Now I understand the split DNS. TY. While implementing the instructions in this article I found some discrepancies that happened while I configured my SBS 2003 server.
When entering host A records for the internal side DNS I noticed that checking the create pointer resulted in an error message stating I could not do it because I had no reverse lookup zone related to the new forward zone. So I created them anyway w/o pointers. Is a rev zone needed here? Hmm, I saw dozens of other posts elsewhere of stumped people too, not from your article though.
On the step where the new zone is created, "forward" type was not mentioned, but of course it was implied. Newbies like me need all the details. That's not a biggie, but not mentioning in the steps that under properties of the new zone, when created, "allow zone transfers" is checked by default, and that could be bad as I read. I only noticed it because I check over the properties on all this stuff and some folks aren't so thorough.
4/5 stars on this and TY Tom for the great info. I enjoy and appreciate all your articles. TW
Hi TRW,
Thanks!
BTW -- there's no problem for you to create the reverse lookup zone.
Create Two Server Publishing Rules Publishing Your Public DNS Servers (if you host your own DNS servers) If you plan on hosting your own DNS servers, then you will need to create two Server Publishing Rules using two different IP addresses on the external interface of the ISA firewall. I highly recommend that you place these DNS servers, which are responsible for the external zone of your split DNS, on an anonymous access DMZ segment. Hosts on this DMZ segment should not have any access to your internal network and no primary connections should be allowed outbound from the DMZ segment. The only outbound traffic from this segment (at least from the DNS servers), should be response traffic in response to DNS queries made via the DNS Server Publishing Rules. You should take special care in configuring these public DNS servers. Several settings will go a long way to securing the external end of your split DNS:
Configure the DNS servers to secure against cache pollution (this is the default for Windows Server 2003 DNS servers)
Disable recursion on these DNS servers. You do not want these servers to resolve names for hosts in domains for which these servers are not authoritative. That is to say, you only want them to answer queries for the zones they host and no others
Disable dynamic updates for these zones. You don’t want an intruder to take advantage of the Windows DNS dynamic update feature
Disable zone transfers from the DNS server. This can be configured in the DNS server Properties dialog box on the Zone Transfers tab
Enable only UDP port 53 for the DNS Server Publishing Rule. This prevents attempts to perform a zone transfer from the published DNS server, as a zone transfer will contain too many records to fit into a single UDP datagram
By applying these DNS configuration options you'll significantly reduce the risk of potential attacks against your DNS server.
It's pretty easy, just click the Create a New Server Publishing Rule link on the Tasks tab in the Tasks Pane. Create the first DNS server publishing rule and then repeat the procedure to create the second one.
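As an added example (not part of the article or of Tom's instructions), the hardening settings listed above scripted with the dnscmd.exe tool that ships with Windows Server 2003 DNS; the zone name example.com is a placeholder for your public zone, and the UDP-only rule is set in ISA, not here:

```batch
@echo off
REM Added example, not from the article: lock down a Windows Server 2003 DNS
REM server that hosts only the public half of a split DNS.
REM PUBZONE is a placeholder; replace it with the public zone you host.
set PUBZONE=example.com

REM 1. Secure the cache against pollution (already the default on Server 2003).
dnscmd /Config /SecureResponses 1

REM 2. Disable recursion so the server answers only for zones it is
REM    authoritative for and never resolves names on behalf of clients.
dnscmd /Config /NoRecursion 1

REM 3. Disable dynamic updates on the public zone.
dnscmd /Config %PUBZONE% /AllowUpdate 0

REM 4. Refuse zone transfers for the public zone (equivalent to the
REM    Zone Transfers tab with transfers turned off).
dnscmd /ZoneResetSecondaries %PUBZONE% /NoXfr

REM Check that the settings took effect.
dnscmd /Info /NoRecursion
dnscmd /Info /SecureResponses
dnscmd /ZoneInfo %PUBZONE% /AllowUpdate
```

Run it from an elevated command prompt on the public DNS server itself. Keep in mind that a UDP-only publishing rule also blocks the normal TCP fallback for any answer larger than 512 bytes, so check that your public zone's largest responses still fit.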
I am trying to implement Split DNS, but my problem is as follows. I have web sites hosted ON the ISA 2004 server. These sites are on a port different from 80 (they use 9999) and rely on host headers. When I implement the split dns, internal clients are not able to access the web sites because (I believe) the dns is pointing them to the IP, but not the correct port. Nslookup shows that internal clients are properly seeing the correct ip address for the fqdn. Any suggestions?
Even though you should never host Web sites on a firewall (violates every security principle you can imagine, and then more than you can imagine), a split DNS will work. But it creates more issues (what would you expect) than if you configured a secure infrastructure.
FWIW, I re-read your article on disabling socket pooling and decided to try using port 80 on the internal IP web sites anyway (I was previously using 9999 so as not to conflict with the external web listener). I did this as you indicated in the article that the "httpcfg set iplisten" would bind the driver to the IP without the need to specify ports. As it happens, it fixed the problem and seems to work perfectly. So thanks indirectly for the help!
We hope to move our web site to different internal boxes in the near future...
- We have only ONE public IP address. - We do not have (and will not have) a public zone / DMZ. - We use an illegal top-level domain; not only that, but we use mydomain.local internally. I know that you are against this, but I inherited this and now I have to live with it.
I have been reading most of your great and most enlightening articles & tutorials, also your book; all refer to scenarios with a public DNS server which we don't have.
I understand (or at least I think I do) the process to set up a split DNS if you have an internal and external side, but I'm stuck because I don't have an external side.
- So is it possible to implement a split DNS with my infrastructure? - If so, can you tell me how to go about that? Since I don't have an outside DNS server with an external IP address pointing to the exchange/www/ftp server, I just don't know how to go around this.
Great article, but I maybe have an addition: an important reason not to have a split DNS zone is the hassle of managing the external hostnames, especially when there are a lot of hostnames involved (like www, mail, ftp etc.) and you only want to make a single hostname available through ISA. What I do: I create a new zone with a single host, except the host is the zone name (if I publish office.domain.com, I create a zone named office.domain.com). This frees me of the burden of managing the external hostnames but gives me the pleasure of the same hostname for internal and external use.
Could you please give a short example on setting this up? I'm in the process of setting up a SBS and I'm trying to decide how to setup the Active Directory domain name, etc. I'd really like to try to get it setup this way if possible. Could I make the active directory name domain.com or would the server's active directory name need to be office.domain.com? Then what would I need to setup on the internal server and on the public DNS server? (i.e. how do I go about setting up the office.domain.com entries)
Love the article. But I have a slightly different setup than what you've used. I am currently using the firewall that is provided by SBS 2003, instead of ISA. Given this setup and following the instructions on setting up the split DNS, I am only able to view the default page on the SBS server default website. The website that I am trying to access from the internet sits on a separate Win 2003 server on the intranet, with the internal DNS pointing to it with an A record.
I've opened up the firewall to allow access to the whole web site, but it still returns the default page. I can view the website on the intranet. Please let me know what I need to do to resolve this issue. I have a firewall router interfacing with the internet and the SBS server sits behind it.
Hi Pietje,
I'm not quite sure what the problem is. The article should have a lot of examples on how to do this. Are you looking for a step by step on how to configure internal and external zones?
Rahul.
Hi Rahul, That's why you would benefit from a stateful packet and application layer inspection firewall like ISA. You could do this with an ISA firewall in front of your network.
I've followed your instructions to create two rules to publish my public DNS servers; however, when I try to do an nslookup for my domain I get the private IP address of my public DNS servers. Is there any way that I can hide the private IP address on my public DNS servers and map it to a public IP address instead? Thanks