Is the mail server on the internet or behind
ISA server ?

Also, can you correctly resolve the Name to
the right IP address or the mail server from
the client machine ?

------------------
Regards

Sandro Gauci,
GFI Security Labs.
sandro@gfi.com

------------------
Regards

Sandro Gauci,
GFI Security Labs.
sandro@gfi.com

In other words internal clients may get external addresses returned to them (somewhat unlikly if netmask ordering is used and clients are on the same segment as the mail server). And more likely external clients may recieve internal ips (not good).

Additionally, if this dns server contains ad information making this server availible to internet access opens up public access to your internal namespace, locations of dc's, their names, ips etc (very bad!)

What I have done to get around this is set up a dedicated dns which is forwareded to from the ad dns. The dedicated dns only holds public ip information such as mx and a records (with public addresses). This server never transfers zone to or from the ad dns. The dedicated dns does not use dynamic update and is entirely static.

This configuration allows clients inside to resolve internal resouces fine as their first dns is the internal one knowing of all the internal resources and their internal ips.

Since the dedicated dns is the only isa published dns all internet queries can be pointed at the public side of nat associated with services.

Example

Dedicated dns says blah.blah.com a 1.1.1.1
mx blah.blah.com mx 1.1.1.1

Then when you publish the mail system use 1.1.1.1 as the public ip and nat to the internal system. This allows mail delivery, web publishing whatever without opening any holes.

John

Never, EVER put your internal records on a live server! If you're gonna use the same domain name for internal and external resources, you have going to have to maintain two separate and distinct DNS zone database files.

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/