Re: Help - External DNS & SMTP relay



rileymartin <rileymartin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> I purchased static IP address and cablemodem service and need to
> install an external DNS server

Do you mean you want to host your domains' public DNS in-house? With a cable
modem?

This is a very bad idea. You need two separate nameservers to do this, and
they shouldn't even be on the same IP subnet.

Nor should any of this touch your LAN at all. Your AD must be kept entirely
separated and protected.

I strongly suggest you rethink this.....it's something best left to an
outside service provider who has a datacenter full of powerful redundant
everything.

> and an SMTP relay service for an
> internal email server.

Even if you decide to host your public DNS like this, I wouldn't recommend
that you put this service on the same box.


> I would like to use Windows 2003 server and
> turn on the firewall/ICS that comes with sp2.

The Windows firewall would not be sufficient for this purpose anyway. Sorry
to be a wet blanket, but I think you're asking for a heap o trouble by
trying to do this yourself.

Post in microsoft.public.windows.server.dns for more expert help, but I
suspect you'll be told the same thing by others in there.



> I looked up
> information on Technet for securing 2003 and DNS and didn't find any
> really good documents. What I did find was general information on
> Windows firewall/ICS and the general best practices for DNS I have
> listed below. Does anyone have any recommendations they can provide?
> Thanks.
>
> 1) Protect the DNS infrastructure of your organization by utilizing an
> internal root and name space.
> 2) Only the external DNS server is configured with Internet root
> hints.
> 3) All internal DNS servers are configured only with the root
> hints pointing to the internal DNS servers hosting the root zone for
> your internal name space.
> 4) All DNS servers run on domain controllers with all DNS zones
> stored in Active Directory. Active Directory DACLs are utilized to
> secure administration of DNS. All DNS servers are configured with
> NTFS as the file system.
> 5) External DNS resolution is only performed by your external DNS
> server. The internal DNS servers point to the external DNS server.
> 6) Internal DNS servers are configured to only permit zone transfers
> to specific internal DNS servers.
> 7) The default setting of cache pollution prevention is enabled.
> 8) UDP/TCP port 53 is only open between one of your internal DNS
> servers and only your external DNS server through a firewall in your
> DMZ.
> 9) Only secure dynamic DNS updates are allowed for all zones
> except for the top-level and root zones, which do not allow dynamic
> updates at all.
> 10) All Internet name resolution is performed using
> proxy servers and gateways.
> 11) Utilize Windows Firewall and create exceptions only for DNS ports
> TCP and UDP port 53.
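Several items in the quoted list (5, 6, 7, 8, 9 and 11) correspond to single server settings on a Windows Server 2003 DNS server, and can be applied and then read back with the dnscmd and netsh tools that ship with the OS. The script below is an added example for this thread, not anything either poster or Microsoft supplied; the zone name, the internal peer address and the external resolver address are placeholders I chose, and it assumes it is run as an administrator on the internal DNS server itself. Items 1 to 4 and 10 are design decisions (internal root, AD-integrated zones with DACLs, proxy-only Internet resolution) rather than one-line settings, so they are not covered here.

```powershell
# Added example: applying the single-setting items of the quoted DNS
# hardening list on a Windows Server 2003 DNS server. Every name and
# address below is an assumed placeholder, not a value from the thread.

$Zone         = 'corp.example.local'   # assumed AD-integrated internal zone
$InternalPeer = '10.0.0.11'            # assumed second internal DNS server
$ExternalDns  = '192.0.2.53'           # assumed DMZ resolver (documentation range)

# Item 7: cache pollution prevention. With SecureResponses=1 the server
# discards answer/additional records that fall outside the name tree
# it actually queried, so a remote server cannot plant records for
# unrelated names in the cache.
dnscmd /Config /SecureResponses 1

# Item 9: dynamic updates only when the client authenticates (Kerberos
# via the AD-integrated zone). 0 = none, 1 = nonsecure and secure, 2 = secure only.
dnscmd /Config $Zone /AllowUpdate 2

# Item 6: AXFR/IXFR zone transfers only to the listed internal server,
# never to whoever asks.
dnscmd /ZoneResetSecondaries $Zone /SecureList $InternalPeer

# Item 5: Internet names are resolved only through the external resolver;
# this server keeps no Internet root hints of its own in use.
dnscmd /ResetForwarders $ExternalDns

# Items 8 and 11: Windows Firewall (SP2 netsh "firewall" context) gets a
# port 53 exception for UDP and TCP, scoped to the one internal peer and
# the external resolver rather than opened to everyone.
foreach ($proto in 'UDP', 'TCP') {
    & netsh firewall add portopening "protocol=$proto" port=53 `
        "name=DNS $proto" mode=ENABLE scope=CUSTOM `
        "addresses=$InternalPeer,$ExternalDns"
}

# Verification: read the settings back instead of trusting exit codes.
# /Info dumps the server-level configuration (SecureResponses, forwarders),
# /ZoneInfo dumps the zone's update and secondary-transfer policy, and
# the firewall listing shows the scoped exceptions.
dnscmd /Info
dnscmd /ZoneInfo $Zone
netsh firewall show portopening
```

If the verification output still shows unrestricted secondaries or an exception with scope ALL, the corresponding command did not take, which is usually a permissions problem (dnscmd needs DNS Admins or local administrator rights) rather than a syntax one.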





