[isalist] Re: OT: DNS and Forwarders

From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxx>
To: <isalist@xxxxxxxxxxxxx>
Date: Wed, 25 Oct 2006 14:49:59 +1000

http://www.ISAserver.org ------------------------------------------------------- mmm have seen anything on that.. have you got an url?

----- Original Message ----- From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx> To: <isalist@xxxxxxxxxxxxx> Sent: Wednesday, October 25, 2006 12:03 PM Subject: [isalist] Re: OT: DNS and Forwarders

http://www.ISAserver.org
-------------------------------------------------------

R2-- read only DC for remote branches...

On 10/24/06 6:25 PM, "Greg Mulholland" <gmulholland@xxxxxxxxxxxx> spoketh to all:

http://www.ISAserver.org
-------------------------------------------------------

what do you mean by a read only dc? i thought we had to wait for longhorn to do that?

Greg

----- Original Message -----
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, October 25, 2006 1:26 AM
Subject: [isalist] Re: OT: DNS and Forwarders

http://www.ISAserver.org
-------------------------------------------------------
You might consider deploying a "read-only" DC in the branch.
This reduces the WAN traffic for logon and AD replication.
Logon traffic across the WAN is a nasty thing to handle and troubleshoot.
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak Sent: Tuesday, October 24, 2006 07:33 To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: OT: DNS and Forwarders http://www.ISAserver.org ------------------------------------------------------- The plan it to move the DC's out of the brand offices altogether. Conditional forwarding. That might be what I'm looking for. Thanks, Amy -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: Tuesday, October 24, 2006 10:23 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: OT: DNS and Forwarders http://www.ISAserver.org ------------------------------------------------------- Hi Amy, If the internal users need to access main office resources using DNS, then I think it would be a good idea to move the Internet host name resolution away from the branch office DCs. You can do this by putting a caching only DNS server on the ISA Firewall themselves (or on another machine) and then creating a stub zone or configure conditional forwarding on those DNS servers so that they send requests for the Internal domain(s) to the DCs. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA)

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Tuesday, October 24, 2006 9:12 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: OT: DNS and Forwarders

http://www.ISAserver.org
-------------------------------------------------------

At the branch offices their DNS use is more Internet than contacting
internal hosts. There are a lot of DC's in the network currently so
there's a lot of chatter going on. This would be a temporary move
until I can get rid of some of the DC's. They really aren't necessary.

Amy

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Tuesday, October 24, 2006 9:52 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: OT: DNS and Forwarders

http://www.ISAserver.org
-------------------------------------------------------

I don't have any cache-only DNS servers in my infrastructure, but my
ISP does (in addition to the "standard" redundant servers) so I use
those for my DMZ DNS server's lookups...

How will making the branch servers cache only cut down on DNS traffic?
What's the difference between the cache only server fetching the
record compared to the AD update? Or are there that many hosts that
no one is ever trying to reach that it will make a difference?


On 10/23/06 6:26 PM, "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
spoketh to all:

http://www.ISAserver.org
-------------------------------------------------------
Thor,
Do you put any cache only servers in the mix? I've got a

network where

there are DC's running DNS at branch offices and I'm thinking of

making

those only cache servers to reduce some network traffic.

Amy


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx

[mailto:isalist-bounce@xxxxxxxxxxxxx]

On Behalf Of Thor (Hammer of God)
Sent: Wednesday, October 18, 2006 11:50 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: OT: DNS and Forwarders

http://www.ISAserver.org
-------------------------------------------------------

I've found that many people seem to dance over the security
ramifications of DNS/forwarders when designing an infrastructure. I
had

some off-list

conversations about this, and thought that it may be

valuable to fully

flesh-out what I think the issues are and how to avoid them. Now's

also

probably a good time to share my "trick" regarding publicly

available

DNS
and minimizing service exposure. So, for the benefit of

those who are

interested:
When AD DNS is configured as a forwarder, all domain members using

that

DNS
server will be able to resolve hostnames directly from

their IP stack.

There is no operational reason to have this-- when one

considers that

most
spyware/malware/trojans/backdoors/shells/etc typically depend on
hostname lookups for direct access to a resource, the capability of
a client

box

to
perform direct host lookups outside your network should (to me) be
considered unwanted and un-needed. Personally, I qualify it as
"dangerous."
That's why I always configure my AD DNS with a root (.) zone- that

way,

only
local zones may be queried by the client's stack. I typically only

use

web
proxy clients for HTTP(S)/FTP where all DNS is proxied by

the ISA box.

If
one needs direct DNS for another application (say DOS FTP) then use

the

FWC
and all DNS will be resolved over the control channel, still being
proxied by the ISA server.
The ISA server itself will have whatever "public" DNS server

configured

in
its stack so that it can do the resolution for the clients.
Not only is direct client DNS "dangerous," but having an AD

box set up

as a
forwarder is "dangerous" as well as the box must be configured to

access

a
remote resource over TCP/UDP 53. This also means that you've opened
that box up for incoming traffic on TCP/UDP 53 as well. Having
static

paths

into
your internal network from source port routing is crazy. I can push
anything I want over 53, not just DNS (and have ;).

Remember, the DNS

filter is only for published DNS servers, not clients requesting DNS
lookups.
But there is the issue of one wanting complete control over

host names

and
the need to publish your own DNS. This is what the DMZ is for. The

DMZ

box
is set as a forwarding server, and the internal ISA box is

set to use

that
box for all DNS requests. In this way, only the ISA box itself need

to

request DNS outside the internal network, and it is already

protected.

In
this manner, there is no DNS leaving the internal network

at all, and
no

static ports into the internal network-- only the ISA box looking up
DNS, and only to that DMZ resource. The DNS server in the DMZ

is protected

by
the border ISA box, which (where necessary) is publishing DNS to the

DMZ

for
remote hosts to look up your domain information. And here the DNS
filter is used.

But you can get even better than that-- you can actually be fully in
control of your own zone data without having to actually publish
your DNS to

the

world if you have a decent ISP.
Here's what I do for that-- I have DMZ DNS servers set up as primary

DNS

zones, and have told my ISP to set up their servers as

secondary zones

for
my domains. The DMZ box can only zone transfer to the IP's of my

ISP's

DNS
servers. Additionally the DMZ box is set to forward to my

ISP's cache

servers. So, at this point, all internal AD DNS is stopped at the
controller, and only the ISA box can resolve DNS and only to the DMZ

DNS

server. My internal Exchange clusters' stack resolves to the AD
controller, and they smart host deliver mail to my DMZ GFI gateway,
so still no

DNS

leaving. The GFI box in the DMZ uses the DMZ DNS.
The trick is that though I'm primary DNS, and though any changes I

make

to
my DNS hosts are immediately replicated to my ISP as secondary DNS,

I've

registered my DNS with the domain registry as my *ISP*

being primary.

So
the world resolves my host names via my *ISP's* DNS servers, not

*mine*.

I
don't even have to publish DNS at all.
The end result is that no DNS requests leave my internal network at

all,

except for a single DNS box in the DMZ that can only resolve to the

ISP

DNS
caches. There is no publishing at all, no internal paths, no vulns,
nothing at all since the world resolves to the ISP boxes yet I have
full

control

over all host name entries.
It's a pretty tight config.
t
On 10/18/06 11:01 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>

spoketh

to
all:

http://www.ISAserver.org
-------------------------------------------------------

The T-Man is definitely right about this.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of
God)
Sent: Wednesday, October 18, 2006 12:52 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: OT: DNS and Forwarders

http://www.ISAserver.org
-------------------------------------------------------

Why do your internal clients need to resolve DNS directly? I
never ever use forwarders on my AD boxes. I always create root
zones on my AD DNS servers and only use ISA to resolve DNS for web
proxy/fw clients.

That's where what I consider "true" security and separation comes
from.


On 10/18/06 9:13 AM, "ISA" <ISA@xxxxxxxxxxxxxxxx> spoketh to all:

http://www.ISAserver.org
-------------------------------------------------------


This actually has happened with and without forwarders -

Steve, I interpret your suggestion as using only the Root Hints?

Joseph Danielsen, MCSA-Messaging, MCP

Network Blade Inc.

49 Marcy Street

Somerset, NJ 08873

732-213-0600

www.networkblade.com


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx

[mailto:isalist-bounce@xxxxxxxxxxxxx]

On Behalf Of Steve Moffat
Posted At: Wednesday, October 18, 2006 12:08 PM Posted To: ISA
Conversation: [isalist] Re: OT: DNS and Forwarders
Subject: [isalist] Re: OT: DNS and Forwarders

http://www.ISAserver.org
-------------------------------------------------------

FWIW.....I have 2 caching only DNS Servers that I setup to use as
forwarders for my AD DNS Servers, when I use them, I get

the very same

issue. If I however, remove them from the forwarders

section, I have no

DNS Issues at all whatsoever, anytime.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx

[mailto:isalist-bounce@xxxxxxxxxxxxx]

On Behalf Of ISA
Sent: Wednesday, October 18, 2006 1:03 PM
To: ISA Mailing List
Subject: [isalist] Re: OT: DNS and Forwarders

http://www.ISAserver.org
-------------------------------------------------------

Thanks Mike:

I will try clearing the cache - but this happens now

about everyday

(morning usually). I really have to find the source of

the problem.


Joseph Danielsen, MCSA-Messaging, MCP

Network Blade Inc.

49 Marcy Street

Somerset, NJ 08873

732-213-0600

www.networkblade.com


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx

[mailto:isalist-bounce@xxxxxxxxxxxxx]

On Behalf Of Michael Ross
Posted At: Wednesday, October 18, 2006 12:01 PM Posted To: ISA
Conversation: [isalist] OT: DNS and Forwarders
Subject: [isalist] Re: OT: DNS and Forwarders

http://www.ISAserver.org
-------------------------------------------------------

Windows 2003 DNS servers?
Believe it or not, ive seen that . It's a cache pollution type of
behavior, with no logging or other signs to prove that.
Try to clear the DNS cache next time and see if it helps.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx

[mailto:isalist-bounce@xxxxxxxxxxxxx]

On Behalf Of ISA
Sent: Wednesday, October 18, 2006 10:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] OT: DNS and Forwarders

http://www.ISAserver.org
-------------------------------------------------------

Steve: Funny you should say that because I've done that a few

times.

DNS stops - I removed the forwards - Restart DNS - DNS works.
DNS stops - I change the forwards - Restart DNS - DNS works.
I want to blame my server but I'm just not sure where the

failure is.


Joseph Danielsen, MCSA-Messaging, MCP

Network Blade Inc.

49 Marcy Street

Somerset, NJ 08873

732-213-0600

www.networkblade.com


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx

[mailto:isalist-bounce@xxxxxxxxxxxxx]

On Behalf Of Steve Moffat
Posted At: Wednesday, October 18, 2006 11:55 AM Posted To: ISA
Conversation: [isalist] OT: DNS and Forwarders
Subject: [isalist] Re: OT: DNS and Forwarders

http://www.ISAserver.org
-------------------------------------------------------

Remove the forwarders.....then see how fast your Internet speed
gets...:)

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx

[mailto:isalist-bounce@xxxxxxxxxxxxx]

On Behalf Of ISA
Sent: Wednesday, October 18, 2006 12:49 PM
To: ISA Mailing List
Subject: [isalist] OT: DNS and Forwarders

http://www.ISAserver.org
-------------------------------------------------------

Hello All -

This might be off-topic, but has anyone every had their

Windows DNS/DC

server intermittently stop forwarding DNS requests?
I checked with the ISP and they don't recognize and

problems on their

end.

JD
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: