RE: Split DNS Questions...

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 21 Apr 2005 06:49:08 -0700

..so you apparently didn't learn the first time?
:-)

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx] 
Sent: Thursday, April 21, 2005 06:46
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Split DNS Questions...

http://www.ISAserver.org

But But But... I don't have a dog! 

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Wednesday, April 20, 2005 10:52 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Split DNS Questions...

Can't tell you - I'd have to kill your dog.

-----Original Message-----
From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx]
Sent: Wednesday, April 20, 2005 6:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Split DNS Questions...

Hello,

Does anyone know if Microsoft has plans to update its DNS to include support
for split DNS?  Bind 9 includes views and it would be really nice if MS added
this capability to their DNS server.

Thanks


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, April 20, 2005 9:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Split DNS Questions...

Hi Dan,

You said the magic words, Split DNS.
Responses inline... 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Wednesday, April 20, 2005 8:09 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Split DNS Questions...

I haven't really looked into using a Split DNS before because what we had
was working "okay".  However, I'm running into a few issues that make me
wonder if a split DNS would be appropriate for our situation.

- We do use the same domain name for the internal network, as is publicly
available.  Sounds like a perfect situation for a split DNS...
TOM: You bet! I do this whenever I can. Never had a problem except for VPN
clients at times, related to the RAS adapter not moving to the top once
connected. I'll do an article on this that includes the fix -- if you run
into the issue, I'll send the fix via e-mail.


- Accessing our own website acts like it's coming from the outside.  The ISA
logs show it coming in and going out of the internal network, but passing
right by the web publishing policy, and hitting my last policy for IntraNet
All Protocols.  I don't mind it passing through the ISA server, as it doesn't
put much of a load on it and I can then see it in the reports.  However, I'd
like to be able to have it recognize the local connection, and provide
authentication.
TOM: Shouldn't be that way. Your internal sites should all be configured for
Direct Access, so that Firewall clients and Web proxy clients ignore their
roles and allow direct communication with the internal hosts.
Looping back through the ISA firewall for local resources is one of the venal
sins of ISA firewall networking.


- Since installing Rain Connect, we've been having troubles with some
outgoing e-mails.  Apparently, one of our IP addresses doesn't have a reverse
DNS entry for it, and many organizations won't accept it if they can't do a
reverse lookup.  So I redirected all TCP port 25 traffic through one of our
ISPs.  However, whenever that link goes down (and cable modems go down at
least once an hour), it redirects the traffic through the other port, and we
get some rejected messages.  Trying to clear this up with our ISP doesn't
seem to be working, so maybe running our own (split) DNS server would clear
it up?
TOM: I assume that your ISP owns your netblock and not you (might not be
so, but almost always is). In that case, you need the ISP to add the reverse
lookup zone record for you. On their DNS server, since they are authoritative
for their netblock, even if they "let" you use some of their addresses. Note
that's true only for reverse lookups, as you maintain the authoritative
forward lookup zones on your DNS agent on the RainConnect software.



- Along with the last one comment, we plan on adding a few more ISPs in the
future, and removing others.  I personally think it would be much easier to
do these updates if we ran our own (public) DNS server, instead of the hassle
of trying to get all ISPs to change entries all the time.
TOM: If RainConnect still works the way it used to, it's the authoritative
forward lookup zone DNS server, so you're hosting the forward lookup zone
records already and the RainConnect DNS agent takes care of things for you. I
have to admit, I don't know how they handle MX records these days, but the MX
records always map to A records, and RainConnect handles those automatically
for ISP failover. I don't think you want to load balance the SMTP traffic,
since you need the reverse lookups to work correctly. Just make sure you get
the reverse lookup zone records in place on all ISPs that you use for your
RainConnect setup.


So what do you think?  Good scenario for a Split DNS?
TOM: GREAT setup for a split DNS. Your users will love it. Just let me know
if you're going to use it for incoming VPN and I'll send you some fixes.
HTH,
Tom



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx




All mail to and from this domain is GFI-scanned.
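
Added example, not part of the original thread: an offline audit of the reverse-lookup point made above, checking that each ISP link's outbound SMTP address has a PTR record and, going one step beyond the thread, that the PTR name resolves back to the same address in the forward zone (a check many receiving mail servers also apply). All link names, addresses and hostnames are constructed, using documentation ranges.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not from the thread).
# PTR records live in each ISP's reverse zone, because the ISP owns the netblock.
PTR_RECORDS = {
    "10.2.0.192.in-addr.arpa": "mail.example.org.",
    # isp-b never created a PTR for 198.51.100.10
    "10.113.0.203.in-addr.arpa": "mail.example.org.",
}
# A records live in the organisation's own authoritative forward zone.
# 203.0.113.10 (a newly added ISP) has not been added here yet.
A_RECORDS = {"mail.example.org.": {"192.0.2.10", "198.51.100.10"}}

# Outbound SMTP source address seen by remote servers on each ISP link.
LINKS = {
    "isp-a": "192.0.2.10",
    "isp-b": "198.51.100.10",
    "isp-c": "203.0.113.10",
}


def fcrdns_status(ip, ptr_records, a_records):
    """Classify one address: 'ok', 'no-ptr' or 'forward-mismatch'."""
    qname = ipaddress.ip_address(ip).reverse_pointer  # e.g. 10.2.0.192.in-addr.arpa
    host = ptr_records.get(qname)
    if host is None:
        return "no-ptr"            # ISP has not published a reverse record
    if ip not in a_records.get(host, set()):
        return "forward-mismatch"  # PTR name does not resolve back to this IP
    return "ok"


def audit_links(links, ptr_records=PTR_RECORDS, a_records=A_RECORDS):
    """Return {link name: status} for every outbound link."""
    return {name: fcrdns_status(ip, ptr_records, a_records)
            for name, ip in links.items()}


def safe_smtp_links(links):
    """Links over which outbound mail passes the reverse-lookup checks."""
    return sorted(n for n, s in audit_links(links).items() if s == "ok")


if __name__ == "__main__":
    for name, status in audit_links(LINKS).items():
        print(f"{name:6} {LINKS[name]:15} {status}")
    print("route TCP 25 only via:", ", ".join(safe_smtp_links(LINKS)))
```

A failover that moves port 25 traffic onto a link reported as anything other than `ok` reproduces the rejected-mail symptom described in the thread.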

