Discussion about article on ISA firewalls protecting illegal TLDs (Full Version)



tshinder -> Discussion about article on ISA firewalls protecting illegal TLDs (31.May2005 8:28:00 AM)

This thread is for discussing the article on ISA firewalls protecting illegal TLDs at:

http://www.isaserver.org/tutorials/2004illegaltldsplitdns.html

HTH,
Tom





PietjePuck -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (5.Jun.2005 3:52:00 AM)

Great article, but I may have an addition: an important reason not to have a split DNS zone is the hassle of managing the external hostnames, especially when there are a lot of hostnames involved (like www, mail, ftp etc.) and you only want to make a single hostname available through ISA. What I do: I create a new zone with a single host, except the host is the zone name (if I publish office.domain.com, I create a zone named office.domain.com). This frees me of the burden of managing the external hostnames but gives me the pleasure of the same hostname for internal and external use.




tshinder -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (5.Jun.2005 11:46:00 AM)

Hi PietjePuck,

Nice tip!

Thanks!
Tom




Guest -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (14.Jun.2005 4:46:00 PM)

Thanks for this article. In the example, the company had an already existing Active Directory domain called isaserver.local. But if you were starting from scratch and installing AD, is there any advantage to having isaserver.local? In other words, why not just do the split domain setup for isaexternal.com and you only have 1 AD domain also called isaexternal.com?




tshinder -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (15.Jun.2005 6:42:00 AM)

Hi Anon,

Exactly. If you already have an existing domain, then do it right from the start and bag the .local, .lan, .whatever, and just do it right from the start.

Thanks!
Tom




ajheywood -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (22.Jun.2005 8:28:00 AM)

I have a quick question (I think) about the best way to implement split dns in our case.

Currently our domain name for internal use is mycompany.local and we also have registered with our ISP mycompany.co.uk. The DNS for mycompany.co.uk is hosted by our ISP and I have, through their web interface, set up owa.mycompany.co.uk and a few others.

So if I want to have the internal clients access resources using the public name I create a zone on my local dns server for mycompany.co.uk but do I make it a stub zone or a primary zone as the zone will only ever be accessed by local users as it is not publicly available?




tshinder -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (22.Jun.2005 10:22:00 AM)

Hi Andy,

Create the mycompany.uk.co domain on your own DNS server, and create the host records that internal users should use to access internal resources.

If there are resources on the mycompany.uk.co that are located at external locations, then enter host records mapping to those external locations.

HTH,
Tom




humorfox -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (2.Sep.2005 4:28:00 AM)

May I know if the split DNS may cause any DNS resolution issue on the ISA Server itself? See the following network diagram:

Internet - ISA - LAN

What is the recommendation to configure DNS Server for the ISA server? Should I configure the internal DNS server for both the internal NIC and the external NIC? Or should I configure the public DNS server on the external NIC and configure the internal DNS server on the internal NIC?

Thank you for your help.




tshinder -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (2.Sep.2005 8:49:00 AM)

Hi Cameron,

The ISA firewall should use the Internal DNS server and the internal DNS server is authoritative (responsible) for the internal side (internal zone) of the split DNS.

The internal interface of the ISA firewall should be on the top of the interface list, and ONLY the internal interface should have a DNS server configured on it. The external interface should NOT have a DNS server configured on it, and NO interface of the ISA firewall should ever have an external DNS server configured on it.

HTH,
Tom




Guest -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (7.Sep.2005 8:12:00 PM)

I have a 2K SBS w\ ISA.

I have for months had the ISA running with the WAN interface being a modem, recently I moved to a broadband interface (via NIC#2).

Since then I have had the Server freeze multiple times requiring a reset, with no errors or logging.

The lockup only occurs when the interface is active (connected to the internet). When ISA is running along with everything else but the cable is disconnected no problem occurs.

I am assuming some type of DNS/Active Directory failure. Can a domain.com cause an issue with my domain.local simply by existing?

Thanks




djhuang -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (19.Sep.2005 5:00:00 AM)

Hello,

First, thanks for the great article you posted. It really helps a lot.

Second, I have a question about DNS configuration on the Exchange server. We have one Exchange server acting as the primary mail server, providing POP3, RPC/HTTP and OWA services to clients and replicating mail with other sites via the intranet. This mail server is also responsible for delivering mail to the Internet via SMTP. I would like to ask how to set up the DNS for this Exchange server. If I choose the internal DNS, then there's no way to resolve Internet domains. If I select the external DNS, the communication to the GC/DC would fail (it would try to get LDAP data from the Internet because the domain name of the remote office is resolved to a public one). The same thing happens if I point the DNS to the internal interface of the ISA server.

The Exchange server is attached to the internal network (1 subnet only), as is the DC/DNS server. But the default gateway is directed to the internal interface of the ISA server (for SMTP mail delivery). A static route to the internal network is added to compensate for the strange default gateway.

Any suggestions would be very appreciated.
Thank you.

djhuang




Anders -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (20.Sep.2005 11:33:00 AM)

Assuming that you are using Exchange 2000 or 2003 you can configure the SMTP protocol with an address of an external DNS Server. This way the Exchange Server will use the internal DNS for anything but sending mail to the Internet.
If you are using exchange 5.x (well, start upgrading) you can set up a smart host to get around the problem.




longman -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (20.Sep.2005 6:51:00 PM)

Another option is to configure a forwarder on your internal dns servers with the forwarder being the isa server.




tad_braun -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (12.Oct.2005 11:49:00 PM)

Hello,

I tried this tip, and it seemed to work fine. We could access webmail.ourdomain.com from internal and external just fine, including FBA. But then internal people started calling in and saying they could not get to our www.ourdomain.com website hosted at an ISP. The website used www.ourdomain.com, and since there were no records other than the webmail.ourdomain.com record in the local DNS zone for ourdomain.com, the web request bombed out. To fix this, is it as simple as adding a second A record pointing to www.ourdomain.com and the external IP address?




m25man -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (20.Nov.2005 8:18:17 PM)

Tom,

An interesting article which helps me understand my own problem a little better (I think).

One of my clients (a school) has an internal domain name and a different FQDN; however, the internal domain name set up by a previous contractor is actually a legitimate TLD belonging to the previous contractor!!!!

So internally they are oldcontractorsdomainname.net and externally they are realschool.local-edauth.sch.uk

To add to the dilemma the local school broadband consortium allocate IP addresses and port forward from the internet. Outbound requests are restricted and must be chained to the broadband providers upstream proxy.

So the school has a single public IP which gets forwarded to the designated private IP Pool and on to the ISA 2004 WAN NIC (10.1.1.1)

The Internal network is 192.168.0.0

ISA 2004 was chosen for its ability to publish multiple web servers behind a single IP, which is fine, and I have grasped the principles of this by testing from the 10.1.1.0 LAN (effectively a DMZ).

Here is my problem, which I'm certain is DNS related and has so far proven difficult to fix. After reading your article several times I thought split DNS would solve the problem, but so far it is still proving a hard one to crack.

Rules based upon the URL incoming from the external clients should be redirecting them to the appropriate WebDAV server, but instead ISA returns a referral page from the chained upstream proxy with the message "server#.school.net is not resolved".

So I know that the clients are being forwarded by the Education Authority firewall from the Internet to the ISA (external) 10.x.x. NIC, and it seems that ISA is working, trying to do what it is programmed to do, but is defeated by the internal DNS, which of course believes it is supposed to be elsewhere!

Am I expecting too much from ISA to handle this ugly scenario? I'm now considering a domain rename as a simpler solution.

Geoff




trw2006 -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (2.Feb.2006 11:21:07 AM)

Now I understand the split DNS. Thank you. While implementing the instructions in this article I found some discrepancies that happened while I configured my SBS 2003 server.

When entering host A records for the internal-side DNS I noticed that checking "create pointer" resulted in an error message stating I could not do it because I had no reverse lookup zone related to the new forward zone. So I created them anyway without pointers. Is a reverse zone needed here? Hmm, I saw dozens of other posts elsewhere of stumped people too, not from your article though.

On the step where the new zone is created, "forward" type was not mentioned, but of course it was implied. Newbies like me need all the details. That's not a biggie, but what is worth mentioning in the steps is that under the properties of the new zone, when created, "allow zone transfers" is checked by default, and that could be bad, as I read. I only noticed it because I check over the properties on all this stuff and some folks aren't so thorough.

4/5 stars on this, and thank you, Tom, for the great info. I enjoy and appreciate all your articles. TW




tshinder -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (3.Feb.2006 12:53:39 PM)

quote:

ORIGINAL: Guest

I have a 2K SBS w\ ISA.

I have for months had the ISA running with the WAN interface being a modem, recently I moved to a broadband interface (via NIC#2).

Since then I have had the Server freeze multiple times requiring a reset, with no errors or logging.

The lockup only occurs when the interface is active (connected to the internet). When ISA is running along with everything else but the cable is disconnected no problem occurs.

I am assuming some type of DNS/Active Directory failure. Can a domain.com cause an issue with my domain.local simply by existing?

Thanks


Hi Guide,

Put a cheap broadband NAT device in front of the ISA firewall.

HTH,
Tom 




tshinder -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (3.Feb.2006 12:55:29 PM)

quote:

ORIGINAL: djhuang

Hello,

First, thanks for the great article you posted. It really helps a lot.

Second, I have a question about DNS configuration on the Exchange server. We have one Exchange server acting as the primary mail server, providing POP3, RPC/HTTP and OWA services to clients and replicating mail with other sites via the intranet. This mail server is also responsible for delivering mail to the Internet via SMTP. I would like to ask how to set up the DNS for this Exchange server. If I choose the internal DNS, then there's no way to resolve Internet domains. If I select the external DNS, the communication to the GC/DC would fail (it would try to get LDAP data from the Internet because the domain name of the remote office is resolved to a public one). The same thing happens if I point the DNS to the internal interface of the ISA server.

The Exchange server is attached to the internal network (1 subnet only), as is the DC/DNS server. But the default gateway is directed to the internal interface of the ISA server (for SMTP mail delivery). A static route to the internal network is added to compensate for the strange default gateway.

Any suggestions would be very appreciated.
Thank you.

djhuang


Hi DJ,

You should use an internal DNS server that is configured to resolve both internal and external names.

HTH,
Tom




tshinder -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (3.Feb.2006 12:56:45 PM)

quote:

ORIGINAL: tad_braun

Hello,

I tried this tip, and it seemed to work fine. We could access webmail.ourdomain.com from internal and external just fine, including FBA. But then internal people started calling in and saying they could not get to our www.ourdomain.com website hosted at an ISP. The website used www.ourdomain.com, and since there were no records other than the webmail.ourdomain.com record in the local DNS zone for ourdomain.com, the web request bombed out. To fix this, is it as simple as adding a second A record pointing to www.ourdomain.com and the external IP address?


Hi Tad,

In that case you enter the appropriate IP addresses for the external resources, as mentioned in the article.

HTH,
Tom




tshinder -> RE: Discussion about article on ISA firewalls protecting illegal TLDs (3.Feb.2006 12:59:55 PM)

quote:

ORIGINAL: m25man

Tom,

An interesting article which helps me understand my own problem a little better (I think).

One of my clients (a school) has an internal domain name and a different FQDN; however, the internal domain name set up by a previous contractor is actually a legitimate TLD belonging to the previous contractor!!!!

So internally they are oldcontractorsdomainname.net and externally they are realschool.local-edauth.sch.uk

To add to the dilemma the local school broadband consortium allocate IP addresses and port forward from the internet. Outbound requests are restricted and must be chained to the broadband providers upstream proxy.

So the school has a single public IP which gets forwarded to the designated private IP Pool and on to the ISA 2004 WAN NIC (10.1.1.1)

The Internal network is 192.168.0.0

ISA 2004 was chosen for its ability to publish multiple web servers behind a single IP, which is fine, and I have grasped the principles of this by testing from the 10.1.1.0 LAN (effectively a DMZ).

Here is my problem, which I'm certain is DNS related and has so far proven difficult to fix. After reading your article several times I thought split DNS would solve the problem, but so far it is still proving a hard one to crack.

Rules based upon the URL incoming from the external clients should be redirecting them to the appropriate WebDAV server, but instead ISA returns a referral page from the chained upstream proxy with the message "server#.school.net is not resolved".

So I know that the clients are being forwarded by the Education Authority firewall from the Internet to the ISA (external) 10.x.x. NIC, and it seems that ISA is working, trying to do what it is programmed to do, but is defeated by the internal DNS, which of course believes it is supposed to be elsewhere!

Am I expecting too much from ISA to handle this ugly scenario? I'm now considering a domain rename as a simpler solution.

Geoff


Hi Geoff,

This scenario is a perfect example of the utility of a split DNS. Since your internal zone serves only internal clients, it doesn't matter who has registered your internal domain name, since your internal clients don't give a hoot about the external zone entries for that domain name, and that includes the ISA firewall, since it will resolve your internal domain name to internal addresses.

Thanks for pointing out a fantastic example of why split DNS rocks!

Thanks!
Tom



