RE: Discussion about article on ISA firewalls protecting illegal TLDs

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure >> RE: Discussion about article on ISA firewalls protecting illegal TLDs Page: <<   < prev  1 [2] 3 4 5   next >   >>
Login
Message << Older Topic   Newer Topic >>
RE: Discussion about article on ISA firewalls protectin... - 3.Feb.2006 1:02:15 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: trw2006

Now I understand the split DNS. TY. While implementing the instructions in this article I found some discrepancies that happened while I configured my SBS 2003 server.

When entering host A records for the internal side DNS, I noticed that checking "create pointer" resulted in an error message stating I could not do it because I had no reverse lookup zone related to the new forward zone. So I created them anyway w/o pointers. Is a reverse zone needed here? Hmm, I saw dozens of other posts elsewhere of stumped people too, not from your article though.

On the step where the new zone is created, the "forward" type was not mentioned, but of course it was implied. Newbies like me need all the details. That's not a biggie, but the steps do not mention that under the properties of the new zone, when created, "allow zone transfers" is checked by default, and that could be bad, as I read. I only noticed it because I check over the properties on all this stuff and some folks aren't so thorough.

4/5 stars on this and TY Tom for the great info. I enjoy and appreciate all your articles. TW


Hi TRW,

Thanks!

BTW -- there's no problem for you to create the reverse lookup zone.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to trw2006)
Post #: 21
RE: Discussion about article on ISA firewalls protectin... - 10.Feb.2006 8:59:00 PM   
jle2005

 

Posts: 37
Joined: 19.Jan.2006
Status: offline
Hello Tom,

Could you write a step by step guide on how to create those two DNS Servers publishing rules? Thank you

(in reply to tshinder)
Post #: 22
RE: Discussion about article on ISA firewalls protectin... - 12.Feb.2006 7:59:15 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jle,

Sure, but what two DNS servers are you referring to?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jle2005)
Post #: 23
RE: Discussion about article on ISA firewalls protectin... - 13.Feb.2006 9:56:19 PM   
jle2005

 

Posts: 37
Joined: 19.Jan.2006
Status: offline
quote:

Create Two Server Publishing Rules Publishing Your Public DNS Servers (if you host your own DNS servers)

If you plan on hosting your own DNS servers, then you will need to create two Server Publishing Rules using two different IP addresses on the external interface of the ISA firewall. I highly recommend that you place these DNS servers, which are responsible for the external zone of your split DNS, on an anonymous access DMZ segment. Hosts on this DMZ segment should not have any access to your internal network and no primary connections should be allowed outbound from the DMZ segment. The only outbound traffic from this segment (at least from the DNS servers) should be response traffic in response to DNS queries made via the DNS Server Publishing Rules.

You should take special care in configuring these public DNS servers. Several settings will go a long way to securing the external end of your split DNS:

  • Configure the DNS servers to secure against cache pollution (this is the default for Windows Server 2003 DNS servers)
  • Disable recursion on these DNS servers. You do not want these servers to resolve names for hosts in domains for which these servers are not authoritative. That is to say, you only want them to answer queries for the zones they host and no others
  • Disable dynamic updates for these zones. You don't want an intruder to take advantage of the Windows DNS dynamic update feature
  • Disable zone transfers from the DNS server. This can be configured in the DNS server Properties dialog box on the Zone Transfers tab
  • Enable only UDP port 53 for the DNS Server Publishing Rule. This prevents attempts to perform a zone transfer from the published DNS server, as a zone transfer will contain too many records to fit into a single UDP datagram

By applying these DNS configuration options you'll significantly reduce the risk of potential attacks against your DNS server.

    Hi Tom,

    The two DNS servers that you mentioned above.

    (in reply to tshinder)
    Post #: 24
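The quoted article lists the settings that matter on the published DNS servers (cache pollution protection, no recursion, no dynamic updates, no zone transfers). The audit below is an added example, not part of the article or this thread; it assumes the DnsServer PowerShell module (Windows Server 2012 and later, so not the 2003-era dialogs the article describes) and a hypothetical server name `dns-ext01`.

```powershell
# Audit-PublicDns.ps1 (hypothetical file name): report any of the hardening
# settings from the article that are not in the expected state on a
# public-facing, authoritative-only Windows DNS server.
param(
    [string]$Server = 'dns-ext01'   # hypothetical name of the published DNS server
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Cache pollution protection is on by default; confirm nobody switched it off.
$cache = Get-DnsServerCache -ComputerName $Server
if (-not $cache.EnablePollutionProtection) {
    $findings.Add('cache pollution protection is disabled')
}

# 2. Recursion must be off: the server should answer only for the zones it hosts.
$recursion = Get-DnsServerRecursion -ComputerName $Server
if ($recursion.Enable) {
    $findings.Add('recursion is enabled; server will resolve names it is not authoritative for')
}

# 3. and 4. Per hosted primary zone: no dynamic updates, no zone transfers.
$zones = Get-DnsServerZone -ComputerName $Server |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
foreach ($z in $zones) {
    if ($z.DynamicUpdate -ne 'None') {
        $findings.Add("zone $($z.ZoneName): dynamic update is '$($z.DynamicUpdate)'")
    }
    if ($z.SecureSecondaries -ne 'NoTransfer') {
        $findings.Add("zone $($z.ZoneName): zone transfers allowed ('$($z.SecureSecondaries)')")
    }
}

# 5. "UDP 53 only" is enforced by the ISA Server Publishing Rule, not on the
#    DNS server itself, so it cannot be checked from here.

if ($findings.Count -eq 0) {
    Write-Output "${Server}: all checked settings match the hardened configuration"
} else {
    $findings | ForEach-Object { Write-Output "${Server}: $_" }
}
```

The same module remediates the findings with `Set-DnsServerRecursion -Enable $false` and `Set-DnsServerPrimaryZone -Name <zone> -DynamicUpdate None -SecureSecondaries NoTransfer`.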
    RE: Discussion about article on ISA firewalls protectin... - 15.Feb.2006 5:18:04 PM   
    tshinder

     

    Posts: 50013
    Joined: 10.Jan.2001
    From: Texas
    Status: offline
    Hi Jle,

    Oh, those two.

    It's pretty easy, just click the Create a New Server Publishing Rule link on the Tasks tab in the Tasks Pane. Create the first DNS server publishing rule and then repeat the procedure to create the second one.

    HTH,
    Tom

    _____________________________

    Thomas W Shinder, M.D.

    (in reply to jle2005)
    Post #: 25
    RE: Discussion about article on ISA firewalls protectin... - 15.Feb.2006 11:16:37 PM   
    dglasgow

     

    Posts: 21
    Joined: 9.Jun.2003
    Status: offline
    I am trying to implement Split DNS, but my problem is as follows. I have web sites hosted ON the ISA 2004 server. These sites are on a port different from 80 (they use 9999) and rely on host headers. When I implement the split dns, internal clients are not able to access the web sites because (I believe) the dns is pointing them to the IP, but not the correct port. Nslookup shows that internal clients are properly seeing the correct ip address for the fqdn. Any suggestions?

    (in reply to tshinder)
    Post #: 26
    RE: Discussion about article on ISA firewalls protectin... - 20.Feb.2006 2:21:17 PM   
    tshinder

     

    Posts: 50013
    Joined: 10.Jan.2001
    From: Texas
    Status: offline
    quote:

    ORIGINAL: dglasgow

    I am trying to implement Split DNS, but my problem is as follows. I have web sites hosted ON the ISA 2004 server. These sites are on a port different from 80 (they use 9999) and rely on host headers. When I implement the split dns, internal clients are not able to access the web sites because (I believe) the dns is pointing them to the IP, but not the correct port. Nslookup shows that internal clients are properly seeing the correct ip address for the fqdn. Any suggestions?


    Even though you should never host Web sites on a firewall (violates every security principle you can imagine, and then more than you can imagine), a split DNS will work. But it creates more issues (what would you expect) than if you configured a secure infrastructure.

    HTH,
    Tom

    _____________________________

    Thomas W Shinder, M.D.

    (in reply to dglasgow)
    Post #: 27
    RE: Discussion about article on ISA firewalls protectin... - 20.Feb.2006 2:55:35 PM   
    dglasgow

     

    Posts: 21
    Joined: 9.Jun.2003
    Status: offline
    FWIW, I re-read your article on disabling socket pooling and decided to try using port 80 on the internal IP web sites anyway (I was previously using 9999 so as not to conflict with the external web listener). I did this as you indicated in the article that "httpcfg set iplisten" would bind the driver to the IP without the need to specify ports. As it happens, it fixed the problem and seems to work perfectly. So thanks indirectly for the help!
     
    We hope to move our web site to different internal boxes in the near future...

    (in reply to tshinder)
    Post #: 28
    RE: Discussion about article on ISA firewalls protectin... - 26.Feb.2006 7:59:00 PM   
    tshinder

     

    Posts: 50013
    Joined: 10.Jan.2001
    From: Texas
    Status: offline
    Hi D,

    Good to hear you got it working and thanks for the follow up!

    Tom

    _____________________________

    Thomas W Shinder, M.D.

    (in reply to dglasgow)
    Post #: 29
    RE: Discussion about article on ISA firewalls protectin... - 31.Mar.2006 11:51:06 AM   
    fcc

     

    Posts: 3
    Joined: 15.Mar.2006
    Status: offline

    Hello Tom,
     
     
    My reality is:
     
    -         We have only ONE public IP address.
    -         We do not have (and will not have) a public zone / DMZ.
    -         We use an illegal top-level domain; not only that, but we use mydomain.local internally. I know that you are against this, but I inherited this and now I have to live with it. :)
     
     
    I have been reading most of your great and most enlightening articles & tutorials, also your book; all refer to scenarios with a public DNS server, which we don't have.
     
    I understand (or at least I think I do) the process to set up a split DNS if you have an internal and an external side, but I'm stuck because I don't have an external side.
     
     
    -         So is it possible to implement a split DNS with my infrastructure?
    -         If so, can you tell me how to go about that? Since I don't have an outside DNS server with an external IP address pointing to the Exchange/www/ftp server, I just don't know how to get around this.
     
     
    Thanks

    (in reply to tshinder)
    Post #: 30
    RE: Discussion about article on ISA firewalls protectin... - 1.Apr.2006 9:28:15 PM   
    tshinder

     

    Posts: 50013
    Joined: 10.Jan.2001
    From: Texas
    Status: offline
    Hi Fcc,

    You can get a public DNS server. You can use a DDNS provider like TZO and register an external zone there.

    For example, register mydomain.com and then have that hosted by the DDNS provider. You can do this with both static or dynamic addresses.

    Then create a zone internally with the same name, and create host records with the actual internal addresses of those servers.

    HTH,
    Tom

    _____________________________

    Thomas W Shinder, M.D.

    (in reply to fcc)
    Post #: 31
    RE: Discussion about article on ISA firewalls protectin... - 1.Apr.2006 11:18:43 PM   
    elmajdal

     

    Posts: 6022
    Joined: 16.Sep.2004
    From: Lebanese in Kuwait
    Status: offline
    Hi Fcc,

    quote:


    You can get a public DNS server. You can use a DDNS provider like TZO and register an external zone there.
     

    Tom is speaking about this: Configuring the ISA Firewall to Support TZO Dynamic DNS Services




    < Message edited by elmajdal -- 1.Apr.2006 11:20:43 PM >


    _____________________________

    Tarek Majdalani

    Windows Expert - IT Pro MVP
    Facebook : https://www.facebook.com/ElMajdal.Net

    (in reply to tshinder)
    Post #: 32
    RE: Discussion about article on ISA firewalls protectin... - 3.Apr.2006 2:09:21 PM   
    fcc

     

    Posts: 3
    Joined: 15.Mar.2006
    Status: offline
    Hi,
     
    Thanks for your reply, I'm going to subscribe with TZO and try to set it up.
     
    Once again Thanks.

    Fcc

    (in reply to elmajdal)
    Post #: 33
    RE: Discussion about article on ISA firewalls protectin... - 5.Apr.2006 5:06:45 PM   
    tshinder

     

    Posts: 50013
    Joined: 10.Jan.2001
    From: Texas
    Status: offline
    Hi Fcc,

    I've been using TZO for almost ten years, and it's a great service.

    Tom

    _____________________________

    Thomas W Shinder, M.D.

    (in reply to fcc)
    Post #: 34
    RE: Discussion about article on ISA firewalls protectin... - 1.May2006 7:07:31 PM   
    altmantc

     

    Posts: 1
    Joined: 1.May2006
    Status: offline
    quote:

    ORIGINAL: PietjePuck

    Great article, but I maybe have an addition, an important reason not to have a split DNS zone is the hassle of managing the external hostnames, especially when there are a lot of hostnames involved (like www, mail, ftp etc.) and you only want to make a single hostname available through ISA. What I do: I create a new zone with a single host, except the host is the zone name (if I publish office.domain.com, I create a zone named office.domain.com). This frees me of the burden of managing the external hostnames but gives me the pleasure of the same hostname for internal and external use.


    Could you please give a short example on setting this up? I'm in the process of setting up an SBS and I'm trying to decide how to set up the Active Directory domain name, etc. I'd really like to try to get it set up this way if possible. Could I make the Active Directory name domain.com, or would the server's Active Directory name need to be office.domain.com? Then what would I need to set up on the internal server and on the public DNS server? (i.e. how do I go about setting up the office.domain.com entries)

    < Message edited by altmantcunix -- 2.May2006 3:38:17 AM >

    (in reply to PietjePuck)
    Post #: 35
    RE: Discussion about article on ISA firewalls protectin... - 29.Jun.2006 8:45:20 PM   
    rrao

     

    Posts: 1
    Joined: 29.Jun.2006
    Status: offline
    Love the article. But I have a slightly different setup than what you've used. I am currently using the firewall that is provided by SBS 2003, instead of ISA. Given this setup and following the instructions on setting up the split DNS, I am only able to view the default page on the SBS server default website. The website that I am trying to access from the internet sits on a separate Win 2003 server on the intranet, with the internal DNS pointing to it with an A record.

    I've opened up the firewall to allow access to the whole web site, but it still returns the default page. I can view the website on the intranet. Please let me know what I need to do to resolve this issue. I have a firewall router interfacing with the internet and the SBS server sits behind it.

    Rahul.

    (in reply to tshinder)
    Post #: 36
    RE: Discussion about article on ISA firewalls protectin... - 30.Jun.2006 5:18:31 PM   
    tshinder

     

    Posts: 50013
    Joined: 10.Jan.2001
    From: Texas
    Status: offline
    quote:

    ORIGINAL: altmantc

    quote:

    ORIGINAL: PietjePuck

    Great article, but I maybe have an addition, an important reason not to have a split DNS zone is the hassle of managing the external hostnames, especially when there are a lot of hostnames involved (like www, mail, ftp etc.) and you only want to make a single hostname available through ISA. What I do: I create a new zone with a single host, except the host is the zone name (if I publish office.domain.com, I create a zone named office.domain.com). This frees me of the burden of managing the external hostnames but gives me the pleasure of the same hostname for internal and external use.


    Could you please give a short example on setting this up? I'm in the process of setting up an SBS and I'm trying to decide how to set up the Active Directory domain name, etc. I'd really like to try to get it set up this way if possible. Could I make the Active Directory name domain.com, or would the server's Active Directory name need to be office.domain.com? Then what would I need to set up on the internal server and on the public DNS server? (i.e. how do I go about setting up the office.domain.com entries)


    Hi Pietje,

    I'm not quite sure what the problem is. The article should have a lot of examples on how to do this. Are you looking for a step by step on how to configure internal and external zones?

    Thanks!
    Tom

    _____________________________

    Thomas W Shinder, M.D.

    (in reply to altmantc)
    Post #: 37
    RE: Discussion about article on ISA firewalls protectin... - 30.Jun.2006 5:20:11 PM   
    tshinder

     

    Posts: 50013
    Joined: 10.Jan.2001
    From: Texas
    Status: offline
    quote:

    ORIGINAL: rrao

    Love the article. But I have a slightly different setup than what you've used. I am currently using the firewall that is provided by SBS 2003, instead of ISA. Given this setup and following the instructions on setting up the split DNS, I am only able to view the default page on the SBS server default website. The website that I am trying to access from the internet sits on a separate Win 2003 server on the intranet, with the internal DNS pointing to it with an A record.

    I've opened up the firewall to allow access to the whole web site, but it still returns the default page. I can view the website on the intranet. Please let me know what I need to do to resolve this issue. I have a firewall router interfacing with the internet and the SBS server sits behind it.

    Rahul.



    Hi Rahul,
    That's why you would benefit from a stateful packet and application layer inspection firewall like ISA. You could do this with an ISA firewall in front of your network.

    HTH,
    Tom

    _____________________________

    Thomas W Shinder, M.D.

    (in reply to rrao)
    Post #: 38
    RE: Discussion about article on ISA firewalls protectin... - 30.Jun.2006 5:49:25 PM   
    jle2005

     

    Posts: 37
    Joined: 19.Jan.2006
    Status: offline
    Hello Tom,

    I've followed your instructions to create two rules to publish my public DNS servers; however, when I try to do an nslookup for my domain I get the private IP address of my public DNS servers. Is there any way that I can hide the private IP address on my public DNS servers and map it to a public IP address instead? Thanks

    (in reply to tshinder)
    Post #: 39
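A check for the symptom in this post (a name published through the ISA firewall answering with a private address), added here as an example and not part of the thread: it queries the internal and the published DNS server for the same names and flags RFC 1918 addresses in the public-side answers, which indicates the published server is still hosting the internal zone rather than a separate external zone. Server addresses and names are placeholders; it assumes `Resolve-DnsName` from the DnsClient module (Windows 8 / Server 2012 and later).

```powershell
# Compare what the internal and the published (public) DNS server return for the
# same names in a split DNS, and warn when the public side leaks private addresses.

function Test-PrivateIPv4 {
    # True for 10/8, 172.16/12 and 192.168/16 (RFC 1918).
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-ARecords {
    # A-record addresses for $Name as answered by $Server only (no cache, no other servers).
    param([string]$Name, [string]$Server)
    Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { $_.IPAddress }
}

$internalDns = '10.0.0.2'       # placeholder: server hosting the internal copy of the zone
$publicDns   = '203.0.113.10'   # placeholder: external address the DNS publishing rule listens on
$names       = 'www.mydomain.com', 'mail.mydomain.com'   # placeholder hostnames

foreach ($n in $names) {
    $inside  = @(Get-ARecords -Name $n -Server $internalDns)
    $outside = @(Get-ARecords -Name $n -Server $publicDns)
    "{0,-22} internal={1,-16} public={2}" -f $n, ($inside -join ','), ($outside -join ',')
    foreach ($ip in $outside) {
        if (Test-PrivateIPv4 $ip) {
            Write-Warning "$n resolves to private address $ip from the public server; the external zone still carries internal records"
        }
    }
}
```

Run it from a host that can reach both servers; an internal-only client that has the published address NATed back to the private one will not show the difference.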
    RE: Discussion about article on ISA firewalls protectin... - 30.Jun.2006 8:42:16 PM   
    tshinder

     

    Posts: 50013
    Joined: 10.Jan.2001
    From: Texas
    Status: offline
    Hi Jle,

    Is this from an external client?

    Thanks!
    Tom

    _____________________________

    Thomas W Shinder, M.D.

    (in reply to jle2005)
    Post #: 40
