RE: DNS server mapping

  • From: "Joseph" <cismic@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 19 Mar 2002 10:31:01 -0800

Hi Tom,
I will try that setup to see if it removes the hits from other sources.
I'll let you know my results.

Joseph

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, March 19, 2002 10:07 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server mapping

http://www.ISAserver.org


Hi Joseph,

One thing you can do is make your box a root server, or just remove the
root hints file so that it can perform recursion. That way, the box
answers only for domains for which it is authoritative, and drops the
other requests. Now, this is easy for me to say, but I haven't tested it
out live yet, so YMMV :-)

Tom
www.isaserver.org/shinder


-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx] 
Sent: Tuesday, March 19, 2002 11:31 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server mapping

Hi Tom,

I agree!  One thing that I did was pick up two inexpensive PII 400s for
250.00 each that work well for DNS servers.  I've not had any issues
with them at all! I suppose if I were receiving a million hits plus a
day I might change the configuration but with load testing they will
support about 5K hits a day without issue.

Now, I have my external DNS servers in the DMZ and the internal address
behind the second firewall in my internal net.  I would highly suggest
that others do the same. The maintenance is not hard at all either.

As just a matter of maintenance I reboot the DNS servers every two
weeks.

I've been testing on a completely separate system from my network using my
DMZ DNS servers as the DNS machines. I did notice that they get hit.
Not hard though.  But, it would be nice to be able to limit who can
connect to my DNS servers. So, I've not found a rule that would work.
For example if we all started using any DNS server or one specific DNS
server a mini DOS attack could happen.  Has anyone else dealt with how
to block others from using your DNS servers as theirs?

Thank you,

Joseph

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Monday, March 18, 2002 10:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server mapping

Hi Joseph,

One thing I don't think I, or Microsoft has made a point of
communicating is how important it is not to use the same machine to
resolve internal and external resources for public users. If you allow
public access to your private DNS servers, cache poisoning can be a real
problem. Someday I'll get around to writing an article on this issue :-)

Thanks!

Tom
www.isaserver.org/shinder


-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx] 
Sent: Monday, March 18, 2002 10:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server mapping

The incoming listener on your ISA server should be of the same IP
address that your registered name is.  At least I've tried to be
consistent in that matter.  I would use 202.138.162.245 as your incoming
listener.

The EXPOSED DNS server which contains your external DNS address can have
a private IP address.  When you set up your domain on that machine, i.e.
airrelay.biz, you would also add a host entry for NS1.  I imagine that
you're going to run primary on your DNS.

Then from the ISA server create a destination set for the DNS on
private IP.  And then publish that server using the client destination
set.

I would read the article out on isaserver.org that deals with setup of
DNS before installing ISA.

Joseph

-----Original Message-----
From: Rodel P Hipolito [mailto:rhipolito@xxxxxxxxxxxx] 
Sent: Monday, March 18, 2002 2:06 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] DNS server mapping

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi guys,

        I have this situation:


        ============                     ==============
        |DNS Server|-------------------->| ISA server |---------------------> Internet
        ============    192.168.1.224    ==============  202.138.162.245
        192.168.1.251                                    202.138.162.246

        I registered ns1.airrelay.biz with an IP address of
202.138.162.246, but my DNS server's real IP address is 192.168.1.251. I
already published this server on the ISA publishing server features, but
unfortunately it still can't be resolved from the Internet. Any idea
on what I should check?

Thanks for your help guys..and more power to all

Regards.


Rodel P Hipolito
ICT Department
Air Relay Corporation
A: 18th Floor IBM Plaza
   Eastwood City Cyberpark
   E. Rodriguez Jr. Avenue
   Bagumbayan, Quezon City
T: +632-4394860
F: +632-4387904
M: 0917-8166599
W: www.airrelay.biz
E: rhipolito@xxxxxxxxxxxx 

==========================================================================
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.
==========================================================================

 

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBPJW8GB7+p9+U2R9aEQLInQCfXBBHO6E4hGAYWsjDoaeUOTN6ic8AoMef
3N6Z3srG+Wb01BRM6PFZL0UN
=snaF
-----END PGP SIGNATURE-----


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
cismic@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
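
The thread asks how to keep outsiders from using a published DNS server as their resolver, and suggests making it answer only for zones it is authoritative for. The following is an added example, not part of the thread or of ISA Server: one way to check that behaviour from outside on a server you operate, by sending an RD=1 query for a name the server does not host and reading the reply header. The function names, the test name www.example.org and the constructed sample replies (answer address 192.0.2.1) are assumptions made for the example.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """A/IN query with RD=1, as a stub resolver would send it."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify(packet):
    """Judge a reply to an RD=1 query for a name the server is NOT authoritative for."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    ra, aa = bool(flags & 0x0080), bool(flags & 0x0400)
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    if ra and ancount:
        verdict = "open-resolver"             # recursed on behalf of an outsider
    elif ra:
        verdict = "recursion-advertised"      # RA set, but this lookup returned no data
    elif ancount and not aa:
        verdict = "non-authoritative-answer"  # answered without recursion: cache is readable
    else:
        verdict = "no-recursion"              # REFUSED, referral or empty reply
    return {"rcode": rcode, "ra": ra, "aa": aa, "answers": ancount, "verdict": verdict}

def probe(server_ip, name, timeout=3.0):
    """Send the query over UDP to a server you operate and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        return classify(s.recvfrom(4096)[0])

def sample_reply(query, flags, answers=0):
    """Constructed reply for offline use: echoes the question, optional A record 192.0.2.1."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return query[:2] + struct.pack("!HHHHH", flags, 1, answers, 0, 0) + query[12:] + rr * answers

Q = build_query("www.example.org")          # constructed test name
OPEN = sample_reply(Q, 0x8180, answers=1)   # QR RD RA, NOERROR, one answer
CLOSED = sample_reply(Q, 0x8105)            # QR RD, RA clear, REFUSED
```

Run `probe()` from a host outside the firewall; any verdict other than `no-recursion` means the published server is doing more than serving its own zones.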

