If your internal DNS is managing both internal and external resources it will be difficult to achieve internal and external name resolution, as the DNS won't be able to determine the correct IP to respond to clients with. In other words, internal clients may get external addresses returned to them (somewhat unlikely if netmask ordering is used and clients are on the same segment as the mail server). And, more likely, external clients may receive internal IPs (not good). Additionally, if this DNS server contains AD information, making this server available to internet access opens up public access to your internal namespace, locations of DCs, their names, IPs etc. (very bad!)

What I have done to get around this is set up a dedicated DNS which is forwarded to from the AD DNS. The dedicated DNS only holds public IP information such as MX and A records (with public addresses). This server never transfers zones to or from the AD DNS. The dedicated DNS does not use dynamic update and is entirely static. This configuration allows clients inside to resolve internal resources fine, as their first DNS is the internal one, knowing of all the internal resources and their internal IPs. Since the dedicated DNS is the only ISA-published DNS, all internet queries can be pointed at the public side of the NAT associated with the services.

Example: the dedicated DNS says "blah.blah.com A 1.1.1.1, MX blah.blah.com, MX 1.1.1.1". Then, when you publish the mail system, use 1.1.1.1 as the public IP and NAT to the internal system. This allows mail delivery, web publishing, whatever, without opening any holes.

John
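The check a practitioner would want before exposing the "dedicated" DNS is that its static zone really contains only public data: no RFC 1918 or other non-global addresses, no Active Directory locator SRV records (_ldap, _kerberos, _gc, _kpasswd), and MX targets that resolve inside the zone to public addresses. The script below is an added example, not part of John's post or any product's code; it parses a small zone file in the common BIND text format and reports records that would leak internal information. The zone text is constructed for the example, reuses the post's placeholder address 1.1.1.1 as the public NAT side, and deliberately includes two internal records so the check has something to report. The parser is minimal by design (explicit owner on every line, one record per line).

```python
"""Audit a public-only DNS zone for internal-information leaks.

Added example for the split-DNS design described in the post: the dedicated,
static, internet-facing DNS must hold only public addresses and no AD records.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample zone (not from the post). 1.1.1.1 is the post's placeholder
# for the public NAT address. The last two records are deliberate mistakes that
# the audit should flag: an internal host and a domain controller.
SAMPLE_ZONE = """
$ORIGIN blah.com.
@     IN  SOA  ns1.blah.com. hostmaster.blah.com. (1 3600 900 604800 86400)
@     IN  NS   ns1.blah.com.
ns1   IN  A    1.1.1.1
blah  IN  A    1.1.1.1
@     IN  MX   10 blah.blah.com.
; records like the two below belong only in the internal AD DNS
intranet  IN  A  10.0.0.5
dc1       IN  A  192.168.1.10
"""

Record = Tuple[str, str, List[str]]  # (owner FQDN, record type, rdata tokens)
RTYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "SRV", "TXT"}
# Owner-name prefixes of the SRV records an AD domain publishes for DC location.
AD_SRV_PREFIXES = ("_ldap.", "_kerberos.", "_gc.", "_kpasswd.")


def parse_zone(text: str) -> List[Record]:
    """Parse a simple BIND-style zone: $ORIGIN, comments, one record per line."""
    origin = "."
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        owner = tokens[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"        # make relative names absolute
        i = 1                                   # skip optional TTL and class
        while i < len(tokens) and tokens[i].upper() not in RTYPES:
            i += 1
        if i == len(tokens):
            raise ValueError(f"unrecognised record: {raw!r}")
        records.append((owner.lower(), tokens[i].upper(), tokens[i + 1:]))
    return records


def find_leaks(records: List[Record]) -> List[str]:
    """Return one message per record that must not appear in a public zone."""
    problems: List[str] = []
    addresses: Dict[str, List[str]] = {}
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addresses.setdefault(owner, []).append(rdata[0])
            # is_global is False for RFC 1918, loopback, link-local, etc.
            if not ipaddress.ip_address(rdata[0]).is_global:
                problems.append(f"{owner} {rtype} {rdata[0]}: non-public address in public zone")
        elif rtype == "SRV" and owner.startswith(AD_SRV_PREFIXES):
            problems.append(f"{owner} SRV: Active Directory locator record in public zone")
    # In the post's design the MX target is an A record in this same static zone,
    # so an MX pointing at a name with no address here is flagged as well.
    for owner, rtype, rdata in records:
        if rtype == "MX" and rdata[1].lower() not in addresses:
            problems.append(f"{owner} MX -> {rdata[1]}: target has no A/AAAA record in this zone")
    return problems


if __name__ == "__main__":
    for problem in find_leaks(parse_zone(SAMPLE_ZONE)):
        print("LEAK:", problem)
```

Run it against the zone file of the dedicated server before it is published; an empty result is what the post's design requires, and any A/AAAA record with a private address, or any _ldap/_kerberos SRV record, means AD data has crept into the public zone.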