RE: Split DNS Questions...

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 20 Apr 2005 09:01:24 -0500

Hi Ted,

Indeed, the best configuration is that you have dedicated public and
private DNS advertisers and DNS resolvers, and your Active Directory DNS
servers would never be included as a resolver, but instead would use a
trusted resolver that's a cache-only DNS server. I don't see it done
that often, but that's a good way to go.

I see what you're saying about externally hosted resources. In that
case, you would need to include the addresses for the external hosts in
your internal zone, but that's different than mixing the internal and
internal zones themselves, which is not what you're saying here. Good :)
And, you bring up an important use case that I forgot to mention in that
article, but will update it before publishing to ISAserver.org. Thanks!

For the others, the key here is that internal users never contact the
external zone DNS server, and the external users never contact the
internal zone server. 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
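As an added example (not code from the thread, from ISAserver.org, or from any of the posters), here is a small offline audit of the rules Tom lays out and of Dan's reverse-DNS problem: the external advertiser zone must not publish RFC 1918 addresses, the advertiser must not recurse, and every MX target needs a PTR. It assumes BIND-style zone files and a named.conf fragment, all constructed inline; the PTR check assumes the MX host lives in the same zone and that the reverse zone is the /24 containing it.

```python
import ipaddress
import re

# Constructed zone for the public (advertiser) DNS server. 203.0.113.0/24 is
# documentation space standing in for public addresses. The "intranet" record
# is a deliberate mistake: an RFC 1918 address leaked into the external zone.
EXTERNAL_ZONE = """\
$ORIGIN example.com.
@        IN SOA ns1.example.com. hostmaster.example.com. (2005042001 3600 900 604800 300)
@        IN NS  ns1.example.com.
@        IN MX  10 mail.example.com.
ns1      IN A   203.0.113.10
www      IN A   203.0.113.20
mail     IN A   203.0.113.25
intranet IN A   10.0.0.20
"""
# Constructed reverse zone (assumed to be the /24 of the MX): there is no PTR
# for 203.0.113.25, the condition that gets outbound mail rejected.
REVERSE_ZONE = """\
$ORIGIN 113.0.203.in-addr.arpa.
10 IN PTR ns1.example.com.
20 IN PTR www.example.com.
"""
# Constructed named.conf fragment: "recursion yes" on an advertiser turns it
# into a resolver, the other error the thread warns about.
EXTERNAL_CONF = 'options {\n    directory "/var/named";\n    recursion yes;\n};\n'

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|MX|PTR)\s+(?:\d+\s+)?(\S+)\s*$", re.M)

def records(zone_text, rtype):
    """(owner, rdata) pairs of one record type; ';' comment lines are ignored."""
    return [(o, d) for o, t, d in RR_RE.findall(zone_text) if t == rtype and not o.startswith(";")]

def audit_advertiser(zone_text, reverse_text, conf_text):
    """Return a list of findings against the split-DNS rules from the thread."""
    findings = []
    a_records = dict(records(zone_text, "A"))
    for owner, addr in a_records.items():  # rule 1: no internal addresses outside
        if any(ipaddress.ip_address(addr) in net for net in RFC1918):
            findings.append(f"internal address {addr} published for {owner}")
    ptrs = {o for o, _ in records(reverse_text, "PTR")}  # last-octet owners
    for _, mx_host in records(zone_text, "MX"):  # rule 2: every MX has a PTR
        addr = a_records.get(mx_host.split(".")[0])
        if addr and addr.split(".")[-1] not in ptrs:
            findings.append(f"no PTR for MX {mx_host} ({addr})")
    if not re.search(r"recursion\s+no\s*;", conf_text):  # rule 3: advertiser only
        findings.append("recursion not disabled on advertiser")
    return findings
```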


-----Original Message-----
From: Ted Doholis [mailto:tdoholis@xxxxxxxxxxxxx] 
Sent: Wednesday, April 20, 2005 8:53 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Split DNS Questions...

http://www.ISAserver.org



Are you suggesting that you should use recursion for your AD domain? I
would have thought that the higher security would have come from
ensuring that the zone records are within your control, thus no
recursion for the internal domain, and external records are entered
manually into the internal DNS.

I guess this is assuming that there are some externally hosted resources
using the AD domain name that require access from the internal network.
I would never attempt to say that a zone transfer should be done though.


I read your article Tom and think it is a good lesson to too many
people. 

Ted Doholis
SaltSpring Software Inc.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, April 20, 2005 9:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Split DNS Questions...

http://www.ISAserver.org

Hi Ted,

That's not a good way to go. You should never mix your internal and
external zones. A common error, from a security point of view, is to
place your external zone records on your internal zone DNS server. The
key to a good split DNS is that your external zones are completely
separate from your external zones, and that your external zone DNS
servers are advertisers only, they should never be resolvers and they
should be protected against cache pollution.

Check out:
http://www.msfirewall.org/isa2004/splitdns/2004illegaltldsplitdns.htm

For a high-level discussion of these issues.

HTH, 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Ted Doholis [mailto:tdoholis@xxxxxxxxxxxxx] 
Sent: Wednesday, April 20, 2005 8:23 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Split DNS Questions...

http://www.ISAserver.org

The problem you are having doesn't seem to be due to either having or
not having split DNS. 

You are having issues with email not being accepted because there is no
reverse DNS. 

Whoever hosts your DNS and is responsible for your domain name should
have the whole zone file for forward and reverse DNS and all you need to
do is ask them to host a reverse DNS entry for the IP that doesn't have
one. 

If your internal and external domain names are the same, and you are an
AD shop then you should already have split DNS?? Just add the entries
for those sites that you are hairpinning for to your internal DNS. 

TD

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Wednesday, April 20, 2005 9:09 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Split DNS Questions...

http://www.ISAserver.org

I haven't really looked into using a Split DNS before because what we
had was working "okay".  However, I'm running into a few issues that
make me wonder if a split DNS would be appropriate for our situation.

- We do use the same domain name for the internal network, as is
publicly available.  Sounds like a perfect situation for a split DNS...

- Accessing our own website acts like it's coming from the outside.  The
ISA logs show it coming in and going out of the internal network, but
passing right by the web publishing policy, and hitting my last policy
for IntraNet All Protocols.  I don't mind it passing through the ISA
server, as it doesn't put much of a load on it and I can then see it in
the reports.  However, I'd like to be able to have it recognize the
local connection, and provide authentication.

- Since installing Rain Connect, we've been having troubles with some
outgoing e-mails.  Apparently, one of our IP addresses doesn't have a
reverse DNS entry for it, and many organizations won't accept it if they
can't do a reverse lookup.  So I redirected all TCP port 25 traffic
through one of our ISPs.  However, whenever that link goes down (and
cable modems go down at least once an hour), it redirects the traffic
through the other port, and we get some rejected messages.  Trying to
clear this up with our ISP doesn't seem to be working, so maybe running
our own (split) DNS server would clear it up?

- Along with the last comment, we plan on adding a few more ISPs in
the future, and removing others.  I personally think it would be much
easier to do these updates if we ran our own (public) DNS server,
instead of the hassle of trying to get all ISPs to change entries all
the time.

So what do you think?  Good scenario for a Split DNS?



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tdoholis@xxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx