Hi Ted, Indeed, the best configuration is that you have dedicated public and private DNS advertisers and DNS resolvers, and your Active Directory DNS servers would never be included as a resolver, but instead would use a trusted resolver that's a cache-only DNS server. I don't see it done that often, but that's a good way to go. I see what you're saying about externally hosted resources. In that case, you would need to include the addresses for the external hosts in your internal zone, but that's different than mixing the internal and internal zones themselves, which is not what you're saying here. Good :) And, you bring up an important use case that I forgot to mention in that article, but will update it before publishing to ISAserver.org Thanks! For the others, the key here is that internal users never contact the external zone DNS server, and the external users never contact the internal zone server. Tom www.isaserver.org/shinder Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Ted Doholis [mailto:tdoholis@xxxxxxxxxxxxx] Sent: Wednesday, April 20, 2005 8:53 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Split DNS Questions... http://www.ISAserver.org Are you suggesting that you should use recursion for your AD domain? I would have thought that the higher security would have come from ensuring that the zone records are within your control thus, no recursion for the internal domain and external records are entered manually into the internal DNS. I guess this is assuming that there are some externally hosted resources using the AD domain name that require access from the internal network. I would never attempt to say that a zone transfer should be done though. I read your article Tom and think it is a good lesson to too many people. Ted Doholis SaltSpring Software Inc. -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, April 20, 2005 9:35 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Split DNS Questions... http://www.ISAserver.org Hi Ted, That's not a good way to go. You should never mix your internal and external zones. A common error, from a security point of view, is to place your external zone records on your internal zone DNS server. The key to a good split DNS is that your external zones are completely separate from your external zones, and that your external zone DNS servers are advertisers only, they should never be resolvers and they should be protected against cache pollution. Check out: http://www.msfirewall.org/isa2004/splitdns/2004illegaltldsplitdns.htm For a high-level discussion of these issues. HTH, Tom www.isaserver.org/shinder Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Ted Doholis [mailto:tdoholis@xxxxxxxxxxxxx] Sent: Wednesday, April 20, 2005 8:23 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Split DNS Questions... http://www.ISAserver.org The problem you are having doesn't seem to be due to either having or not having split DNS. You are having issues with email not being accepted because there is no reverse DNS. Whoever hosts your DNS and is responsible for your domain name should have the whole zone file for forward and reverse DNS and all you need to do is ask them to host a reverse DNS entry for the IP that doesn't have one. If your internal and external domain names are the same, and you are an AD shop then you should already have split DNS?? Just add the entries for those sites that you are hairpinning for to your internal DNS. TD -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Wednesday, April 20, 2005 9:09 AM To: [ISAserver.org Discussion List] Subject: [isalist] Split DNS Questions... http://www.ISAserver.org I haven't really looked into using a Split DNS before because what we had was working "okay". However, I'm running into a few issues that make me wonder if a split DNS would be appropriate for our situation. - We do use the same domain name for the internal network, as is publicly available. Sounds like a perfect situation for a split DNS... - Accessing our own website acts like it's coming from the outside. The ISA logs show it coming in and going out of the internal network, but passing right by the web publishing policy, and hitting my last policy for IntraNet All Protocols. I don't mind it passing through the ISA server, as it doesn't put much of a load on it and I can then see it in the reports. However, I'd like to be able to have it recognize the local connection, and provide authentication. - Since installing Rain Connect, we've been having troubles with some outgoing e-mails. Apparently, one of our IP addresses doesn't have a reverse DNS entry for it, and many organizations won't accept it if they can't do a reverse lookup. So I redirected all TCP port 25 traffic through one of our ISPs. However, whenever that link goes down (and cable modems go down at least once an hour), it redirects the traffic through the other port, and we get some rejected messages. Trying to clear this up with our ISP doesn't seem to be working, so maybe running our own (split) DNS server would clear it up? - Along with the last one comment, we plan on adding a few more ISPs in the future, and removing others. I personally think it would be much easier to do these updates if we ran our own (public) DNS server, instead of the hassle of trying to get all ISPs to change entries all the time. So what do you think? Good scenario for a Split DNS? ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tdoholis@xxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tdoholis@xxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx