Help - External DNS & SMTP relay


rileymartin

Hi,

I purchased static IP address and cablemodem service and need to install
an external DNS server and an SMTP relay service for an internal email
server. I would like to use Windows 2003 server and turn on the firewall/ICS
that comes with sp2. I looked up information on Technet for securing 2003
and DNS and didn't find any really good documents. What I did find was
general information on Windows firewall/ICS and the general best practices
for DNS I have listed below. Does anyone have any recommendations they can
provide? Thanks.

1) Protect the DNS infrastructure of your organization by utilizing an
internal root and name space.
2) Only the external DNS server is configured with Internet root hints.
3) All internal DNS servers are configured only with the root hints pointing
to the internal DNS servers hosting the root zone for your internal name
space.
4) All DNS servers run on domain controllers with all DNS zones stored in
Active Directory. Active Directory DACLs are utilized to secure
administration of DNS. All DNS servers are configured with NTFS as the file
system.
5) External DNS resolution is only performed by your external DNS server.
The internal DNS servers point to the external DNS server.
6) Internal DNS servers are configured to only permit zone transfers to
specific internal DNS servers.
7) The default setting of cache pollution prevention is enabled.
8) UDP/TCP port 53 is only open between one of your internal DNS servers and
only your external DNS server through a firewall in your DMZ.
9) Only secure dynamic DNS updates are allowed for all zones except for the
top-level and root zones, which do not allow dynamic updates at all.
10) All Internet name resolution is performed using proxy servers and
gateways.
11) Utilize Windows Firewall and create exceptions only for DNS ports TCP
and UDP port 53.
 

Lanwench [MVP - Exchange]

rileymartin <rileymartin@discussions.microsoft.com> wrote:
> Hi,
>
> I purchased static IP address and cablemodem service and need to
> install an external DNS server


Do you mean you want to host your domains' public DNS in-house? With a cable
modem?

This is a very bad idea. You need two separate nameservers to do this, and
they shouldn't even be on the same IP subnet.

Nor should any of this touch your LAN at all. Your AD must be kept entirely
separated and protected.

I strongly suggest you rethink this.....it's something best left to an
outside service provider who has a datacenter full of powerful redundant
everything.

> and an SMTP relay service for an
> internal email server.


Even if you decide to host your public DNS like this, I wouldn't recommend
that you put this service on the same box.


> I would like to use Windows 2003 server and
> turn on the firewall/ICS that comes with sp2.


The Windows firewall would not be sufficient for this purpose anyway. Sorry
to be a wet blanket, but I think you're asking for a heap o trouble by
trying to do this yourself.

Post in microsoft.public.windows.server.dns for more expert help, but I
suspect you'll be told the same thing by others in there.



> I looked up
> information on Technet for securing 2003 and DNS and didn't find any
> really good documents. What I did find was general information on
> Windows firewall/ICS and the general best practices for DNS I have
> listed below. Does anyone have any recommendations they can provide?
> Thanks.
>
> 1) Protect the DNS infrastructure of your organization by utilizing an
> internal root and name space.
> 2) Only the external DNS server is configured with Internet root
> hints. 3) All internal DNS servers are configured only with the root
> hints pointing to the internal DNS servers hosting the root zone for
> your internal name space.
> 4) All DNS servers run on domain controllers with all DNS zones
> stored in Active Directory. Active Directory DACLs are utilized to
> secure administration of DNS. All DNS servers are configured with
> NTFS as the file system.
> 5) External DNS resolution is only performed by your external DNS
> server. The internal DNS servers point to the external DNS server.
> 6) Internal DNS servers are configured to only permit zone transfers
> to specific internal DNS servers.
> 7) The default setting of cache pollution prevention is enabled.
> 8) UDP/TCP port 53 is only open between one of your internal DNS
> servers and only your external DNS server through a firewall in your
> DMZ. 9) Only secure dynamic DNS updates are allowed for all zones
> except for the top-level and root zones, which do not allow dynamic
> updates at all. 10) All Internet name resolution is performed using
> proxy servers and gateways.
> 11) Utilize Windows Firewall and create exceptions only for DNS ports
> TCP and UDP port 53.
 

rileymartin

Thanks for the reply. I took your advice and posted another message in the
DNS forum.

We definitely want our ISP to do as little as possible so we can maintain
control over as much as possible.

I am using private IPs for my internal network and will utilize a second
router with NAT overload and access lists to better protect my internal
network. My internal DNS servers will use an internal name space and my
external DNS server will use a totally separate DNS name space without active
directory.



"Lanwench [MVP - Exchange]" wrote:

> rileymartin <rileymartin@discussions.microsoft.com> wrote:
> > Hi,
> >
> > I purchased static IP address and cablemodem service and need to
> > install an external DNS server

>
> Do you mean you want to host your domains' public DNS in-house? With a cable
> modem?
>
> This is a very bad idea. You need two separate nameservers to do this, and
> they shouldn't even be on the same IP subnet.
>
> Nor should any of this touch your LAN at all. Your AD must be kept entirely
> separated and protected.
>
> I strongly suggest you rethink this.....it's something best left to an
> outside service provider who has a datacenter full of powerful redundant
> everything.
>
> > and an SMTP relay service for an
> > internal email server.

>
> Even if you decide to host your public DNS like this, I wouldn't recommend
> that you put this service on the same box.
>
>
> > I would like to use Windows 2003 server and
> > turn on the firewall/ICS that comes with sp2.

>
> The Windows firewall would not be sufficient for this purpose anyway. Sorry
> to be a wet blanket, but I think you're asking for a heap o trouble by
> trying to do this yourself.
>
> Post in microsoft.public.windows.server.dns for more expert help, but I
> suspect you'll be told the same thing by others in there.
>
>
>
> > I looked up
> > information on Technet for securing 2003 and DNS and didn't find any
> > really good documents. What I did find was general information on
> > Windows firewall/ICS and the general best practices for DNS I have
> > listed below. Does anyone have any recommendations they can provide?
> > Thanks.
> >
> > 1) Protect the DNS infrastructure of your organization by utilizing an
> > internal root and name space.
> > 2) Only the external DNS server is configured with Internet root
> > hints. 3) All internal DNS servers are configured only with the root
> > hints pointing to the internal DNS servers hosting the root zone for
> > your internal name space.
> > 4) All DNS servers run on domain controllers with all DNS zones
> > stored in Active Directory. Active Directory DACLs are utilized to
> > secure administration of DNS. All DNS servers are configured with
> > NTFS as the file system.
> > 5) External DNS resolution is only performed by your external DNS
> > server. The internal DNS servers point to the external DNS server.
> > 6) Internal DNS servers are configured to only permit zone transfers
> > to specific internal DNS servers.
> > 7) The default setting of cache pollution prevention is enabled.
> > 8) UDP/TCP port 53 is only open between one of your internal DNS
> > servers and only your external DNS server through a firewall in your
> > DMZ. 9) Only secure dynamic DNS updates are allowed for all zones
> > except for the top-level and root zones, which do not allow dynamic
> > updates at all. 10) All Internet name resolution is performed using
> > proxy servers and gateways.
> > 11) Utilize Windows Firewall and create exceptions only for DNS ports
> > TCP and UDP port 53.

 

S. Pidgorny

G'day:

"rileymartin" <rileymartin@discussions.microsoft.com> wrote in message
news:9C3982FA-7C01-4C88-8A48-35082457958E@microsoft.com...

> We definitely want our ISP to do as little as possible so we can maintain
> control over as much as possible.


Get external DNS and mail relay service.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
 

Lanwench [MVP - Exchange]

rileymartin <rileymartin@discussions.microsoft.com> wrote:
> Thanks for the reply. I took your advice and posted another message
> in the DNS forum.


Cool.

>
> We definitely want our ISP to do as little as possible so we can
> maintain control over as much as possible.


But an ISP isn't the best choice for DNS hosting anyway, generally speaking.
Find a decent hosting company who specializes in doing this sort of thing
and will give you easy management via your own secured control panel.

>
> I am using private IPs for my internal network and will utilize a
> second router with NAT overload and access lists to better protect my
> internal network. My internal DNS servers will use an internal name
> space and my external DNS server will use a totally separate DNS name
> space without active directory.


Again, what you describe indicates you don't have sufficient infrastructure
to do what you wish properly. You need two separate nameservers, and
ideally, they won't even be on the same IP subnet. In fact, using a Windows
box for this is expensive overkill.

You shouldn't use them for anything else - leave your mail relay on another
box, and don't install IIS.

Sorry to sound like the voice of doom, this is the sort of thing that often
seems like a really good idea at the time, but isn't. I'm sure someone in
the DNS group can give you a more exhaustive list of things that can go
wrong than I can.


>
>
> "Lanwench [MVP - Exchange]" wrote:
>
>> rileymartin <rileymartin@discussions.microsoft.com> wrote:
>>> Hi,
>>>
>>> I purchased static IP address and cablemodem service and need to
>>> install an external DNS server

>>
>> Do you mean you want to host your domains' public DNS in-house? With
>> a cable modem?
>>
>> This is a very bad idea. You need two separate nameservers to do
>> this, and they shouldn't even be on the same IP subnet.
>>
>> Nor should any of this touch your LAN at all. Your AD must be kept
>> entirely separated and protected.
>>
>> I strongly suggest you rethink this.....it's something best left to
>> an outside service provider who has a datacenter full of powerful
>> redundant everything.
>>
>>> and an SMTP relay service for an
>>> internal email server.

>>
>> Even if you decide to host your public DNS like this, I wouldn't
>> recommend that you put this service on the same box.
>>
>>
>>> I would like to use Windows 2003 server and
>>> turn on the firewall/ICS that comes with sp2.

>>
>> The Windows firewall would not be sufficient for this purpose
>> anyway. Sorry to be a wet blanket, but I think you're asking for a
>> heap o trouble by trying to do this yourself.
>>
>> Post in microsoft.public.windows.server.dns for more expert help,
>> but I suspect you'll be told the same thing by others in there.
>>
>>
>>
>>> I looked up
>>> information on Technet for securing 2003 and DNS and didn't find any
>>> really good documents. What I did find was general information on
>>> Windows firewall/ICS and the general best practices for DNS I have
>>> listed below. Does anyone have any recommendations they can
>>> provide? Thanks.
>>>
>>> 1) Protect the DNS infrastructure of your organization by utilizing
>>> an internal root and name space.
>>> 2) Only the external DNS server is configured with Internet root
>>> hints. 3) All internal DNS servers are configured only with the root
>>> hints pointing to the internal DNS servers hosting the root zone for
>>> your internal name space.
>>> 4) All DNS servers run on domain controllers with all DNS zones
>>> stored in Active Directory. Active Directory DACLs are utilized to
>>> secure administration of DNS. All DNS servers are configured with
>>> NTFS as the file system.
>>> 5) External DNS resolution is only performed by your external DNS
>>> server. The internal DNS servers point to the external DNS server.
>>> 6) Internal DNS servers are configured to only permit zone transfers
>>> to specific internal DNS servers.
>>> 7) The default setting of cache pollution prevention is enabled.
>>> 8) UDP/TCP port 53 is only open between one of your internal DNS
>>> servers and only your external DNS server through a firewall in your
>>> DMZ. 9) Only secure dynamic DNS updates are allowed for all zones
>>> except for the top-level and root zones, which do not allow dynamic
>>> updates at all. 10) All Internet name resolution is performed using
>>> proxy servers and gateways.
>>> 11) Utilize Windows Firewall and create exceptions only for DNS
>>> ports TCP and UDP port 53.
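Both of Lanwench's replies make the same structural point: a public domain needs at least two authoritative nameservers on different subnets, and those boxes should not double as the mail relay or touch AD. The check below is an added example, not code from any poster; the host names, roles and documentation-range IP addresses are constructed to model the original poster's single-box plan against the recommended layout.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    """A box in the planned edge design and the roles it would carry."""
    name: str
    ip: str
    roles: frozenset  # e.g. {"ns", "smtp-relay", "ad-dc", "iis"}


# Roles that should never share a box with a public nameserver, per the thread.
CONFLICTING_ROLES = {"smtp-relay", "ad-dc", "iis"}


def check_delegation(hosts, subnet_prefix=24):
    """Return a list of findings for a public DNS / relay layout.

    Rules checked (all drawn from the replies above):
      * at least two authoritative nameservers;
      * nameservers not on the same IP subnet (/24 assumed here);
      * no nameserver also acting as mail relay, domain controller or IIS host.
    """
    findings = []
    ns = [h for h in hosts if "ns" in h.roles]
    if len(ns) < 2:
        findings.append(f"only {len(ns)} nameserver(s); at least two are required")
    else:
        nets = {ipaddress.ip_network(f"{h.ip}/{subnet_prefix}", strict=False) for h in ns}
        if len(nets) < 2:
            findings.append(f"all nameservers share subnet {nets.pop()}")
    for h in ns:
        shared = sorted(h.roles & CONFLICTING_ROLES)
        if shared:
            findings.append(f"{h.name}: public nameserver also runs {', '.join(shared)}")
    return findings


# Constructed: the original poster's plan, one Windows box doing DNS and relay.
PLANNED = [Host("ns1.example.com", "203.0.113.10", frozenset({"ns", "smtp-relay"}))]

# Constructed: the layout the replies recommend, split across providers/subnets.
RECOMMENDED = [
    Host("ns1.dnshost.example", "198.51.100.5", frozenset({"ns"})),
    Host("ns2.dnshost.example", "203.0.113.77", frozenset({"ns"})),
    Host("relay.mailhost.example", "192.0.2.25", frozenset({"smtp-relay"})),
]

if __name__ == "__main__":
    for label, layout in (("planned", PLANNED), ("recommended", RECOMMENDED)):
        print(label, check_delegation(layout) or ["no findings"])
```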
 

Anteaus

As is so often the case with IT, these recommendations apply to
mega-corporate users and have little relevance to even medium-sized
businesses.

Basically, you want to use a NAT router, and most such routers will provide
DNS forwarding to an ISP's DNS server. This is generally more convenient than
having to set the ISP's DNS addresses on each and every computer.

Some however do not do this reliably, and in that case it may be worthwhile
(on a site with more than just a handful of computers) to set up a Windows
or Linux server to act as a DNS forwarder. In this case your internal DNS
server should not be made accessible from the internet, so the issues listed
do not in any case arise.

If you are using Active Directory logons you must have an internal DNS
server, anyway.
 

S. Pidgorny

Since this message is a response to my email I need to stress the point:
external secondary DNS and mail relay are inexpensive services available for
the masses, and most appropriate for small and medium businesses.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Anteaus" <Anteaus@discussions.microsoft.com> wrote in message
news:D73A2CF1-00BF-4A05-BEFA-512012AB70B3@microsoft.com...
> As is so often the case with IT, these recommendations apply to
> mega-corporate users and have little relevance to even medium-sized
> businesses.
>
> Basically, you want to use a NAT router, and most such routers will
> provide
> DNS forwarding to an ISP's DNS server. This is generally more convenient
> than
> having to set the ISP's DNS addresses on each and every computer.
>
> Some however do not do this reliably, and in that case it may be
> worthwhile
> (on a site with more than just a handful of computers) to set up a
> Windows
> or Linux server to act as a DNS forwarder. In this case your internal DNS
> server should not be made accessible from the internet, so the issues
> listed
> do not in any case arise.
>
> If you are using Active Directory logons you must have an internal DNS
> server, anyway.
 