Thank you guys for that great help!!! More power to all!!

-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx]
Sent: Wednesday, March 20, 2002 2:31 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server mapping

http://www.ISAserver.org

Hi Tom,

I will try that setup to see if it removes the hits from other sources. I'll let you know my results.

Joseph

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, March 19, 2002 10:07 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server mapping

Hi Joseph,

One thing you can do is make your box a root server, or just remove the root hints file so that it can perform recursion. That way, the box answers only for domains for which it is authoritative, and drops the other requests.

Now, this is easy for me to say, but I haven't tested it out live yet, so YMMV :-)

Tom
www.isaserver.org/shinder

-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx]
Sent: Tuesday, March 19, 2002 11:31 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server mapping

Hi Tom,

I agree! One thing that I did was pick up two inexpensive PII 400's for 250.00 each that work well for DNS servers. I've not had any issues with them at all! I suppose if I were receiving a million hits plus a day I might change the configuration, but with load testing they will support about 5K hits a day without issue.

Now, I have my external DNS servers in the DMZ and the internal address behind the second firewall in my internal net. I would highly suggest that others do the same. The maintenance is not hard at all either. As just a matter of maintenance I reboot the DNS servers every two weeks.

I've been testing on a completely separate system from my network using my DMZ DNS servers as the DNS machines.
I did notice that they get hit. Not hard though. But, it would be nice to be able to limit who can connect to my DNS servers. So, I've not found a rule that would work. For example, if we all started using any DNS server or one specific DNS server, a mini DoS attack could happen.

Has anyone else dealt with how to block others from using your DNS servers as theirs?

Thank you,
Joseph

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Monday, March 18, 2002 10:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server mapping

Hi Joseph,

One thing I don't think I, or Microsoft, have made a point of communicating is how important it is not to use the same machine to resolve internal and external resources for public users. If you allow public access to your private DNS servers, cache poisoning can be a real problem.

Someday I'll get around to writing an article on this issue :-)

Thanks!
Tom
www.isaserver.org/shinder

-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx]
Sent: Monday, March 18, 2002 10:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server mapping

The incoming listener on your ISA server should be of the same IP address that your registered name is. At least I've tried to be consistent in that matter. I would use 202.138.162.245 as your incoming listener.

The EXPOSED DNS server which contains your external DNS address can have a private IP address. When you set up your domain on that machine, i.e. airrelay.biz, you would also add a host entry for NS1. I imagine that you're going to run primary on your DNS.

Then from the ISA server create a destination set for the DNS on private IP. And then publish that server using the client destination set.

I would read the article out on isaserver.org that deals with setup of DNS before installing ISA.
Joseph

-----Original Message-----
From: Rodel P Hipolito [mailto:rhipolito@xxxxxxxxxxxx]
Sent: Monday, March 18, 2002 2:06 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] DNS server mapping

Hi guys,

I have this situation:

============                        ==============
|DNS Server|----------------------> | ISA server |---------------------> Internet
============    192.168.1.224       ==============    202.138.162.245
192.168.1.251                                         202.138.162.246

I registered ns1.airrelay.biz with an IP address of 202.138.162.246, but my DNS server's real IP address is 192.168.1.251. I already published this server on the ISA publishing server features, but unfortunately, still it can't be resolved from the Internet. Any idea on what I should check?

Thanks for your help guys..and more power to all

Regards.

Rodel P Hipolito
ICT Department
Air Relay Corporation
A: 18th Floor IBM Plaza Eastwood City Cyberpark, E. Rodriguez Jr. Avenue, Bagumbayan, Quezon City
T: +632-4394860
F: +632-4387904
M: 0917-8166599
W: www.airrelay.biz
E: rhipolito@xxxxxxxxxxxx
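
An added example, not part of the original thread: the thread's goal for the published DNS server (answer only for the zones it hosts, do not act as a resolver for strangers) can be checked from outside by reading the header flags of its reply to a query for a name it does not host. The function names are hypothetical, example.com stands in for any out-of-zone name, and the sample reply headers are constructed rather than captured.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR, RD, RA = 0x8000, 0x0100, 0x0080
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Build an A/IN query with RD=1 (recursion desired) for `name`."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def classify_reply(reply, txid=0x1234):
    """Classify the reply to a query for a name the server does NOT host."""
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & QR:
        return "malformed"
    rcode = RCODES.get(flags & 0x000F, "OTHER")
    if flags & RA and rcode == "NOERROR" and ancount > 0:
        return "open-resolver"        # it recursed on behalf of a stranger
    if flags & RA:
        return "recursion-offered"    # RA set but no answer; check config
    return "no-recursion (%s)" % rcode


def probe(server_ip, name="example.com", timeout=3.0):
    """Send one query over UDP/53 to your own published server and classify it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        return classify_reply(s.recv(512))


# Constructed sample reply headers (not captured traffic):
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, QR | RD | 5, 1, 0, 0, 0)
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x1234, QR | RD, 1, 0, 13, 0)

if __name__ == "__main__":
    for label, raw in [("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED),
                       ("referral", SAMPLE_REFERRAL)]:
        print(label, "->", classify_reply(raw))
```

Calling `probe()` with the published address from a host outside the firewall shows what an Internet client sees; a result of "open-resolver" means the server is resolving names for anyone who asks.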