Posted by Lanwench [MVP - Exchange] on October 6, 2007, 11:24 pm
> Thanks for the reply. I took your advice and posted another message
> in the DNS forum.
Cool.
>
> We definitely want our ISP to do as little as possible so we can
> maintain control over as much as possible.
But an ISP isn't the best choice for DNS hosting anyway, generally speaking.
Find a decent hosting company who specializes in doing this sort of thing
and will give you easy management via your own secured control panel.
>
> I am using private IPs for my internal network and will utilize a
> second router with NAT overload and access lists to better protect my
> internal network. My internal DNS servers will use an internal name
> space and my external DNS server will use a totally separate DNS name
> space without active directory.
Again, what you describe indicates you don't have sufficient infrastructure
to do what you wish properly. You need two separate nameservers, and
ideally, they won't even be on the same IP subnet. In fact, using a Windows
box for this is expensive overkill.
You shouldn't use them for anything else - leave your mail relay on another
box, and don't install IIS.
Sorry to sound like the voice of doom, this is the sort of thing that often
seems like a really good idea at the time, but isn't. I'm sure someone in
the DNS group can give you a more exhaustive list of things that can go
wrong than I can.
>
>
> "Lanwench [MVP - Exchange]" wrote:
>
>>> Hi,
>>>
>>> I purchased static IP address and cablemodem service and need to
>>> install an external DNS server
>>
>> Do you mean you want to host your domains' public DNS in-house? With
>> a cable modem?
>>
>> This is a very bad idea. You need two separate nameservers to do
>> this, and they shouldn't even be on the same IP subnet.
>>
>> Nor should any of this touch your LAN at all. Your AD must be kept
>> entirely separated and protected.
>>
>> I strongly suggest you rethink this... it's something best left to
>> an outside service provider who has a datacenter full of powerful
>> redundant everything.
>>
>>> and an SMTP relay service for an
>>> internal email server.
>>
>> Even if you decide to host your public DNS like this, I wouldn't
>> recommend that you put this service on the same box.
>>
>>
>>> I would like to use Windows 2003 server and
>>> turn on the firewall/ICS that comes with sp2.
>>
>> The Windows firewall would not be sufficient for this purpose
>> anyway. Sorry to be a wet blanket, but I think you're asking for a
>> heap o' trouble by trying to do this yourself.
>>
>> Post in microsoft.public.windows.server.dns for more expert help,
>> but I suspect you'll be told the same thing by others in there.
>>
>>
>>
>>> I looked up
>>> information on Technet for securing 2003 and DNS and didn't find any
>>> really good documents. What I did find was general information on
>>> Windows firewall/ICS and the general best practices for DNS I have
>>> listed below. Does anyone have any recommendations they can
>>> provide? Thanks.
>>>
>>> 1) Protect the DNS infrastructure of your organization by utilizing
>>> an internal root and name space.
>>> 2) Only the external DNS server is configured with Internet root
>>> hints.
>>> 3) All internal DNS servers are configured only with the root
>>> hints pointing to the internal DNS servers hosting the root zone for
>>> your internal name space.
>>> 4) All DNS servers run on domain controllers with all DNS zones
>>> stored in Active Directory. Active Directory DACLs are utilized to
>>> secure administration of DNS. All DNS servers are configured with
>>> NTFS as the file system.
>>> 5) External DNS resolution is only performed by your external DNS
>>> server. The internal DNS servers point to the external DNS server.
>>> 6) Internal DNS servers are configured to only permit zone transfers
>>> to specific internal DNS servers.
>>> 7) The default setting of cache pollution prevention is enabled.
>>> 8) UDP/TCP port 53 is only open between one of your internal DNS
>>> servers and only your external DNS server through a firewall in your
>>> DMZ.
>>> 9) Only secure dynamic DNS updates are allowed for all zones
>>> except for the top-level and root zones, which do not allow dynamic
>>> updates at all.
>>> 10) All Internet name resolution is performed using
>>> proxy servers and gateways.
>>> 11) Utilize Windows Firewall and create exceptions only for DNS
>>> ports TCP and UDP port 53.
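Several items in the original poster's best-practice list (5, 6, 7, 9 and 11) map directly to settings on the Windows Server 2003 DNS role. The following batch script is an added example, not something posted in the thread or taken from Microsoft's own documentation, showing how those items are applied with the built-in `dnscmd` and `netsh firewall` tools on an internal, AD-integrated DNS server. Every hostname, address and zone name in it is a constructed placeholder (RFC 5737 and private ranges), and it assumes an internal root zone "." already exists as item 1 of the list describes.

```batch
@echo off
REM Added example (not from the thread): hardening steps for the Windows Server 2003
REM DNS role that correspond to the poster's items 5, 6, 7, 9 and 11.
REM All names and addresses below are constructed placeholders:
REM   192.168.10.21   second internal DNS server allowed to pull zone copies
REM   203.0.113.53    external (DMZ) DNS server that internal servers forward to
REM   corp.internal   internal namespace, hosted only inside the LAN
REM Run this on the internal DNS server itself; dnscmd defaults to the local server.

set INTDNS2=192.168.10.21
set EXTDNS=203.0.113.53
set ZONE=corp.internal

REM Item 7: cache pollution prevention. SecureResponses=1 makes the server discard
REM resource records in a response that fall outside the queried domain tree.
dnscmd /Config /SecureResponses 1

REM Item 5: all outside resolution goes through the external server only.
REM Internal servers forward to it instead of walking the Internet roots themselves.
dnscmd /ResetForwarders %EXTDNS%

REM Item 6: zone transfers only to the listed internal server, never to anyone who asks.
dnscmd /ZoneResetSecondaries %ZONE% /SecureList %INTDNS2%

REM Item 9: secure (authenticated) dynamic updates only for the AD zone.
REM AllowUpdate values: 0 = none, 1 = nonsecure and secure, 2 = secure only.
dnscmd /Config %ZONE% /AllowUpdate 2

REM Item 9, second half: the internal root zone takes no dynamic updates at all
REM (assumes the "." zone was created earlier, per item 1).
dnscmd /Config . /AllowUpdate 0

REM Item 11 (with item 8): Windows Firewall exceptions for port 53 only, and scoped to
REM the two peers that need them rather than opened to every address.
netsh firewall add portopening protocol=UDP port=53 name="DNS UDP" mode=ENABLE scope=CUSTOM addresses=%INTDNS2%,%EXTDNS%
netsh firewall add portopening protocol=TCP port=53 name="DNS TCP" mode=ENABLE scope=CUSTOM addresses=%INTDNS2%,%EXTDNS%

REM Check that the settings took effect.
dnscmd /Info SecureResponses
dnscmd /ZoneInfo %ZONE%
```

The `dnscmd /ZoneInfo` output at the end should show the zone's secure secondaries list and `AllowUpdate = 2`; if it still reads `1`, the zone is accepting unauthenticated updates. The host firewall rules here only implement the "exceptions for port 53 only" item; as Lanwench notes above, they complement a separate perimeter firewall in front of the DMZ rather than replacing it.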