From: ObiWan [MVP] on 30 Dec 2009 03:40

> Yep, it may be better, since I don't want to have to mess with the IP
> checking (in case they change) from time to time.
>
> I'll install DNS on the TS box this weekend, thanks.

In such a case, ensure the DNS on the TS holds copies of the local domains, then set it up to forward all external queries to ODNS so that you'll have your filtering for the TS users, and remove the ODNS forward from the SBS box so that you won't have NXDOMAIN/caching issues :)
From: ObiWan [MVP] on 30 Dec 2009 03:40

>> <<<SIGH>>>
> :-)

hehe... well, sounds like he changed his mind as soon as he realized that it would be a hell to maintain the forwarders list :D
From: ObiWan [MVP] on 30 Dec 2009 04:49

> in such a case, ensure the DNS on the TS holds copies of the local
> domains, then set it up to forward all external queries to ODNS so
> that you'll have your filtering for the TS users and remove the ODNS
> forward from the SBS box so that you won't have NXDOMAIN/caching
> issues :)

Let me better sum it up:

Install DNS on the TS box, ensure that the DNS is AD integrated
Configure DNS to hold a copy of your local zones (AD...)
Configure DNS to forward all queries to the OpenDNS resolvers
Configure the TS box to use its own IP as the ONLY DNS server
Remove the OpenDNS forwarding from the SBS box and refresh the root hints (just in case)
Ensure the SBS is pointing to its own IP as the ONLY DNS server

This way the SBS will carry on full recursive resolution using the root hints, avoiding the NXDOMAIN/cache issues with your email services; on the other hand, the TS box will allow users to correctly log on to the domain but will forward all external queries to the OpenDNS resolvers, which will filter them as you desire.
From: ObiWan [MVP] on 30 Dec 2009 05:53

>> exchange IMF <-> your DNS <-> OpenDNS <-> spamhaus DNS
> No kidding. I didn't think of this scenario. So the rate limit could
> be quickly reached and everyone is blaming ODNS for it.

Yes... although ODNS still plays a role here. See, their aggressive use of caching and TTL overriding means that NXDOMAIN answers returned by the DNSBL due to the rate limiter kicking in will be kept in cache for quite a long time, causing hosts which should instead be BLOCKED by the blacklist to get through; worse, such a thing will affect ALL the systems using ODNS for resolution :P

I've nothing against OpenDNS, they're offering a decent service and helping to protect against "bad sites", but that's all. I won't recommend using OpenDNS as a forwarder/resolver when it comes to a server system or a business network, for the reasons seen in this thread and... for some others as well :)
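As an added illustration (not part of the thread), the following Python model shows the failure mode ObiWan describes: a caching forwarder that clamps TTLs upward keeps the NXDOMAIN a rate-limited DNSBL returned, so a blacklisted sender is later reported as clean while a forwarder that honours the DNSBL's own TTL recovers. The zone name, the "listed" return code, the query budget and all IP addresses are constructed for the simulation; nothing is sent over the network.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

DNSBL_ZONE = "zen.spamhaus.org"  # assumed zone; the thread only says "spamhaus DNS"

def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Reverse-octet name a DNSBL check asks for: 192.0.2.10 -> 10.2.0.192.<zone>."""
    return ".".join(reversed(str(IPv4Address(ip)).split("."))) + "." + zone

@dataclass
class RateLimitedDnsbl:
    listed: set            # blacklisted query names (constructed stand-in for the DNSBL)
    budget: int            # queries allowed per window before the limiter trips
    window: int = 60       # seconds
    neg_ttl: int = 60      # TTL on the DNSBL's own NXDOMAIN answers
    used: dict = field(default_factory=dict)

    def query(self, name, now):
        win = now // self.window
        self.used[win] = self.used.get(win, 0) + 1
        if self.used[win] > self.budget:   # rate limiter: NXDOMAIN for everyone,
            return None, self.neg_ttl      # listed hosts included
        return ("127.0.0.2", 300) if name in self.listed else (None, self.neg_ttl)

@dataclass
class ForwardingResolver:
    """Caching forwarder; min_ttl > 0 models the TTL overriding the post describes."""
    upstream: RateLimitedDnsbl
    min_ttl: int = 0
    cache: dict = field(default_factory=dict)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and hit[1] > now:           # serve from cache until expiry
            return hit[0]
        rdata, ttl = self.upstream.query(name, now)
        self.cache[name] = (rdata, now + max(ttl, self.min_ttl))  # TTL clamp
        return rdata

def run_scenario(min_ttl):
    """Return (listed? just after the limiter trips, listed? two minutes later)."""
    spammer = "192.0.2.10"                       # constructed documentation address
    dnsbl = RateLimitedDnsbl(listed={dnsbl_name(spammer)}, budget=2)
    fwd = ForwardingResolver(dnsbl, min_ttl=min_ttl)
    def listed(ip, now):
        return fwd.resolve(dnsbl_name(ip), now) is not None
    for i in range(3):                           # other lookups exhaust the budget
        listed(f"198.51.100.{i}", 0)
    first = listed(spammer, 5)                   # limiter's NXDOMAIN gets cached
    later = listed(spammer, 120)                 # new window: DNSBL would say listed
    return first, later
```

`run_scenario(0)` returns `(False, True)`: the honest forwarder re-asks after 60 seconds and sees the listing; `run_scenario(3600)` returns `(False, False)`: with the TTL clamped to an hour the spammer stays "clean" for every client behind that forwarder.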
From: Leythos on 30 Dec 2009 08:59

In article <Ox68tuSiKHA.5604(a)TK2MSFTNGP04.phx.gbl>, obiwan(a)mvps.org says...
>
> > Yep, it may be better, since I don't want to have to mess with the IP
> > checking (in case they change) from time to time.
> >
> > I'll install DNS on the TS box this weekend, thanks.
>
> in such a case, ensure the DNS on the TS holds copies of the local
> domains, then set it up to forward all external queries to ODNS so that
> you'll have your filtering for the TS users and remove the ODNS forward
> from the SBS box so that you won't have NXDOMAIN/caching issues :)

Thanks - I'm aware of DNS replication, just never thought about the OpenDNS issue with RBLs.

--
You can't trust your best friends, your five senses, only the little voice inside you that most civilians don't even hear -- Listen to that. Trust yourself.
spam999free(a)rrohio.com (remove 999 for proper email address)