From: ObiWan [MVP] on 29 Dec 2009 08:43

> Some of the only reasons I would see using a forwarder, which I
> configure my customers for, is to offload the recursion process, or to
> bypass a firewall that doesn't support EDNS0 or that an admin is
> unaware of how to update the firewall to allow that type of traffic.

Ace... the DNS resolution process, under standard conditions, isn't a resource pig at all, and in such a case the "DNS tree" approach is the way to go. About EDNS0, I personally found that disabling it won't have ANY negative effect and will, in general, solve a whole lot of resolution issues; just in case...

http://support.microsoft.com/kb/828731

Then, btw, one will need (not referring to you, but more often than not people forget about it) to ensure that DNS queries won't be filtered, and this means allowing traffic from "any port" to port 53/udp and to port 53/tcp of whatever external machine.
From: ObiWan [MVP] on 29 Dec 2009 08:47

> I was thinking on how to respond to this one yesterday. I think your
> option #1 is the better solution.
>
> IMHO, I wouldn't use ODNS and simply use the IMF for Exchange, and use
> a firewall that supports Websense or use ISA.

or even use this one ;-)

http://pgl.yoyo.org/adservers/

Pete is a good friend (and answers emails ;-D) and once you get a grip on how the DNS blocking idea works (notice - that isn't just another "hosts" file, try looking at the "MS DNS" format or at the ISA one ;-D) it will be easy to set up your own, personal filter to fit your needs ;-) !
From: Leythos on 29 Dec 2009 09:41

In article <#RPzd7GiKHA.4220(a)TK2MSFTNGP05.phx.gbl>, obiwan(a)mvps.org says...
>
> > We block all DNS queries from all nodes except the DNS server -
> > that would be the SBS box itself.
>
> good setup, ensure to do the same for SMTP too :)
>
> > Interesting question - SBS and a separate Terminal Server using Open
> > DNS for web site filtering.
>
> uhm... let me understand, you have two servers, one is running sbs
> and has its own DNS server w/o any forwarder, another one is used
> as a TS and its network settings are configured so that the DNS IPs
> point to OpenDNS ? That's totally crazy imHo :( it would badly screw
> the AD

No, you don't understand this:

1) SBS has forwarders for OpenDNS
2) Terminal server has DNS pointing to SBS DNS

We use this to limit what the terminal server users can browse and access on the web.

> > Since the forwarders have to use ODNS's DNS servers, how would
> > you have SBS not be seen as originating from ODNS when doing
> > RBL checks while still using ODNS for web blocking?
>
> you have TWO solutions
>
> the first one (which I prefer) is to setup a DNS server on the TS,
> ensure the TS DNS has a copy of the local AD zones and then
> configure it to use ODNS forwarder, next setup the TS machine
> to use its own IP as the DNS; this way the SBS box won't be
> using OpenDNS while the TS will
>
> the second one is... pointing both SBS and TS to the SBS DNS
> then configuring conditional forwarding on the SBS DNS so that
> queries directed to the DNSBL in use will go straight to the auth
> servers for those domains while all other queries will be forwarded
> to the OpenDNS servers
>
> in spamhaus case, the DNS can be obtained by running
>
> nslookup -type=NS spamhaus.org
>
> the same goes for the DNS for all the other DNSBL zones you
> are using in IMF but, again, I'd prefer the first solution since this
> one would force you to keep your DNS up-to-date whenever
> you'll change the DNSBLs you use

Thanks - I had not thought about conditional forwarding, I will look into that.

--
You can't trust your best friends, your five senses, only the little voice inside you that most civilians don't even hear -- Listen to that. Trust yourself.

spam999free(a)rrohio.com (remove 999 for proper email address)
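The conditional-forwarding setup ObiWan describes, scripted as an added example (not code from the thread): for each DNSBL zone it finds the authoritative name servers the way `nslookup -type=NS` does, then creates or refreshes a Windows DNS conditional forwarder so those lookups bypass the server-wide OpenDNS forwarders. It assumes Windows Server 2012 or later with the DnsServer PowerShell module, run elevated on the DNS box; the DNSBL zone list is a constructed sample.

```powershell
# Added example, not from the thread: build Windows DNS conditional forwarders so
# DNSBL lookups go straight to the zone's authoritative servers while everything
# else still flows through the OpenDNS forwarders. Assumes Windows Server 2012+
# with the DnsServer module; run elevated on the SBS/DNS box. The zone list is a
# constructed sample: replace it with the DNSBL zones configured in IMF.
$DnsblZones = @('zen.spamhaus.org')

function Get-DnsblAuthServers {
    param([Parameter(Mandatory)][string]$Zone)
    # Walk up the name until an NS answer appears, so a DNSBL zone that is not
    # separately delegated still maps to the servers authoritative for it.
    $name = $Zone
    while ($name -match '\.') {
        $ns = Resolve-DnsName -Name $name -Type NS -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'NS' }
        if ($ns) {
            $ips = foreach ($rec in $ns) {
                Resolve-DnsName -Name $rec.NameHost -Type A -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' } |
                    ForEach-Object { $_.IPAddress }
            }
            return [pscustomobject]@{ Zone = $name; Masters = @($ips | Sort-Object -Unique) }
        }
        $name = $name.Substring($name.IndexOf('.') + 1)
    }
    throw "No NS records found for $Zone or any parent zone"
}

foreach ($zone in $DnsblZones) {
    $auth = Get-DnsblAuthServers -Zone $zone
    if (-not $auth.Masters) { throw "No A records for the name servers of $($auth.Zone)" }
    $existing = Get-DnsServerZone -Name $auth.Zone -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerConditionalForwarderZone -Name $auth.Zone -MasterServers $auth.Masters
        Write-Host "Added conditional forwarder $($auth.Zone) -> $($auth.Masters -join ', ')"
    } elseif ($existing.ZoneType -eq 'Forwarder') {
        # ObiWan's caveat: the forwarder list must track the DNSBL's current name
        # servers, so refresh it on every run instead of leaving a stale copy.
        Set-DnsServerConditionalForwarderZone -Name $auth.Zone -MasterServers $auth.Masters
        Write-Host "Refreshed conditional forwarder $($auth.Zone) -> $($auth.Masters -join ', ')"
    } else {
        Write-Warning "$($auth.Zone) exists as a $($existing.ZoneType) zone; not touching it"
    }
}

# Verify: list every forwarder zone and the master servers it now points at.
Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder' |
    Select-Object ZoneName, @{ n = 'Masters'; e = { $_.MasterServers -join ', ' } }
```

Schedule it to rerun periodically so the forwarder list follows any change in the DNSBL's name servers, which is the maintenance burden ObiWan warns about.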
From: ObiWan [MVP] on 29 Dec 2009 09:47

> Thanks - I had not thought about conditional forwarding, I will look
> into that.

<<<SIGH>>>
From: Leythos on 29 Dec 2009 09:44
In article <eFLATSIiKHA.5380(a)TK2MSFTNGP06.phx.gbl>, aceman(a)mvps.RemoveThisPart.org says...
> I was thinking on how to respond to this one yesterday. I think your option
> #1 is the better solution.
>
> IMHO, I wouldn't use ODNS and simply use the IMF for Exchange, and use a
> firewall that supports Websense or use ISA.
>

The issue for this solution, for using OpenDNS, is web-blocking. We use IMF and Zen for spam filtering on this very small client - they have a firewall appliance, but they don't have the Web/Spam service on it. If we let them have unrestricted access to the web, the generic users would be everywhere instead of working - and all of their team is remote from the servers (they co-locate)....

I'll look at conditional forwarding and see if I can get that working tonight.

--
You can't trust your best friends, your five senses, only the little voice inside you that most civilians don't even hear -- Listen to that. Trust yourself.

spam999free(a)rrohio.com (remove 999 for proper email address)