http://www.ISAserver.org
-------------------------------------------------------
mmm have seen anything on that.. have you got an url?
----- Original Message -----
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, October 25, 2006 12:03 PM
Subject: [isalist] Re: OT: DNS and Forwarders
http://www.ISAserver.org -------------------------------------------------------
R2-- read only DC for remote branches...
t
On 10/24/06 6:25 PM, "Greg Mulholland" <gmulholland@xxxxxxxxxxxx> spoketh to
all:
http://www.ISAserver.org -------------------------------------------------------
what do you mean by a read only dc? i thought we had to wait for longhorn to
do that?
Greg
----- Original Message ----- From: "Jim Harrison" <Jim@xxxxxxxxxxxx> To: <isalist@xxxxxxxxxxxxx> Sent: Wednesday, October 25, 2006 1:26 AM Subject: [isalist] Re: OT: DNS and Forwarders
http://www.ISAserver.org ------------------------------------------------------- You might consider deploying a "read-only" DC in the branch. This reduces the WAN traffic for logon and AD replication. Logon traffic across the WAN is a nasty thing to handle and troubleshoot. ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! -------------------------------------------------------
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Amy Babinchak
Sent: Tuesday, October 24, 2006 07:33
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: OT: DNS and Forwarders
http://www.ISAserver.org
-------------------------------------------------------
The plan it to move the DC's out of the brand offices altogether.
Conditional forwarding. That might be what I'm looking for.
Thanks,
Amy
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Tuesday, October 24, 2006 10:23 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: OT: DNS and Forwarders
http://www.ISAserver.org
-------------------------------------------------------
Hi Amy,
If the internal users need to access main office resources using DNS, then I
think it would be a good idea to move the Internet host name resolution away
from the branch office DCs. You can do this by putting a caching only DNS
server on the ISA Firewall themselves (or on another
machine) and then creating a stub zone or configure conditional forwarding
on those DNS servers so that they send requests for the Internal domain(s)
to the DCs.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
-----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak Sent: Tuesday, October 24, 2006 9:12 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: OT: DNS and Forwarders
http://www.ISAserver.org -------------------------------------------------------
At the branch offices their DNS use is more Internet than contacting internal hosts. There are a lot of DC's in the network currently so there's a lot of chatter going on. This would be a temporary move until I can get rid of some of the DC's. They really aren't necessary.
Amy
-----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God) Sent: Tuesday, October 24, 2006 9:52 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: OT: DNS and Forwarders
http://www.ISAserver.org -------------------------------------------------------
I don't have any cache-only DNS servers in my infrastructure, but my ISP does (in addition to the "standard" redundant servers) so I use those for my DMZ DNS server's lookups...
How will making the branch servers cache only cut down on DNS traffic? What's the difference between the cache only server fetching the record compared to the AD update? Or are there that many hosts that no one is ever trying to reach that it will make a difference?
t
On 10/23/06 6:26 PM, "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> spoketh to all:
network wherehttp://www.ISAserver.org -------------------------------------------------------
Thor,
Do you put any cache only servers in the mix? I've got athere are DC's running DNS at branch offices and I'm thinking ofmaking[mailto:isalist-bounce@xxxxxxxxxxxxx]those only cache servers to reduce some network traffic.
Amy
-----Original Message----- From: isalist-bounce@xxxxxxxxxxxxxsome off-listOn Behalf Of Thor (Hammer of God) Sent: Wednesday, October 18, 2006 11:50 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: OT: DNS and Forwarders
http://www.ISAserver.org -------------------------------------------------------
I've found that many people seem to dance over the security ramifications of DNS/forwarders when designing an infrastructure. I hadconversations about this, and thought that it may bevaluable to fullyflesh-out what I think the issues are and how to avoid them. Now'salsoprobably a good time to share my "trick" regarding publiclyavailablethose who areDNS and minimizing service exposure. So, for the benefit ofthatinterested:
When AD DNS is configured as a forwarder, all domain members usingtheir IP stack.DNS server will be able to resolve hostnames directly fromThere is no operational reason to have this-- when oneconsiders thatboxmost spyware/malware/trojans/backdoors/shells/etc typically depend on hostname lookups for direct access to a resource, the capability of a clientway,to perform direct host lookups outside your network should (to me) be considered unwanted and un-needed. Personally, I qualify it as "dangerous."
That's why I always configure my AD DNS with a root (.) zone- thatuseonly local zones may be queried by the client's stack. I typically onlythe ISA box.web proxy clients for HTTP(S)/FTP where all DNS is proxied bytheIf one needs direct DNS for another application (say DOS FTP) then useconfiguredFWC and all DNS will be resolved over the control channel, still being proxied by the ISA server.
The ISA server itself will have whatever "public" DNS serverbox set upin its stack so that it can do the resolution for the clients.
Not only is direct client DNS "dangerous," but having an ADaccessas a forwarder is "dangerous" as well as the box must be configured topathsa remote resource over TCP/UDP 53. This also means that you've opened that box up for incoming traffic on TCP/UDP 53 as well. Having staticRemember, the DNSinto your internal network from source port routing is crazy. I can push anything I want over 53, not just DNS (and have ;).host namesfilter is only for published DNS servers, not clients requesting DNS lookups.
But there is the issue of one wanting complete control overDMZand the need to publish your own DNS. This is what the DMZ is for. Theset to usebox is set as a forwarding server, and the internal ISA box istothat box for all DNS requests. In this way, only the ISA box itself needrequest DNS outside the internal network, and it is alreadyprotected.In this manner, there is no DNS leaving the internal networkat all, and nois protectedstatic ports into the internal network-- only the ISA box looking up DNS, and only to that DMZ resource. The DNS server in the DMZDMZby the border ISA box, which (where necessary) is publishing DNS to thethefor remote hosts to look up your domain information. And here the DNS filter is used.
But you can get even better than that-- you can actually be fully in control of your own zone data without having to actually publish your DNS toDNSworld if you have a decent ISP.
Here's what I do for that-- I have DMZ DNS servers set up as primaryzones, and have told my ISP to set up their servers assecondary zonesISP'sfor my domains. The DMZ box can only zone transfer to the IP's of myISP's cacheDNS servers. Additionally the DMZ box is set to forward to myDNSservers. So, at this point, all internal AD DNS is stopped at the controller, and only the ISA box can resolve DNS and only to the DMZDNSserver. My internal Exchange clusters' stack resolves to the AD controller, and they smart host deliver mail to my DMZ GFI gateway, so still nomakeleaving. The GFI box in the DMZ uses the DMZ DNS.
The trick is that though I'm primary DNS, and though any changes II'veto my DNS hosts are immediately replicated to my ISP as secondary DNS,registered my DNS with the domain registry as my *ISP*being primary.*mine*.So the world resolves my host names via my *ISP's* DNS servers, notall,I don't even have to publish DNS at all.
The end result is that no DNS requests leave my internal network atexcept for a single DNS box in the DMZ that can only resolve to theISPcontrolDNS caches. There is no publishing at all, no internal paths, no vulns, nothing at all since the world resolves to the ISP boxes yet I have fullspokethover all host name entries.
It's a pretty tight config.
t
On 10/18/06 11:01 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>about everydayto all:
http://www.ISAserver.org -------------------------------------------------------
The T-Man is definitely right about this.
Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA)
-----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God) Sent: Wednesday, October 18, 2006 12:52 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: OT: DNS and Forwarders
http://www.ISAserver.org -------------------------------------------------------
Why do your internal clients need to resolve DNS directly? I never ever use forwarders on my AD boxes. I always create root zones on my AD DNS servers and only use ISA to resolve DNS for web proxy/fw clients.
That's where what I consider "true" security and separation comes from.
t
On 10/18/06 9:13 AM, "ISA" <ISA@xxxxxxxxxxxxxxxx> spoketh to all:
[mailto:isalist-bounce@xxxxxxxxxxxxx]http://www.ISAserver.org -------------------------------------------------------
This actually has happened with and without forwarders -
Steve, I interpret your suggestion as using only the Root Hints?
Joseph Danielsen, MCSA-Messaging, MCP
Network Blade Inc.
49 Marcy Street
Somerset, NJ 08873
732-213-0600
www.networkblade.com
-----Original Message----- From: isalist-bounce@xxxxxxxxxxxxxthe very sameOn Behalf Of Steve Moffat Posted At: Wednesday, October 18, 2006 12:08 PM Posted To: ISA Conversation: [isalist] Re: OT: DNS and Forwarders Subject: [isalist] Re: OT: DNS and Forwarders
http://www.ISAserver.org -------------------------------------------------------
FWIW.....I have 2 caching only DNS Servers that I setup to use as forwarders for my AD DNS Servers, when I use them, I getissue. If I however, remove them from the forwarderssection, I have no[mailto:isalist-bounce@xxxxxxxxxxxxx]DNS Issues at all whatsoever, anytime.
S
-----Original Message----- From: isalist-bounce@xxxxxxxxxxxxxOn Behalf Of ISA Sent: Wednesday, October 18, 2006 1:03 PM To: ISA Mailing List Subject: [isalist] Re: OT: DNS and Forwarders
http://www.ISAserver.org -------------------------------------------------------
Thanks Mike:
I will try clearing the cache - but this happens nowthe problem.(morning usually). I really have to find the source oftimes.[mailto:isalist-bounce@xxxxxxxxxxxxx]
Joseph Danielsen, MCSA-Messaging, MCP
Network Blade Inc.
49 Marcy Street
Somerset, NJ 08873
732-213-0600
www.networkblade.com
-----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx[mailto:isalist-bounce@xxxxxxxxxxxxx]On Behalf Of Michael Ross Posted At: Wednesday, October 18, 2006 12:01 PM Posted To: ISA Conversation: [isalist] OT: DNS and Forwarders Subject: [isalist] Re: OT: DNS and Forwarders
http://www.ISAserver.org -------------------------------------------------------
Windows 2003 DNS servers? Believe it or not, ive seen that . It's a cache pollution type of behavior, with no logging or other signs to prove that. Try to clear the DNS cache next time and see if it helps.
-----Original Message----- From: isalist-bounce@xxxxxxxxxxxxxOn Behalf Of ISA Sent: Wednesday, October 18, 2006 10:59 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] OT: DNS and Forwarders
http://www.ISAserver.org -------------------------------------------------------
Steve: Funny you should say that because I've done that a fewhttp://www.isaserver.org/pages/newsletter.aspfailure is.
DNS stops - I removed the forwards - Restart DNS - DNS works. DNS stops - I change the forwards - Restart DNS - DNS works.
I want to blame my server but I'm just not sure where the[mailto:isalist-bounce@xxxxxxxxxxxxx]
Joseph Danielsen, MCSA-Messaging, MCP
Network Blade Inc.
49 Marcy Street
Somerset, NJ 08873
732-213-0600
www.networkblade.com
-----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx[mailto:isalist-bounce@xxxxxxxxxxxxx]On Behalf Of Steve Moffat Posted At: Wednesday, October 18, 2006 11:55 AM Posted To: ISA Conversation: [isalist] OT: DNS and Forwarders Subject: [isalist] Re: OT: DNS and Forwarders
http://www.ISAserver.org -------------------------------------------------------
Remove the forwarders.....then see how fast your Internet speed gets...:)
S
-----Original Message----- From: isalist-bounce@xxxxxxxxxxxxxWindows DNS/DCOn Behalf Of ISA Sent: Wednesday, October 18, 2006 12:49 PM To: ISA Mailing List Subject: [isalist] OT: DNS and Forwarders
http://www.ISAserver.org -------------------------------------------------------
Hello All -
This might be off-topic, but has anyone every had theirproblems on theirserver intermittently stop forwarding DNS requests?
I checked with the ISP and they don't recognize andend.
JD ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter:http://www.isaserver.org/pages/newsletter.aspISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter:http://www.isaserver.org/pages/newsletter.aspISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter:http://www.isaserver.org/pages/newsletter.aspISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter:http://www.isaserver.org/pages/newsletter.aspISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter:http://www.isaserver.org/pages/newsletter.aspISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter:http://www.isaserver.org/pages/newsletter.aspISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter:http://www.isaserver.org/pages/newsletter.aspISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter:http://www.isaserver.org/pages/newsletter.aspISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter:ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx