Re: DNS setup recommendations using my ISP as the secondary server.

From: sharad (sharadnaik_at_nospam-vsnl.net)
Date: 02/08/04


Date: Mon, 9 Feb 2004 01:41:52 +0530

No added security, as long as they all point to the same box. Some people
still use multiple IPs on a single box for hosting multiple web servers on
the same box, making each web server listen on a different IP and still use
the same default port 80 on all, so that one need not do port forwarding /
IIS header forwarding. But even in such a case, it is recommended only when
you have a dedicated box just to host all those websites.
The reason is that most hackers try flooding requests on your server, so
that it will reach a state where 'Denial of Service' cannot be handled by
the server because of the overload.
Having multiple IPs on the same box will make their task easier, since they
can attack all IP addresses at the same time, making it easier to get the
server into 'not able to Deny a Service'.

Sharad

"Ben Dewey" <bdewey01@hotmail.com> wrote in message
news:a708280.0402080712.32f424d6@posting.google.com...
> So there is really no added security advantage to setting up multiple
> ips pointing to the same server?
>
>
> "sharad" <sharad@anonymous.com> wrote in message
news:<e5YvE6f7DHA.1636@TK2MSFTNGP12.phx.gbl>...
> > I think what Roger meant is that, when you set up the
> > DNS zone on the ISP's DNS, there point it to your
> > router IP address (and not that in your local DNS server).
> > This is how it should normally be done, when one's
> > network is behind a router, if it is third party router
> > you set up the port forwarding in that third party router.
> >
> > If you do not have a third party router, then you are
> > setting up NAT, so that box is your (Microsoft) router,
> > so point the DNS Zone hosted by ISP to the NAT
> > server's public IP.
> >
> > In case you have a third party router, which does not
> > support port forwarding, you will have to assign a public
> > IP to the NAT server (from the static pool set up in the
> > router) and point the DNS zone hosted by the ISP to your NAT server
> > public IP.
> >
> > You say you have 24 public IPs, this most probably means
> > you have a static pool range from your ISP, so these IPs
> > are not dynamically assigned to you and you can treat them
> > as static IPs.
> >
> > It seems you have only one server and are planning to host your
> > web site and mail server etc. on the same box.
> > Hence it is not recommended to assign more than one
> > public IP to the server, since all the IPs are from the
> > same ISP, through a single connection, so if the line goes
> > down you can't use any one of those 24 IPs. So you don't
> > gain anything by assigning multiple public IPs to the server.
> > It will only make your setup and maintenance complicated,
> > too many records on the ISP's DNS zone, also NAT setting
> > will become complicated and you may even land up in problems
> > now and then.
> >
> > Sharad
> >
> > "Ben Dewey" <bdewey01@hotmail.com> wrote in message
> > news:a708280.0402071906.4cb98ce8@posting.google.com...
> > > I have a static IP, it's a T1, I also have 24 public IPs, so this
> > > information on dynamic IPs is not really applicable. I will take your
> > > advice on using the ISP as the DNS provider, but I don't understand
> > > why I would want to point my DNS to the IP of my router.
> > >
> > > I have extra IPs and I was hoping to use different IPs on different
> > > ports, one IP just locked for www on port 80 and one just locked for
> > > mail on port 110. I can static route all these IPs to the same
> > > private IP. Is this doable? Or recommended?
> > >
> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:<#H1EWdZ7DHA.1040@TK2MSFTNGP10.phx.gbl>...
> > > > Your better bet may be letting your DNS zone reside on an
> > > > outside provider, use the public IP of your router as the IP
> > > > for the entries in your DNS zone, and if your provider uses
> > > > DHCP then either negotiate static IP(s) with them or look into
> > > > use of one of the dyn DNS oriented DNS providers (with these
> > > > you can make dynamic changes to your zone if/as the assigned
> > > > IPs from the ISP change)
> > > >
> > > > Notice that this not only puts the DNS load from the public
> > > > somewhere else, and keeps your DNS private to your network, but also
> > > > something like this is needed anyway if your ISP provides DHCP IPs to
> > > > you. When the IP is changed no one would find your DNS server if you
> > > > hosted it, and you would have to get the delegation to your DNS server
> > > > updated.
> > > >
> > > > If you are interested in the dyn DNS providers, you could google on
> > > > the matter and will find many posts that have mentioned different
> > > > providers of this.
> > > >
> > > > --
> > > > Roger Abell
> > > > Microsoft MVP (Windows Server System: Security)
> > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > "Ben Dewey" <bdewey01@hotmail.com> wrote in message
> > > > news:a708280.0402070703.cfcc17f@posting.google.com...
> > > > > To answer your questions. I have a firewall and NAT running on my
> > > > > router, which is 192.168.1.1. This takes care of all my private IPs
> > > > > going out and maps the one public IP in to the .1.2 address. I have
> > > > > my DNS registered with namesecure.
> > > > >
> > > > > Basically just to follow up. The best way to do this is to use my ISP
> > > > > as the primary and secondary DNS and not to use DNS on my side at all.
> > > > > I will keep NAT the same on my router and point the public IP address
> > > > > to my .1.2 address. Is this correct?
> > > > >
> > > > > Now if I do it this way and I want to create a CNAME record, as an
> > > > > alias that points to the same server and is used for IIS, would I have
> > > > > to go through my ISP every time I wanted to make a change to the zone
> > > > > file?
> > > > >
> > > > > Is there any way to maintain control of my DNS in my situation since I
> > > > > only have one server and one domain name?
> > > > >
> > > > > Keep in mind that I want to maintain security and follow the best
> > > > > practices whenever possible. Even if it can be done I want to know if
> > > > > it should be.
> > > > >
> > > > >
> > > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:<u2Ys49U7DHA.1428@TK2MSFTNGP12.phx.gbl>...
> > > > > > most simple to inline comments . . .
> > > > > >
> > > > > > "Ben Dewey" <bdewey01@hotmail.com> wrote in message
> > > > > > news:a708280.0402061918.3e6df9eb@posting.google.com...
> > > > > > > Hey all,
> > > > > > >
> > > > > > > I have a couple of questions about best practices for how to set
> > > > > > > up my DNS. I currently have a T1 with one Windows 2003 SBS server.
> > > > > > > I am trying to set up the DNS using my server as the primary DNS
> > > > > > > and my ISP as the secondary.
> > > > > > >
> > > > > >
> > > > > > With only one DNS server you will have to hold both your
> > > > > > AD supporting internal DNS zone and the primary of your
> > > > > > public DNS zone in the same server, and with Windows DNS
> > > > > > this means that the public would be able to query against both.
> > > > > > This is usually avoided.
> > > > > >
> > > > > >
> > > > > > > I am currently using a 192.168.0.0 scheme for my private network
> > > > > > > and have set the server up as .1.2. I was hoping to use NAT to
> > > > > > > route a public IP address to the .1.2 address.
> > > > > > >
> > > > > >
> > > > > > Well, sure, this is often done - just not for DNS if only one Windows
> > > > > > DNS server. If you mean use NAT in your router, then SBS out of
> > > > > > the box is wanting to do this so that you can get to the public web,
> > > > > > the remote desktop interface, etc. If you mean NAT on the DC, that
> > > > > > is done so that you could route to a machine within the internal
> > > > > > network, like a second DNS service somewhere that holds the primary
> > > > > > for your public DNS zone.
> > > > > >
> > > > > > > My question is:
> > > > > > > Is it possible to set up the DNS server on the same server that
> > > > > > > the domain will be pointing to? (ex. ns1.mydomain.com has the
> > > > > > > definition for mydomain.com)
> > > > > > >
> > > > > > above. possible but not advised
> > > > > >
> > > > > > > Also right now if I set up DNS on my only server to point to
> > > > > > > itself it uses the private IP address,
> > > > > > Yes, this is how it should be
> > > > > >
> > > > > > > I would like it to use the public IP
> > > > > > > address is this possible?
> > > > > > Why ? What do you feel this will accomplish ??
> > > > > >
> > > > > > > Do I need to create another ip address on
> > > > > > > the server and if so, how do I do that?
> > > > > > It is possible, but it is unnecessary and it introduces issues.
> > > > > > Your DC will register all of its IPs in the internal zone, and
> > > > > > so some clients at times might attempt to get to the DC by
> > > > > > use of the public IP
> > > > > >
> > > > > > >
> > > > > > > Thanks in Advance.


