>> List Archives: //www.freelists.org/archives/isalist/ >>>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp >>>> ISA Server Articles and Tutorials: >>>> http://www.isaserver.org/articles_tutorials/ >>>> ISA Server Blogs: http://blogs.isaserver.org/ >>>> ------------------------------------------------------ >>>> Visit TechGenix.com for more information about our other sites: >>>> http://www.techgenix.com >>>> ------------------------------------------------------ >>>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp >>>> Report abuse to listadmin@xxxxxxxxxxxxx >>>> >>>> ------------------------------------------------------ >>>> List Archives: //www.freelists.org/archives/isalist/ >>>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp >>>> ISA Server Articles and Tutorials: >>>> http://www.isaserver.org/articles_tutorials/ >>>> ISA Server Blogs: http://blogs.isaserver.org/ >>>> ------------------------------------------------------ >>>> Visit TechGenix.com for more information about our other sites: >>>> http://www.techgenix.com >>>> ------------------------------------------------------ >>>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp >>>> Report abuse to listadmin@xxxxxxxxxxxxx >>>> >>>> ------------------------------------------------------ >>>> List Archives: //www.freelists.org/archives/isalist/ >>>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp >>>> ISA Server Articles and Tutorials: >>>> http://www.isaserver.org/articles_tutorials/ >>>> ISA Server Blogs: http://blogs.isaserver.org/ >>>> ------------------------------------------------------ >>>> Visit TechGenix.com for more information about our other sites: >>>> http://www.techgenix.com >>>> ------------------------------------------------------ >>>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp >>>> Report abuse to listadmin@xxxxxxxxxxxxx >>>> >>>> ------------------------------------------------------ >>>> List Archives: //www.freelists.org/archives/isalist/ >>>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp >>>> ISA Server Articles and Tutorials: >>>> http://www.isaserver.org/articles_tutorials/ >>>> ISA Server Blogs: http://blogs.isaserver.org/ >>>> ------------------------------------------------------ >>>> Visit TechGenix.com for more information about our other sites: >>>> http://www.techgenix.com >>>> ------------------------------------------------------ >>>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp >>>> Report abuse to listadmin@xxxxxxxxxxxxx >>>> >>>> >>>> >>> >>> >>> ------------------------------------------------------ >>> List Archives: //www.freelists.org/archives/isalist/ >>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp >>> ISA Server Articles and Tutorials: >>> http://www.isaserver.org/articles_tutorials/ >>> ISA Server Blogs: http://blogs.isaserver.org/ >>> ------------------------------------------------------ >>> Visit TechGenix.com for more information about our other sites: >>> http://www.techgenix.com >>> ------------------------------------------------------ >>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp >>> Report abuse to listadmin@xxxxxxxxxxxxx >>> >>> >>> >> ------------------------------------------------------ >> List Archives: //www.freelists.org/archives/isalist/ >> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp >> ISA Server Articles and Tutorials: >> http://www.isaserver.org/articles_tutorials/ >> ISA Server Blogs: http://blogs.isaserver.org/ >> ------------------------------------------------------ >> Visit TechGenix.com for more information about our other sites: >> http://www.techgenix.com >> ------------------------------------------------------ >> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp >> Report abuse to listadmin@xxxxxxxxxxxxx >> >> >> > > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > >
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx