[isalist] Re: OT: DNS and Forwarders

  • From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 20 Oct 2006 13:15:58 +1000

http://www.ISAserver.org
-------------------------------------------------------
Yeah, except when you are bound by requiring authentication on web proxy clients on your internal network and you have machines that don't talk integrated auth. Or in the example where the default gateway of the machines is not the ISA Server itself.


I wish I could have that amount of faith in my ISP, but I can recall a number of times in the last few years when even the biggest ISP here has had its DNS server/servers go belly up for a period of time, regardless of the fact that my connection is still stable and people can still get to me. Now maybe that comes down to the price we pay or the level of service/quality, but you live with what you can, and I dare say we are by far not the worst off in that respect.

Anyhow, like I said, I agree with the concept fully and would always strive to make it as secure and functional as possible, but I'm merely trying to illustrate that every situation is different and what's good for the goose is not always good for the gander.

Greg


http://www.ISAserver.org
-------------------------------------------------------

Even with other clients, the web proxy handles that.  So unless you have to
have a linux box be able to telnet out to a host name or something then
you're still covered.  Worst case, just make them SNAT clients and allow
them to hit the DMZ DNS server based on IP... Problem solved, same level of
protection, just with noted exceptions as they may occur.

And I've already got reliance on my ISP.  I mean, they're my ISP.  If I
hosted my own DNS that was published (a scenario I already outlined) and
they had problems, people couldn't reach my DNS servers anyway.  So that's
kind of a moot point.

With any of the commercial grade providers here servicing corporate clients
it's a no brainer.  But even if you had to publish it yourself, you could
basically arrive at the same thing with perimeter networks or whatever.

Point is, the general configuration has everything to offer, and nothing to
lose other than what you would have already lost for your "special"
circumstances anyway.  Better security, better performance, flexible
administration.  If you've got to work around "proper" solutions because you
don't have ISPs that are worth a crap, then you're not really addressing
the true problem...

t


----- Original Message -----
From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxx>
To: <isalist@xxxxxxxxxxxxx>
Sent: Thursday, October 19, 2006 4:04 PM
Subject: [isalist] Re: OT: DNS and Forwarders



Agree with not allowing LAN boxes UDP 53 out and in.

However, in a mixed environment where you have Unix/Linux/VMS and other non-MS machines where the FWC is not available, it kinda doesn't work. Also, the whole premise is based on a reliance on the ISP; I'm sure they would understand your concerns when your DNS namespace resolution is up the spout and would be very prompt in fixing your problem. I've had issues with most of the ISPs (at least in AUS), and my decision to rely on them dies as long as I am here.

.02, Thanks

Greg
----- Original Message -----
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: <isalist@xxxxxxxxxxxxx>
Sent: Thursday, October 19, 2006 1:50 PM
Subject: [isalist] Re: OT: DNS and Forwarders




I've found that many people seem to dance over the security ramifications of
DNS/forwarders when designing an infrastructure. I had some off-list
conversations about this, and thought that it may be valuable to fully
flesh-out what I think the issues are and how to avoid them. Now's also
probably a good time to share my "trick" regarding publicly available DNS
and minimizing service exposure. So, for the benefit of those who are
interested:


When AD DNS is configured as a forwarder, all domain members using that DNS
server will be able to resolve hostnames directly from their IP stack.
There is no operational reason to have this-- when one considers that most
spyware/malware/trojans/backdoors/shells/etc typically depend on hostname
lookups for direct access to a resource, the capability of a client box to
perform direct host lookups outside your network should (to me) be
considered unwanted and un-needed. Personally, I qualify it as "dangerous."


That's why I always configure my AD DNS with a root (.) zone- that way, only
local zones may be queried by the client's stack. I typically only use web
proxy clients for HTTP(S)/FTP where all DNS is proxied by the ISA box. If
one needs direct DNS for another application (say DOS FTP) then use the FWC
and all DNS will be resolved over the control channel, still being proxied
by the ISA server.


The ISA server itself will have whatever "public" DNS server configured in
its stack so that it can do the resolution for the clients.


Not only is direct client DNS "dangerous," but having an AD box set up as a
forwarder is "dangerous" as well as the box must be configured to access a
remote resource over TCP/UDP 53. This also means that you've opened that
box up for incoming traffic on TCP/UDP 53 as well. Having static paths into
your internal network from source port routing is crazy. I can push
anything I want over 53, not just DNS (and have ;). Remember, the DNS
filter is only for published DNS servers, not clients requesting DNS
lookups.


But there is the issue of one wanting complete control over host names and
the need to publish your own DNS. This is what the DMZ is for. The DMZ box
is set as a forwarding server, and the internal ISA box is set to use that
box for all DNS requests. In this way, only the ISA box itself needs to
request DNS outside the internal network, and it is already protected. In
this manner, there is no DNS leaving the internal network at all, and no
static ports into the internal network-- only the ISA box looking up DNS,
and only to that DMZ resource. The DNS server in the DMZ is protected by
the border ISA box, which (where necessary) is publishing DNS to the DMZ for
remote hosts to look up your domain information. And here the DNS filter is
used.


But you can get even better than that-- you can actually be fully in control
of your own zone data without having to actually publish your DNS to the
world if you have a decent ISP.


Here's what I do for that-- I have DMZ DNS servers set up as primary DNS
zones, and have told my ISP to set up their servers as secondary zones for
my domains. The DMZ box can only zone transfer to the IPs of my ISP's DNS
servers. Additionally the DMZ box is set to forward to my ISP's cache
servers. So, at this point, all internal AD DNS is stopped at the
controller, and only the ISA box can resolve DNS and only to the DMZ DNS
server. My internal Exchange clusters' stack resolves to the AD controller,
and they smart host deliver mail to my DMZ GFI gateway, so still no DNS
leaving. The GFI box in the DMZ uses the DMZ DNS.


The trick is that though I'm primary DNS, and though any changes I make to
my DNS hosts are immediately replicated to my ISP as secondary DNS, I've
registered my DNS with the domain registry as my *ISP* being primary. So
the world resolves my host names via my *ISP's* DNS servers, not *mine*. I
don't even have to publish DNS at all.


The end result is that no DNS requests leave my internal network at all,
except for a single DNS box in the DMZ that can only resolve to the ISP DNS
caches. There is no publishing at all, no internal paths, no vulns, nothing
at all since the world resolves to the ISP boxes yet I have full control
over all host name entries.


It's a pretty tight config.

t
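The resolution and zone-transfer paths in the design described above, modelled as an added example (this is not code from the list or from ISA Server): an AD DNS with a root (.) zone and no forwarders, ISA resolving only through the DMZ DNS, and the DMZ DNS forwarding to the ISP cache and serving AXFR only to the ISP's secondaries, next to the forwarder configuration the post warns against. All host names and addresses are constructed.

```python
"""Added model of the split-DNS design in the post above; not code from the list
or from ISA Server. Every host name and address here is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

NXDOMAIN = None  # a lookup that yields no record


@dataclass
class DnsServer:
    name: str
    zones: Dict[str, Dict[str, str]]  # zone -> {fqdn: ip}; "." marks a root zone
    forwarders: List["DnsServer"] = field(default_factory=list)
    xfer_allowed_from: Set[str] = field(default_factory=set)  # secondary IPs

    def resolve(self, qname: str) -> Optional[str]:
        # Longest matching hosted zone wins. A hosted root (.) zone matches
        # every remaining name, so the answer is an authoritative NXDOMAIN and
        # the query never reaches a forwarder or the root hints.
        for zone in sorted(self.zones, key=len, reverse=True):
            if zone == "." or qname == zone or qname.endswith("." + zone):
                return self.zones[zone].get(qname, NXDOMAIN)
        for fwd in self.forwarders:  # no hosted zone: ask the forwarder(s)
            ip = fwd.resolve(qname)
            if ip is not NXDOMAIN:
                return ip
        return NXDOMAIN

    def zone_transfer(self, zone: str, client_ip: str) -> Optional[Dict[str, str]]:
        # AXFR is served only to the configured secondaries (the ISP's servers).
        if zone not in self.zones or client_ip not in self.xfer_allowed_from:
            return None  # REFUSED
        return dict(self.zones[zone])


# The ISP's cache stands in for everything resolvable on the Internet.
isp_cache = DnsServer("isp-cache", {"net.example": {"cdn.net.example": "192.0.2.80"}})
# DMZ DNS: primary for the public zone, forwards to the ISP, AXFR only to the ISP.
dmz_dns = DnsServer("dmz-dns", {"example.com": {"www.example.com": "203.0.113.10"}},
                    forwarders=[isp_cache], xfer_allowed_from={"198.51.100.53"})
# AD DNS with a root zone: local zones only, no forwarders at all.
ad_dns = DnsServer("ad-dns", {".": {}, "corp.example": {"dc1.corp.example": "10.0.0.10"}})
# ISA's own stack points only at the DMZ DNS; it resolves on behalf of proxy clients.
isa = DnsServer("isa", {}, forwarders=[dmz_dns])
# The configuration the post warns against: AD DNS forwarding straight to the ISP.
ad_dns_forwarding = DnsServer("ad-dns-fwd", {"corp.example": ad_dns.zones["corp.example"]},
                              forwarders=[isp_cache])


def audit() -> Dict[str, bool]:
    """Each check is True when the design behaves as the post describes."""
    return {
        "internal_resolves_local": ad_dns.resolve("dc1.corp.example") == "10.0.0.10",
        "internal_gets_nxdomain_for_external": ad_dns.resolve("cdn.net.example") is NXDOMAIN,
        "proxy_client_resolves_via_isa": isa.resolve("cdn.net.example") == "192.0.2.80",
        "axfr_refused_to_arbitrary_host": dmz_dns.zone_transfer("example.com", "192.0.2.200") is None,
        "axfr_served_to_isp_secondary": dmz_dns.zone_transfer("example.com", "198.51.100.53") is not None,
        "forwarder_config_leaks_client_dns": ad_dns_forwarding.resolve("cdn.net.example") == "192.0.2.80",
    }
```

The last check is the contrast case: with a forwarder on the AD DNS instead of a root zone, a domain member's own stack resolves external names directly, which is exactly the capability the post calls unwanted.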



On 10/18/06 11:01 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
all:



The T-Man is definitely right about this.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)



-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Wednesday, October 18, 2006 12:52 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: OT: DNS and Forwarders


Why do your internal clients need to resolve DNS directly?  I never ever use
forwarders on my AD boxes.  I always create root zones on my AD DNS servers
and only use ISA to resolve DNS for web proxy/fw clients.

That's where what I consider "true" security and separation comes from.

t


On 10/18/06 9:13 AM, "ISA" <ISA@xxxxxxxxxxxxxxxx> spoketh to all:



This actually has happened with and without forwarders -

Steve, I interpret your suggestion as using only the Root Hints?



Joseph Danielsen, MCSA-Messaging, MCP
Network Blade Inc.
49 Marcy Street
Somerset, NJ 08873
732-213-0600
www.networkblade.com


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Posted At: Wednesday, October 18, 2006 12:08 PM
Posted To: ISA
Conversation: [isalist] Re: OT: DNS and Forwarders
Subject: [isalist] Re: OT: DNS and Forwarders


FWIW..... I have 2 caching-only DNS servers that I set up to use as
forwarders for my AD DNS servers; when I use them, I get the very same
issue. If, however, I remove them from the forwarders section, I have no
DNS issues at all whatsoever, anytime.

S

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of ISA
Sent: Wednesday, October 18, 2006 1:03 PM
To: ISA Mailing List
Subject: [isalist] Re: OT: DNS and Forwarders

http://www.ISAserver.org
-------------------------------------------------------

Thanks Mike:

I will try clearing the cache, but this happens now about every day
(morning usually). I really have to find the source of the problem.




-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
Posted At: Wednesday, October 18, 2006 12:01 PM
Posted To: ISA
Conversation: [isalist] OT: DNS and Forwarders
Subject: [isalist] Re: OT: DNS and Forwarders


Windows 2003 DNS servers?
Believe it or not, I've seen that. It's a cache-pollution type of
behavior, with no logging or other signs to prove that.
Try to clear the DNS cache next time and see if it helps.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of ISA
Sent: Wednesday, October 18, 2006 10:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] OT: DNS and Forwarders


Steve: Funny you should say that because I've done that a few times.

DNS stops - I removed the forwards - Restart DNS - DNS works.
DNS stops - I change the forwards - Restart DNS - DNS works.

I want to blame my server but I'm just not sure where the failure is.




-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Posted At: Wednesday, October 18, 2006 11:55 AM
Posted To: ISA
Conversation: [isalist] OT: DNS and Forwarders
Subject: [isalist] Re: OT: DNS and Forwarders


Remove the forwarders..... then see how fast your Internet speed gets... :)

S

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of ISA
Sent: Wednesday, October 18, 2006 12:49 PM
To: ISA Mailing List
Subject: [isalist] OT: DNS and Forwarders


Hello All -

This might be off-topic, but has anyone ever had their Windows DNS/DC
server intermittently stop forwarding DNS requests?

I checked with the ISP and they don't recognize any problems on their
end.

JD
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
