Name Resolution

Name Resolution - 6.Apr.2001 9:55:00 AM   
10thLTR

 

Posts: 18
Joined: 30.Mar.2001
Status: offline
I have laptop users that plug into the internet on both sides of the firewall. When they plug into the network their pop accounts don't work any more. That's because mail.domain.com is pointing to the internet IP. Does ISA redirect name resolution?
Post #: 1
RE: Name Resolution - 6.Apr.2001 11:31:00 AM   
Sandro Gauci

 

Posts: 68
Joined: 30.Jan.2001
From: Malta
Status: offline
Hi 10thLTR

Is the mail server on the internet or behind ISA Server?

Also, can you correctly resolve the name to the right IP address of the mail server from the client machine?

------------------
Regards

Sandro Gauci,
GFI Security Labs.

sandro@gfi.com


(in reply to 10thLTR)
Post #: 2
RE: Name Resolution - 6.Apr.2001 5:10:00 PM   
10thLTR

 

Posts: 18
Joined: 30.Mar.2001
Status: offline
Yes, the mail server is behind the firewall, and no, the clients can't resolve the name to the internal IP. The clients resolve the name to the internet IP.

(in reply to 10thLTR)
Post #: 3
RE: Name Resolution - 6.Apr.2001 5:53:00 PM   
Sandro Gauci

 

Posts: 68
Joined: 30.Jan.2001
From: Malta
Status: offline
Then I think you should configure the internal DNS server to respond with the internal IP of the mail server, and configure the clients to use the internal DNS server.


------------------
Regards

Sandro Gauci,
GFI Security Labs.

sandro@gfi.com


(in reply to 10thLTR)
Post #: 4
RE: Name Resolution - 6.Apr.2001 6:14:00 PM   
10thLTR

 

Posts: 18
Joined: 30.Mar.2001
Status: offline
Bear with me, Sandro, I have just one more silly question for you. My internal DNS is also a live DNS server. If I make this change on the server, won't it update the change to the internet?

(in reply to 10thLTR)
Post #: 5
RE: Name Resolution - 6.Apr.2001 8:02:00 PM   
JTSANS

 

Posts: 20
Joined: 26.Feb.2001
Status: offline
You COULD just make a new host table entry on each of the clients. For instance, you could use the name 'popmail' with the internal IP address of the real mail server. Just configure the pop accounts to use the name popmail instead of the real name. I believe that the table entry will take priority over a DNS lookup.

(in reply to 10thLTR)
Post #: 6
RE: Name Resolution - 6.Apr.2001 8:16:00 PM   
jmunyan

 

Posts: 803
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
If your internal dns is managing both internal and external resources it will be difficult to achieve internal and external name resolution as the dns won't be able to determine the correct ip to respond to clients with.

In other words, internal clients may get external addresses returned to them (somewhat unlikely if netmask ordering is used and clients are on the same segment as the mail server). And, more likely, external clients may receive internal IPs (not good).

Additionally, if this DNS server contains AD information, making this server available to internet access opens up public access to your internal namespace, locations of DCs, their names, IPs etc. (very bad!)

What I have done to get around this is set up a dedicated DNS which is forwarded to from the AD DNS. The dedicated DNS only holds public IP information such as MX and A records (with public addresses). This server never transfers zones to or from the AD DNS. The dedicated DNS does not use dynamic update and is entirely static.

This configuration allows clients inside to resolve internal resources fine, as their first DNS is the internal one, knowing of all the internal resources and their internal IPs.

Since the dedicated DNS is the only ISA-published DNS, all internet queries can be pointed at the public side of the NAT associated with services.

Example

Dedicated dns says blah.blah.com a 1.1.1.1
mx blah.blah.com mx 1.1.1.1

Then when you publish the mail system use 1.1.1.1 as the public ip and nat to the internal system. This allows mail delivery, web publishing whatever without opening any holes.

John


(in reply to 10thLTR)
Post #: 7
RE: Name Resolution - 7.Apr.2001 10:34:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Amen, John!

Never, EVER put your internal records on a live server! If you're gonna use the same domain name for internal and external resources, you are going to have to maintain two separate and distinct DNS zone database files.

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to 10thLTR)
Post #: 8
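John's dedicated public zone and Tom's rule that internal records never reach a live server can be checked mechanically. The script below is an added example, not code from the thread or from ISA Server: it parses a constructed zone file for the hypothetical blah.com domain (John's 1.1.1.1 address reused), flags any A record whose address is not globally routable, and flags MX targets that have no public A record in the same zone.

```python
import ipaddress
import re

# Constructed sample of the dedicated public zone from the thread: it should
# hold only A and MX records with public addresses (1.1.1.1 is the thread's
# example). The dc01 record is a deliberately planted leak for the audit to catch.
PUBLIC_ZONE = """\
$ORIGIN blah.com.
ns1     IN  A   1.1.1.1
blah    IN  A   1.1.1.1
@       IN  MX  10 blah.blah.com.
dc01    IN  A   192.168.10.5   ; an AD domain controller that must never appear here
"""

RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|MX)\s+(.+)$")


def parse_zone(zone_text):
    """Return [(owner_fqdn, rtype, rdata)] for the A and MX records in a zone file."""
    origin, records = "", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RR_RE.match(line)
        if not m:
            continue                              # SOA, NS, blank lines: not audited here
        owner, rtype, rdata = m.groups()
        fqdn = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        records.append((fqdn, rtype, rdata.strip()))
    return records


def audit_public_zone(zone_text):
    """Flag A records whose address is not globally routable (RFC 1918 etc.)
    and MX targets with no public A record in this zone. Returns problem strings."""
    records = parse_zone(zone_text)
    problems, a_records = [], {}
    for fqdn, rtype, rdata in records:
        if rtype == "A":
            addr = ipaddress.ip_address(rdata)
            a_records.setdefault(fqdn, []).append(addr)
            if not addr.is_global:
                problems.append(f"internal address leaked: {fqdn} A {addr}")
    for fqdn, rtype, rdata in records:
        if rtype == "MX":
            target = rdata.split()[-1]
            if not any(a.is_global for a in a_records.get(target, [])):
                problems.append(f"MX target lacks a public A record: {fqdn} MX {target}")
    return problems
```

Run `audit_public_zone(PUBLIC_ZONE)` against the exported public zone before each change; an empty list means no internal address or dangling MX target is exposed.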
