From: ObiWan [MVP] on

> I'll look at conditional forwarding and see if I can get that working
> tonight.

that's quite straightforward; first of all, you'll need to obtain a list
of all the DNSBLs which are used by the IMF, let's say they are

zen.spamhaus.org
ix.dnsbl.manitu.net
bl.spamcop.net
dul.dnsbl.sorbs.net
bb.barracudacentral.org
combined.njabl.org
bogons.cymru.com
drone.abuse.ch
httpbl.abuse.ch
virbl.dnsbl.bit.nl

next you'll need to retrieve the authoritative DNS servers
for each zone, for example, willing to retrieve the auth DNS
for the zen.spamhaus.org zone you'll need to run

nslookup -type=NS zen.spamhaus.org

the above command will return a list of DNS names like

zen.spamhaus.org nameserver = 1.ns.spamhaus.org
zen.spamhaus.org nameserver = k.ns.spamhaus.org
zen.spamhaus.org nameserver = r.ns.spamhaus.org
zen.spamhaus.org nameserver = d.ns.spamhaus.org
zen.spamhaus.org nameserver = h.ns.spamhaus.org
zen.spamhaus.org nameserver = l.ns.spamhaus.org
.... and so on ...

at this point you'll have to retrieve the IPs for *all* those
servers and make a note about them, then you'll have
to set up a conditional forward in your DNS so that all
queries directed to the "zen.spamhaus.org" domain
will be forwarded to the servers' IPs you obtained above

repeat the same for all the other DNSBL zones and you'll
have your conditional forward up and running, but remember
that auth DNS IPs may change from time to time and that
you'll have to keep your forwarding setup updated to reflect
the DNSBLs you'll be using in IMF

I'm *still* convinced that installing a DNS instance on the TS
machine would be a better and more straightforward solution
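The procedure above (list the DNSBL zones, find each zone's NS records, resolve them to IPs, create a conditional forwarder, and refresh it when the auth IPs change) as an added PowerShell script; it is not from the thread, assumes the DnsServer and DnsClient modules of a Windows Server DNS host, and reuses the zone names quoted in the post.

```powershell
# Added example (not from the thread): create or refresh Windows DNS conditional
# forwarders for the DNSBL zones used by Exchange IMF. Run on the DNS server
# with the DnsServer (Windows Server 2012+) and DnsClient modules available.
$dnsblZones = @(
    'zen.spamhaus.org', 'ix.dnsbl.manitu.net', 'bl.spamcop.net',
    'dul.dnsbl.sorbs.net', 'bb.barracudacentral.org', 'combined.njabl.org',
    'bogons.cymru.com', 'drone.abuse.ch', 'httpbl.abuse.ch', 'virbl.dnsbl.bit.nl'
)

# Resolve a zone's authoritative name servers to their IPv4 addresses
# (the scripted equivalent of "nslookup -type=NS <zone>" plus the A lookups).
function Get-ZoneAuthIPs {
    param([string]$Zone)
    $ips = @()
    $nsRecords = Resolve-DnsName -Name $Zone -Type NS -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' }
    foreach ($ns in $nsRecords) {
        $aRecords = Resolve-DnsName -Name $ns.NameHost -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }
        foreach ($a in $aRecords) { $ips += $a.IPAddress }
    }
    return ($ips | Sort-Object -Unique)
}

foreach ($zone in $dnsblZones) {
    try {
        $masters = Get-ZoneAuthIPs -Zone $zone
    } catch {
        Write-Warning "Could not resolve NS records for $zone : $_"
        continue
    }
    if (-not $masters) { Write-Warning "No A records for the NS of $zone"; continue }

    $existing = Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue
    if ($existing -and $existing.ZoneType -eq 'Forwarder') {
        # Auth DNS IPs change from time to time: overwrite the master list.
        Set-DnsServerConditionalForwarderZone -Name $zone -MasterServers $masters
        Write-Host "Updated forwarder $zone -> $($masters -join ', ')"
    } elseif (-not $existing) {
        Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $masters
        Write-Host "Created forwarder $zone -> $($masters -join ', ')"
    } else {
        Write-Warning "$zone already exists as a $($existing.ZoneType) zone; skipping"
    }
}
```

Scheduling the script to run periodically keeps the forwarder master lists in step with the DNSBL operators' name server changes, which is the maintenance burden the post warns about.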


From: Leythos on
In article <ur#Y0rKiKHA.5520(a)TK2MSFTNGP06.phx.gbl>, obiwan(a)mvps.org
says...
>
> > I'll look at conditional forwarding and see if I can get that working
> > tonight.
>
> that's quite straightforward; first of all, you'll need to obtain a list
> of all the DNSBLs which are used by the IMF, let's say they are
>
> zen.spamhaus.org
> ix.dnsbl.manitu.net
> bl.spamcop.net
> dul.dnsbl.sorbs.net
> bb.barracudacentral.org
> combined.njabl.org
> bogons.cymru.com
> drone.abuse.ch
> httpbl.abuse.ch
> virbl.dnsbl.bit.nl
>
> next you'll need to retrieve the authoritative DNS servers
> for each zone, for example, willing to retrieve the auth DNS
> for the zen.spamhaus.org zone you'll need to run
>
> nslookup -type=NS zen.spamhaus.org
>
> the above command will return a list of DNS names like
>
> zen.spamhaus.org nameserver = 1.ns.spamhaus.org
> zen.spamhaus.org nameserver = k.ns.spamhaus.org
> zen.spamhaus.org nameserver = r.ns.spamhaus.org
> zen.spamhaus.org nameserver = d.ns.spamhaus.org
> zen.spamhaus.org nameserver = h.ns.spamhaus.org
> zen.spamhaus.org nameserver = l.ns.spamhaus.org
> ... and so on ...
>
> at this point you'll have to retrieve the IPs for *all* those
> servers and make a note about them, then you'll have
> to setup a conditional forward in your DNS so that all
> queries directed to the "zen.spamhaus.org" domain
> will be forwarded to the servers IPs you obtained above
>
> repeat the same for all the other DNSBL zones and you'll
> have your conditional forward up and running, but remember
> that auth DNS IPs may change from time to time and that
> you'll have to keep your forwarding setup updated to reflect
> the DNSBLs you'll be using in IMF
>
> I'm *still* convinced that installing a DNS instance on the TS
> machine would be a better and more straightforward solution

Yep, it may be better, since I don't want to have to mess with the IP
checking (in case they change) from time to time.

I'll install DNS on the TS box this weekend, thanks.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam999free(a)rrohio.com (remove 999 for proper email address)
From: Ace Fekay [MCT] on
"ObiWan [MVP]" <obiwan(a)mvps.org> wrote in message
news:ueqK3zIiKHA.4912(a)TK2MSFTNGP02.phx.gbl...
>> Some of the only reasons I would see using a forwarder, which I
>> configure my customers for, is to offload the recursion process, or to
>> bypass a firewall that doesn't support EDNS0 or that an admin is
>> unaware of how to update the firewall to allow that type of traffic.
>
> Ace... DNS resolution process, under standard conditions isn't
> a resource pig at all, and in such a case, the "DNS tree" approach
> is the way to go, about EDNS0, I personally found that, disabling it
> won't have ANY negative effect and will, in general, solve a whole
> lot of resolution issues; just in case...
>
> http://support.microsoft.com/kb/828731
>
> then btw one will need (not referring to you, but more often than not
> people forget about it) to ensure that DNS queries won't be filtered
> and this means allowing traffic from "any port" to port 53/udp and to
> port 53/tcp of whatever external machine
>
>
>


True, it's not a resource hog at all, especially for small infrastructures.
For larger ones, I would rather install a separate DNS server that is not
part of the domain/infrastructure internally to forward to. I normally don't
disable EDNS0, rather update or configure the firewall to allow it (such as
a PIX or ASA). I try to simplify internal configs by not changing too much
from default settings. It's easy for me when I'm trying to juggle multiple
customers in my head and their configs. It's enough I have to remember each
customer's IP range! LOL

I agree about the filtering. Some are not aware of that. Source:
internal-interface any-any destination external-interface any TCP 53
(something like that!).

Ace


From: Ace Fekay [MCT] on
"ObiWan [MVP]" <obiwan(a)mvps.org> wrote in message
news:O1MzJ2IiKHA.1540(a)TK2MSFTNGP06.phx.gbl...
>> I was thinking on how to respond to this one yesterday. I think your
>> option #1 is the better solution.
>>
>> IMHO, I wouldn't use ODNS and simply use the IMF for Exchange, and use
>> a firewall that supports Websense or use ISA.
>
> or even use this one ;-)
>
> http://pgl.yoyo.org/adservers/
>
> Pete is a good friend (and answers to emails ;-D)
> and once you get a grip on how the DNS blocking
> idea works (notice - that isn't just another "hosts"
> file, try looking at the "MS DNS" format or at the
> ISA one ;-D) it will be easy to setup your own,
> personal filter to fit your needs ;-) !
>
>
>


I didn't know this site exists. I like the DNS method. Each registry entry
is an ad zone. Interesting. This can also be modified to block instant
messaging sub domains, such as those that AIM, YIM, etc., use. Thanks for the heads
up! I added this to my notes. Thanks!

Ace


From: Ace Fekay [MCT] on
"ObiWan [MVP]" <obiwan(a)mvps.org> wrote in message
news:efEOPXJiKHA.2132(a)TK2MSFTNGP05.phx.gbl...
>> Thanks - I had not thought about conditional forwarding, I will look
>> into that.
>
> <<<SIGH>>>
>
>


:-)