RE: DNS server mapping

  • From: "Rodel P Hipolito" <rhipolito@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 21 Mar 2002 18:10:24 +0800

 

Thank you guys for that great help!!! More power to all!!

-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx] 
Sent: Wednesday, March 20, 2002 2:31 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server mapping


http://www.ISAserver.org


Hi Tom,
I will try that setup to see if it removes the hits from other
sources. I'll let you know my results.

Joseph

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, March 19, 2002 10:07 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server mapping



Hi Joseph,

One thing you can do is make your box a root server, or just remove
the root hints file so that it can perform recursion. That way, the
box answers only for domains for which it is authoritative, and drops
the other requests. Now, this is easy for me to say, but I haven't
tested it out live yet, so YMMV :-)

Tom
www.isaserver.org/shinder


-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx] 
Sent: Tuesday, March 19, 2002 11:31 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server mapping



Hi Tom,

I agree!  One thing that I did was pick up two inexpensive PII 400s
for 250.00 each that work well for DNS servers.  I've not had any
issues with them at all! I suppose if I were receiving a million hits
plus a day I might change the configuration, but with load testing
they will support about 5K hits a day without issue.

Now, I have my external DNS servers in the DMZ and the internal
address behind the second firewall in my internal net.  I would
highly suggest that others do the same. The maintenance is not hard
at all either.

As just a matter of maintenance I reboot the DNS servers every two
weeks.

I've been testing on a completely separate system from my network using
my DMZ DNS servers as the DNS machines. I did notice that they get
hit. Not hard though.  But, it would be nice to be able to limit who
can connect to my DNS servers. So, I've not found a rule that would
work. For example, if we all started using any DNS server or one
specific DNS server, a mini DoS attack could happen.  Has anyone else
dealt with how to block others from using your DNS servers as theirs?

Thank you,

Joseph

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Monday, March 18, 2002 10:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server mapping



Hi Joseph,

One thing I don't think I or Microsoft have made a point of
communicating is how important it is not to use the same machine to
resolve internal and external resources for public users. If you
allow public access to your private DNS servers, cache poisoning can
be a real problem. Someday I'll get around to writing an article on
this issue :-)

Thanks!

Tom
www.isaserver.org/shinder


-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx] 
Sent: Monday, March 18, 2002 10:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server mapping



The incoming listener on your ISA server should be of the same IP
address that your registered name is.  At least I've tried to be
consistent in that matter.  I would use 202.138.162.245 as your
incoming listener.

The EXPOSED DNS server which contains your external DNS address can
have a private IP address.  When you set up your domain on that
machine, i.e. airrelay.biz, you would also add a host entry for NS1.  I
imagine that you're going to run primary on your DNS.

Then from the ISA server create a destination set for the DNS on
private IP.  And then publish that server using the client
destination set.

I would read the article out on isaserver.org that deals with setup
of DNS before installing ISA.

Joseph

-----Original Message-----
From: Rodel P Hipolito [mailto:rhipolito@xxxxxxxxxxxx] 
Sent: Monday, March 18, 2002 2:06 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] DNS server mapping



 

Hi guys,

        I have this situation:


        ============                    ==============
        |DNS Server|------------------->| ISA server |-------------------> Internet
        ============    192.168.1.224   ==============  202.138.162.245
        192.168.1.251                                   202.138.162.246

        I registered ns1.airrelay.biz with an IP address of 202.138.162.246,
but my DNS server's real IP address is 192.168.1.251. I already
published this server with the ISA server publishing features, but
unfortunately it still can't be resolved from the Internet. Any idea
on what I should check?

Thanks for your help guys..and more power to all

Regards.


Rodel P Hipolito
ICT Department
Air Relay Corporation
A: 18th Floor IBM Plaza
   Eastwood City Cyberpark
   E. Rodriguez Jr. Avenue
   Bagumbayan, Quezon City
T: +632-4394860
F: +632-4387904
M: 0917-8166599
W: www.airrelay.biz
E: rhipolito@xxxxxxxxxxxx 


 



------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List
as: cismic@xxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')
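
Added example, not part of the original thread: a Python check an administrator can run from an outside host against their own published DNS server, to see whether it answers recursive queries for a name it is not authoritative for (the exposure Joseph asks about). The function names and the test name example.com are assumptions, and the three sample headers are constructed.

```python
import os
import socket
import struct

def build_query(name, qid, rd=True):
    """Build a DNS A/IN query; the RD flag asks the server to recurse."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data, expected_id):
    """Classify the reply to a recursive query for a third-party name."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != expected_id or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    ra = bool(flags & 0x0080)      # RA: server offers recursion
    if rcode == 5:
        return "refused"           # server declines third-party lookups
    if ra and rcode == 0 and an > 0:
        return "open-recursion"    # resolved a name it does not host
    if not ra:
        return "no-recursion"      # referral or empty answer, RA clear
    return "other"

def probe(server, name="example.com", timeout=3.0):
    """Send one recursive query over UDP/53 to a server you operate."""
    qid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify_response(data, qid)

# Constructed response headers (ID 0x1234), header fields only.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)      # RA set, 1 answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)   # RCODE=REFUSED
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 13, 0) # RA clear, referral

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN, SAMPLE_REFUSED, SAMPLE_REFERRAL):
        print(classify_response(sample, 0x1234))
```

A result of "open-recursion" from a host outside your network means the published server will resolve names for anyone who can reach it.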