Re: .local and .com
From: Andrew Hodgson (me3_at_privacy.net)
Date: 01/02/05
- Next message: William Stacey [MVP]: "Re: dnscmd: modify an existing resource record in a zone"
- Previous message: Scott Davis: "Re: AD DNS Design"
- In reply to: Scott Davis: "Re: .local and .com"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 02 Jan 2005 12:52:36 +0000
On Sun, 02 Jan 2005 03:43:02 -0500, Scott Davis <sdavis@esctech.ca>
wrote:
>Douglas, Dana,
>
>Some of what Dana's written I agree with 150-ba-zillion-percent.
>
>Some, however, of Dana's comments, I think are entirely incorrect.
>Dana Brash wrote:
>> Hi Douglas,
>>
>> I would NOT recommend using the .local namespace, but to create a
>> sub-namespace of your publicly registered namespace. e.g.
>> office.company.com. This is particularly helpful for mobile users so
>> they're not switching back and forth between exchange.company.local and
>> mail.company.com depending on their location.
FWIW, this is the system I use, because I think the .local domain
suffix is ugly. I usually use ad.domain.com.
>
>The alternative is to config the client's outlook with
>"mail.company.com" and provide this name/zone/DNS that when queried
>points to the internal address or external address as required.
Yes; this is what I do. I do provide internal records for domain.com
(on another server) which works great. The main reason I used
ad.domain.com was due to issues with VPNs not working when I just used
domain.com for our AD zones, as they were using external nameservers
for some lookups.
>
[...]
>In common practice, "company.local" will do some mirroring of
>"company.com". (i.e. mail. or owa. or wm. ) Really, company.local
>should be further obfuscated because MS's products are kinda leaky..
>(i.e. Exchange's SMTP banner).
The banner is easy to change; the Message-ID is impossible (as far as I have
read), which is another reason I hate .local. At least ad.company.com
looks slightly better for people reading the headers of an Exchange
generated message.
>
>I say you SHOULD use a .local domain name, but it shouldn't be the same
>as your public "presence" name..
Interesting, why not the same as the public name?
>> Split DNS ~ For running internal network in same namespace as internet
>> presence
>>
>> http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.
>>
>> Note that "This is not a recommended configuration" but does come in handy
>> when you've already built up this way..
>
>Okay, again, I disagree with Dana. Not about the use of split named
>DNS, but because of the implicit advocation of ISA as a valid security tool.
Yes; I always protect MS products with a Linux front-end wherever
possible.
[...]
>> Steve makes very solid security recommendations, and I'd like to add one
>> more: hosting web services and mail on your Domain Controller is like
>> painting a target on your forehead. DCs shouldn't be exposed to that sort
>> of traffic for any reason.
>
>Here, I disagree with Dana.
So do I.
>
>The "DCs" in isolation ideology that Microsoft (and I think Dana)
>espouse is absurd. This is a mentality that MS utilizes to sell more
>ISA licenses. Nothing more.
>
>No kidding, I've thrown out $200/hr MCS (Microsoft Consulting Services)
> dweebs for being so ignorant that they buy into this "isolationist"
>mentality.
>
>
>Really, if I bang up OWA and let that machine refer the authority
>queries back to my DC that's behind some stateful inspection device, how
>is this magically more secure than letting people query that DC directly?
My thoughts entirely.
[Snip rest of interesting discussion]
Andrew.
-- Andrew Hodgson in Bromyard, Herefordshire, UK. My Email: use <andrew at hodgsonfamily dot org>.
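The header-leakage point raised in the message above (an Exchange Message-ID, and for that matter the Received chain, carrying the internal AD namespace out to the recipient) is easy to check for on outbound mail. The following script is an added example, not code from the thread or from any of the posters: it parses a message's headers, pulls out every dotted hostname, and flags those that belong to an internal namespace. The suffix list and the sample message (hostnames such as exch01.company.local and the IP addresses) are constructed for the example; substitute your own AD zone names.

```python
import email
import re

# Internal namespaces that must never appear in outbound mail headers.
# Constructed for this example: a bare ".local" suffix plus an AD subzone
# of the public name, as discussed in the thread.
INTERNAL_SUFFIXES = (".local", "ad.company.com")

# Constructed sample message: headers shaped like an Exchange-generated
# message relayed through a public MX. All hosts and addresses are invented.
SAMPLE_MESSAGE = (
    "Received: from mx.company.com (mx.company.com [203.0.113.5])\n"
    "\tby mail.partner.example (Postfix) with ESMTP id 12345\n"
    "\tfor <bob@partner.example>; Sun, 02 Jan 2005 12:52:36 +0000\n"
    "Received: from exch01.company.local ([192.0.2.10]) by mx.company.com\n"
    "\twith Microsoft SMTPSVC; Sun, 02 Jan 2005 12:52:30 +0000\n"
    "Message-ID: <A1B2C3D4E5F6@exch01.company.local>\n"
    "From: alice@company.com\n"
    "To: bob@partner.example\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# A dotted name whose last label starts with a letter; this skips bare
# IPv4 literals such as 192.0.2.10 but catches host.sub.domain.tld.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z][a-z0-9-]*)\b", re.I)


def hostnames_in(value):
    """Return every dotted hostname found in a header value, lower-cased."""
    return [h.lower() for h in HOST_RE.findall(value)]


def is_internal(host, suffixes=INTERNAL_SUFFIXES):
    """True if host is under one of the internal suffixes.

    A suffix starting with "." (".local") matches any name ending in it;
    a bare zone name ("ad.company.com") matches the zone apex and anything
    beneath it, but not the public parent zone company.com.
    """
    host = host.lower().rstrip(".")
    for s in suffixes:
        s = s.lower().rstrip(".")
        if s.startswith("."):
            if host.endswith(s):
                return True
        elif host == s or host.endswith("." + s):
            return True
    return False


def find_leaks(raw, suffixes=INTERNAL_SUFFIXES):
    """Return sorted, de-duplicated (header name, hostname) pairs for every
    internal hostname exposed in any header of the raw message."""
    msg = email.message_from_string(raw)
    leaks = set()
    for name, value in msg.items():          # every header, folded lines included
        for host in hostnames_in(str(value)):
            if is_internal(host, suffixes):
                leaks.add((name, host))
    return sorted(leaks)


if __name__ == "__main__":
    for header, host in find_leaks(SAMPLE_MESSAGE):
        print(f"internal name exposed in {header}: {host}")
```

Run against the constructed sample, it reports exch01.company.local in both the Message-ID and the inner Received header, while mail.partner.example, mx.company.com and company.com pass. Point it at messages captured from your outbound relay to see exactly which internal names leave the organisation; changing the SMTP banner does nothing about the Message-ID, which is the poster's point.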